CIO Folder: Ignorance seldom leads to business bliss
14 March 2016
Security is top of the ‘Must Do’ list for most IT managements, even if, like real-life Post-it notes, it may all too often drift down to ‘To Do’ status. In smaller outfits and for personal users, once there is something by way of security software in place, any reviewing of security arrangements all too often ends up in the Jobs Jar. In real business in Ireland today, security is taken reasonably seriously, but a guess could be hazarded that the attention level is directly proportional to the perceived potential damage.
That, naturally, depends in large measure on the industry. Financial services are constant targets and any organisation holding personal data today is acutely conscious of the headline-grabbing breaches. Most of them have been elsewhere in the world, but we have no reason to be complacent. Last year the Office of the Data Protection Commissioner reported that the data breach rate had risen by 50% in 2014 to 2,264 cases recorded.
“Leadership should include ensuring that there are the structures in place to educate all staff about the cyber risks”
The National Data Protection Survey for broadly the same period, conducted by the Association of Data Protection Officers [ADPO], is perhaps even more troubling. It found that 55% of Irish companies had suffered a data breach in the period. The survey also found that almost a fifth of Irish companies had experienced some form of malicious external attack. The latter is perhaps only of interest in that it could have been much worse. Not all such attacks are necessarily detected, because many are relatively simple and are repulsed by modest security software.
But data breaches in more than half of our companies is, or should be, deeply troubling. Yes, there is some consolation in the report that the majority of those breaches involved fewer than 100 records and generally we are not talking about people’s personal data. On the other hand, any data breach, accidental or malicious, can as readily involve millions of records as a few dozen. It just depends on what was compromised. Irish Water, for example, sent personal bank details to the wrong parties — ‘Scandalous’. But there were only 15 people involved! ‘OK, not so bad then.’ But hang on: if it was a systems error and not a human one, surely the number could have been in the thousands?
On the other hand, the LoyaltyBuild breach in 2013 compromised the personal information of 1.5 million people, including the credit card details of nearly 400,000 people across Europe and almost 70,000 in Ireland — true headline scale.
Email is seriously prone to human error. We have all gone a click too far at some time, usually sending something to the wrong person (is autofill really all that useful?) or to an entire list. Civil servants are human too. Last October PeoplePoint, the shared human resources and pensions centre, inadvertently emailed a report relating to multiple departments to a number of local HR departments other than those of the employees concerned. The details of 317 people, including their names, PPS numbers, grade, department and details of overpayments, were unencrypted. An informed judgement has to be along the lines of ‘the original mistake was not the worst, but why was the information between government agencies not encrypted?’
The subterranean layer is the number and types of malicious data breaches that were never officially reported and perhaps never saw the light of day. Successful ransomware attacks would be the No. 1 current suspect category. The second, since the dawn of computer time, would be malicious internal breaches for embezzlement, saleable trade information or embarrassment to the employer or an individual. US research and the consensus among security analysts is that more than half of all data breaches are not reported. But that principally involves organisations with 500-plus employees.
What is the picture in Ireland? Does anybody know? Once again, an informal chat with some leading IT security experts suggested that more than half of data breaches and successful hacking or malware attacks are not reported. If your organisation survives a DDoS attack, for example, there is no particular need to report it, and the judgement may well be that some reputational damage may ensue for just being apparently ‘vulnerable’. On the other hand, there is reasonable awareness of the need to report breaches involving personal data.
But if formal reporting is a management decision, avoiding and spotting breaches are the concerns of every employee — or should be. But that requires knowledge. How much IT security training do Irish employees receive? We should probably omit the multinationals, at least those in financial services, contact centres, software and other IT-related sectors.
To be blunt, CIOs and IT managers out there, what are you doing about raising the levels of awareness and knowledge of digital security amongst your colleagues? The ADPO survey showed around 60% of respondents saying that staff are well or very well trained when it comes to understanding information security policies. Sorry, but this column is sceptical. ‘Understanding policies’ is essential, certainly, but how practical is that knowledge in avoiding mistakes? The other thing, with all due deference, is that the respondents are DPOs in organisations which have such posts. That is hardly a representative sample.
Two recent items of security folklore come to mind. The first is an almost foolproof technique for getting your Trojan inside a corporate network — the old USB sticks in the car park trick to seed malware.
The other one is slightly more documented. This big oil company keeps its data encrypted. Well, most of it. Successful spear phishing around the accounts department uncovered PDF purchase orders and invoices. With supplier codes, contact emails and bank details. Completely credible “Please note our change of bank particulars” emails re-directed quite a healthy few million dollars before the suppliers started to whinge about slow payments.
Both stories underpin the fact that most staff are not suspicious and are in fact generally credulous, unless they are informed and their awareness threshold raised. That clearly should involve a regular programme of training in data protection and IT security. That would not need to be overly technical. Many of the risks are purely human, like the government department staff who were conned into giving citizens’ information over the phone to private detectives, not always posing credibly as Gardaí. That is unthinking behaviour, borderline stupid.
But it clearly only arose because the personal data they dealt with daily was to them just stuff. They had little or no appreciation of the significance of privacy to those individuals, much less the legal implications. If they were actually deceived into thinking they were dealing with legitimate Garda enquiries there should have been firm protocols in place and logging of the requests and data disclosed. Always assuming that such disclosures would have been legal in the first place.
All CIOs and IT directors/managers are well aware of the debates about their roles, and we have certainly fostered that debate. But it has to be said that the leadership should include ensuring that there are the structures in place to educate all staff about the cyber risks in today’s world and the proper vigilance to maintain against threats to corporate and personal information.
Too often the defence plea for not having formal organised training is on the lines of “Sure everybody knows these days…” No, they do not. Not only are the majority of users ignorant about most possible threats but they frequently misunderstand or believe popular myths. Too often the security ethos is a regime of rules, which Irish people are generally happy enough to follow until a dilemma arises. Then we are willing to bend the rules, just a bit.
A proper, functioning information security ethos is informed, intelligent, dynamic and full of communications. Even chat, in Ireland. Did you hear about the gobdaw who opened an email supposed to be from the widow of the former President of Gizmostan? That’s the kind of gossip we need.