It's Halloween season, so it seems only apt to discuss the ‘horror’ of a data breach. Over the past 12 months, the news has seen a raft of reports relating to data breaches – not least the loss of confidential data last week by TalkTalk in the UK, the third such loss in the last 12 months for this one-billion-pound company alone. In a previous article I talked about the Cloud and how cloud computing was transforming the business landscape.
So, Sean, the person who has ownership of the cyber security for all my businesses, and the one who took us to the Cloud, used to work in the defence industry and has been involved in data security at the highest level. He tells me that the approach to data privacy has evolved massively over the years. Previously, data breaches were seen as incidents where a credit card receipt was found in a bin, or a government department lost a USB stick or a laptop. These are very real threats, but modern processes (such as PCI-DSS) and data protection techniques (such as encryption) help to mitigate this. However, no amount of protection can always be 100% effective. Take for instance the time when Met assistant commissioner Bob Quick emerged from his car outside No.10 clutching a secret memo about anti-terror raids, all on show to the world’s waiting TV and press! One of the most infamous cases was when a laptop was left on a train which contained details of the Gulf War. In this instance, the laptop was properly protected and the data was safe; however, what wasn’t safe was the printed information which was also in the same laptop bag. These cases illustrate the importance of common sense.
I constantly ask, “Why are we printing all this information?” and yet, again and again, I see paper everywhere. Indeed, just this week we were consulting on a multi-million-pound project, and there were stacks of proposal copies for an overview meeting. We have a long way to go to be secure at my own businesses… the leak being people and how they think, of course.
In the case of TalkTalk, it appears that one of the people responsible was a 15-year-old from Ireland. Although the full details of this incident are still to be published, he probably discovered a flaw in their website which allowed him to plant malicious code onto their web or database server. This could then give him access to their systems almost undetected, allowing him to harvest information at will. Common attack methods such as Cross-Site Scripting and SQL Injection attacks are usually exploited through insecure code, and this is where it is important to distinguish between insecure systems and insecure code. For instance, Amazon may have one of the most secure cloud infrastructures in the world, but if you then use their services to publish your own code which is insecure, there is nothing Amazon can do about that.
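To make the insecure-systems-versus-insecure-code distinction concrete, here is an added example (not code from the original post, and nothing to do with TalkTalk's actual systems). It builds a small constructed customer table in an in-memory SQLite database, then compares two ways of looking up a record: one that pastes user input straight into the SQL text, and one that passes it as a bound parameter. The hosting platform runs both identically; only the code decides whether the input can change the query's meaning. The table, column and sample values are assumptions made up for the demonstration.

```python
import sqlite3

def build_db():
    # Constructed in-memory database with two sample accounts (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.test", "0100 000001"), ("bob@example.test", "0100 000002")],
    )
    conn.commit()
    return conn

def lookup_insecure(conn, email):
    # Insecure: the input is concatenated into the SQL text, so quote characters
    # in the input are interpreted as part of the query rather than as data.
    query = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()

def lookup_secure(conn, email):
    # Hardened: a parameterised query. The driver sends the value separately
    # from the statement, so whatever the input contains it is only ever a string.
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()

def demo():
    # Runs both lookups with a normal address and with the textbook injection
    # string that closes the quote and appends an always-true condition.
    conn = build_db()
    normal = "alice@example.test"
    hostile = "x' OR '1'='1"
    return {
        "insecure_normal": lookup_insecure(conn, normal),
        "insecure_hostile": lookup_insecure(conn, hostile),   # returns every row
        "secure_normal": lookup_secure(conn, normal),
        "secure_hostile": lookup_secure(conn, hostile),       # returns nothing
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The insecure lookup hands back the whole table for the hostile input, which is the "harvest information at will" outcome described above; the parameterised version returns no rows because it simply looks for an address that does not exist. This is the kind of defect an application test (as opposed to an infrastructure test) is meant to catch, and it is entirely the code author's responsibility rather than the cloud provider's.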
This highlights the need for proper risk mitigation, audit and review of your IT systems. This should include:
- Penetration Testing – Ensure that your perimeter is secure and not liable to compromise. This is not just about data leakage and confidentiality; it is also about availability. Imagine the fallout if Facebook was unavailable for just one hour as a result of a Denial of Service attack. Oh wait, this has happened, hasn’t it? I will ask my development team to attempt to ‘hack’ into our systems and insist on strong passwords to deny attempts. We still test though.
- Application Testing – Your web applications, e-commerce systems and data storage systems should be regularly tested by an independent company specialising in this service. This is regardless of whether the systems are exposed to the Internet or used internally, as there is always an internal threat of data leakage.
- Systems and process audit – Make sure internal processes are safe. One Middle-Eastern company we audited not so long ago, with a turnover of literally billions of dollars, stored their entire company’s administrative passwords in Excel… which was stored on a technician’s laptop… which he took home every night… unencrypted! As bizarre as that sounds, I sat at the desk of one of my most senior executives, who is also from a security background, and pressed the space bar on his laptop, and there it was, open for all to see: no screen lock! I see this in movies all the time and think “no way” and yet, apparently, it is common.
I also work in talent management and have to constantly remind the artists I work with to put codes on their phones, or, better still, a biometric lock (that’s a fingerprint scan for the latest iPhones), which is even better. Better because if someone has an eye on your phone they can see you put in a code; it is an entirely different proposal with a fingerprint. An awful lot of people’s phones these days have all their pictures, emails and social media open and readily available if that phone is ‘hacked’.
‘Hacked’ is an interesting word as well. In most cases these days when people’s ‘Cloud’ is hacked, this simply means someone guessed their password, as it was that simple. I read recently that there are still a plethora of people using their date of birth or a child’s name, and even the word ‘password’, as their password. When a celebrity has their ‘cloud’ storage ‘hacked’, I find myself wondering if this simply means that someone has picked up their phone while unlocked, or used the code which they have seen tapped in.
Remember though, if you want to steal personal or commercially-sensitive information from a company, don’t bother paying a 15-year-old to sit in a darkened room and hack into an organisation; it is much easier to get a job as a cleaner and go through their bins!