The Culture, Media and Sport Committee has published its report Cyber Security: Protection of Personal Data Online . This inquiry was launched in October 2015 following the cyber-attack on TalkTalk’s website. The Committee looked at cyber-security and the response to cyber-crime and broader issues around data protection. Cyber security experts from ESET, Proofpoint, FireMon and Lieberman Software discuss the report.
Mark James, Security Specialist at ESET:
“The recommendations seem reasonable and certainly a good basis for starting. The fines currently imposed do seem quite insignificant for very large organisations that hold so much of our data and the ability to scale new fines based on global turnover may well help to encourage some new thoughts on protecting our data.
Public knowledge is paramount when our data goes missing, changing passwords will not stop the damage caused by the actual breach but could help stop any future use of that data. One of the biggest problems with data breaches is how the stolen data is used, often it’s not sufficient on its own to gain access to financial data and is often used as bait to get more information from you; targeted email spam or even worse, actual telephone calls supposedly from the breached company pretending to help you have been used in the past in an effort to extract very private and confidential information from unsuspecting victims.
If the public are made aware as soon as possible there is a good chance they won’t be fooled by these underhand tactics, the biggest thing we need to take away from this report is how important education is in one form or another, being aware of how you can protect your company and also just as importantly if you are breached how you can help your customers mitigate the damage caused. Data breaches are a risk we have to live with, in an ideal world it would be nice to think our data could be protected and held completely safe but the reality of that is far from happening, but we have to aim for that goal. Adapting our defences and sharing knowledge is one of the best ways of achieving that.”
Ryan Kalember, SVP, Cybersecurity Strategy at Proofpoint:
“While this report contains some excellent recommendations that to the outsider may seem like appropriately strong measures, most of the findings and prescribed measures are underwhelming for those of us in the industry. Cyber criminals are taking aim at the trust between people and organisations that allows the modern Internet-connected world to function, as people take it for granted that the purported sender of an email is who she says she is, that a website that asks for your credentials really belongs to your service provider, and that a tweet from your bank about resetting your PIN code really came from your bank. That’s a more fundamental issue than heightened awareness, stiffer penalties, and better security programmes can fix.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The notion of the CEO and Board being involved in cybersecurity is essential. Often the implications and remedies to cybersecurity issues cut across every aspect of an organization’s operations. The bad guys don’t have to wade through politics and bureaucracy to cross those lines, but everyone within an organization will unless they have immediate and prioritized access to executive backing. When these breaches occur, it’s absolutely required that executives use their powers to ensure response is swift and complete.
The comparison of cybersecurity awareness for the public with smoke alarm testing is good, but the analogy seems to fall apart even as it’s made. Just like the public needs to proactively ensure their smoke alarms are in good shape they must also be proactively behaving in safe ways online and looking for the signs of a scam as they happen. The message should not simply be about how to handle the wake of incidents, but also about how to avoid both being taken in by scams and how to behave in ways that lessen the impact of breaches when they are out of your control.
The ICO and other bodies should be cautious about deploying systems of fines and other financial penalties for cybersecurity lapses. Often putting a set price on these risks simply allows organizations to make a calculation about how little they may spend on cyber defense in order to offset the maximum costs of fines. You see this at work in the regulatory world where an organization often decides to simply pay fees for being out of compliance rather than spend what they feel would be more to be in line with the statutes. If cybersecurity simply becomes another set of regulations, then a check box mentality will rule and we will see minimum effort and minimum expenditures. The risk of cybersecurity must be kept akin to the risk of real world crime, where organizations know that a big heist could be an existential threat to their business and act accordingly.”
Michael Callahan, VP at FireMon:
“Networked environments, especially in large enterprises like TalkTalk, are becoming increasingly complex with so many disparate solutions trying to solve the end goal of ‘cyber security’. What organisations now need to recognise is that more technology is unlikely to stop data leakage and prevent big breaches. Instead, they should focus on proper management of the solutions they already have in place and start looking for tools that give them total visibility into their environment and assess current processes to ensure they are still valid.
“Improved management and personnel training, as suggested in the latest report, will go a long way towards minimising these kinds of breaches and make sure personal customer data is effectively protected.”