The press release for the Culture, Media and Sport Select Committee Cybersecurity report headlines the recommendation to jail abusers rather than merely fine their employers. The change of reporting emphasis from notifying breaches to, inter alia, the processes for enabling customers and staff to check for impersonation, with fines linked to failure to do so, should, however, also change the way boards monitor the performance of their security teams.
The recommendations from the committee, which I have been privileged to serve as specialist advisor, should help turn the corporate priority from data breach notification to enabling staff and customers to report attempts at impersonation, whether or not there is evidence of an actual breach. Such a change is essential in a world where there may be weeks or months between a breach and its discovery and publicity for a breach will trigger a wave of phishing e-mails and phone calls.
The rules for specialist advisors are strict but I was delighted to be given permission to speak after the report is published, spelling out the implications for those responsible for cyber security, if the recommendations are adopted. In this review I have therefore focused on the sections of the report most relevant to those planning the cyber security activities of their own organizations, as opposed to regulatory or national policy. I strongly recommend, however, that you read the full report. It is only 21 pages.
Then consider your corporate action plan for when, not if, the recommendations become law.
My own recommendations to any Board that asks me for an elevator pitch would include:
- have clear chains of responsibility for security processes, training, reporting and incident management and ensure they are practiced and updated at least annually.
- use staff and customer education programmes to reduce the damage when breaches occur and report the results to the board and outside world.
- report who audits your systems, to what standards, whether you have an incident management plan and when you last exercised, to the board, your customers, your suppliers and the outside world.
- check the processes of current and potential subcontractors: you will be held liable and may not be able to get whoever sold your information jailed, especially if they are off-shore.
- prepare for when losses from impersonation replace whiplash and PPI as the target income stream of ambulance-chasing lawyers, so that you can rapidly sort the genuine claims from the rest.
- watch your trust ratings rise, on-line business increase and complaints and costs fall, as customers and suppliers gain confidence that their information is safer with you.
The background to the enquiry (Para 5 – 10)
The enquiry was triggered by what happened immediately after TalkTalk decided to go high profile after an attack. The evidence showed this was the tip of an iceberg. Moreover, calls for faster, “better” data breach notification have come to be part of the problem, not the solution. There is a real risk that the focus on breach notification helps phishermen and would-be fraudsters more than potential victims. This is particularly so given that the Information Commissioner's Office is snowed under with incidents: over 200,000 a year with only 30 staff to respond, handling about 1,000 of the most serious cases at any given time.
Attack and Response
The committee found a need for a step change in customer awareness and education, not just a Government campaign but that: “All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.” (Para 14)
[Those with long memories might say that the e-Commerce Directive mandates such information from all trading on-line within the European Union. One of my personal concerns has been the failure, until very recently, to talk seriously about enforcement. It helps that the FCC has pulled the rug from under the position of some of the dominant lobbyists in Brussels.]
Then came some recommendations regarding the very tricky issue of responsibility for handling major incidents within large organisations (Para 16) before a very polite bombshell:
“We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.” (Para 18)
Those in the industry will know that BCS and IET have finally been able to agree to mandate security components in the courses they accredit, but the new rules will not come into force until 2017. They will therefore only apply to those graduating from 2020 onwards. Hence the importance of the London Cyber Security Skills partnership on which I blogged recently – including to re-educate all those “Digital Marketing” specialists producing the egregiously leaky “apps” harvesting data from the smart phones of the younger generation.
After summarizing some of the evidence on business continuity exercises and scenario planning and the importance of communication with customers to reduce the risk of spoofing, the Committee recommended that “where the risks of attack are significant, the person responsible for cyber security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.” (Para 20). This will hopefully make life a little less difficult for those in the hot seat.
The report considered the vexed question of compensation and made some substantive points before concluding: “We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.” (Para 25)
The Law Society might be unable to agree an actual “practice note” for its members (the issues are indeed complex) but the attempt to do so should produce material that will make it much easier for its members, including those who work with Citizens Advice and Victim Support, to give practical advice on how to obtain redress.
Cyber essentials, supply chains and other guidance
Many breaches, however, occur along the supply chain, in suppliers or outsourcing contractors. The committee therefore recommends that “All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers.” (Para 26).
The committee also received evidence on the need to regularly update government advice and added that “Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber ransom demands.” (Para 30)
I know that many readers have views on the changes needed and look forward to an interesting but constructive debate on what those changes should be.
There follows a section entitled “The tensions between informing the authorities, criminal investigation and informing those potentially affected”. The title says it all. The Committee concluded that there was a need for guidance on how and when to publicly report incidents: “The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs.” (Para 33)
I have great sympathy for those who may be tasked with producing that guidance. I can fully understand why it does not exist. That does not, however, remove the need.
The role of the Information Commissioner
In Para 18 the committee suggested the Commissioner “introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.” This will hopefully ratchet up the pressure on the relevant professional bodies to ensure that their members know how to address these. In Para 34 the committee adds “an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach.” and “scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications.”
The report discusses the impact of escalating the size of fines, including when the GDPR comes into force (if we do not Brexit), and makes the important point that “the attention of individuals within the organisation may be better engaged by the threat of a custodial sentence, rather than a fine for their employer.” (Para 36) The committee then supports “the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.” (Para 37)
Then come the recommendations referred to at the start of this blog as a Corporate Action plan. I believe these could not only help transform corporate attitudes towards data protection and security but also greatly improve the effectiveness of the actions they take:
“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
- Staff cyber awareness training;
- When their security processes were last audited, by whom and to what standard(s);
- Whether they have an incident management plan in place and when it was last tested;
- What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
- The number of enquiries they process from customers to verify authenticity of communications;
- The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.” (Para 38)
I very much look forward to seeing those currently planning programmes to brief customers on the impact of the GDPR re-writing their scripts. It was clear that the members of the committee know what is needed to catch the attention of main board directors suffering the same information overload as themselves. They also know that such reports will need interpretive guidance from the in-house security teams – but the process should help ensure that security is taken seriously at least once a year by the board, whether or not there have been any serious problems. Among the points I would like to add are:
- Staff education and awareness programmes which are not supported by advice services which answer a steady flow of questions are ineffective.
- “No reported problems” equals a dead system and a ticking time bomb.
- The same is true of the systems available to customers to report phishing attempts and other problems.
- Those running the protection systems should be able to talk about the volume of attacks they have detected and foiled.
- Reports in the annual report and accounts, whether or not the ICO staff read what is reported to them, provide the necessary discipline to ensure the content is actually read by the board.
- Such reports, in turn, provide marketing and PR staff with the ammunition to tell the world that their employers really do take the security of their customers’ personal data more seriously than the competition.
The general public will, however, need something easier to help them understand who is trustworthy. The committee therefore supported “the ICO’s plan to create a privacy seal, to be launched later this year, which would be awarded to entities which demonstrate good privacy practice and high data protection compliance standards. It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress, and which have yet to take the issue seriously.” (Para 39)
Investigatory Powers and Big Data
Finally comes the “haystack of potential problems” that is the Investigatory Powers Bill with the “huge pools of personal data that it would create and their vulnerability to attack and theft leading to personal data breaches”. In interpreting the recommendation at the end of Para 41, “The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data.”, it should, however, be remembered that the problems with Big Data go beyond that already in the hands of the security services or law enforcement.
The Vodafone Survey on which I blogged a few weeks ago came too late to influence the enquiry, but it should influence organizations thinking about how to respond to the recommendations.
Do read the full report, you will miss much if you merely read my thoughts above. Also remember that policy is made by those who give evidence and respond to consultations.
The “motto” of this blog, announced in the very first entry back in 2008 is “The silent majority gets what it deserves … ignored”. Don’t be.