It is every CIO’s nightmare to get a call from one of their managers saying that a security breach has been discovered. If it is a big breach, externally there will be negative press and hundreds if not thousands of angry or worried customers to deal with. There may be regulatory investigations resulting in major fines, and serious damage to goodwill and the brand. Internally there will be a mass of work involved in closing the breach, cleaning and restoring the data, and rebuilding databases and interfaces. There will obviously be internal investigations and many questions to be asked, some of them very difficult. Heads will probably roll, particularly those responsible for the breach, and probably even the CIO’s if it is a major one. So what can you learn from the major breaches of the last few years? Believe me, there are many to choose from.
Butlins lost the data of 34,000 guests from its database after a member of staff responded to a phishing email that gave a hacker access to the customer database. Thankfully, Butlins stated that no financial data had been accessed. Clearly the phishing email was either very clever and realistic, or the member of staff was particularly careless. These types of phishing emails are often of one of the following formats:
So what can be learned from the Butlins data breach? Firstly, of course, all staff should be aware of the threats that arrive by email and know how to handle them: report a suspicious message rather than click on it or reply to it. A procedure for handling ransomware should also be in place. Secondly, your systems need to be protected against all known malware. Lastly you, as the CIO, should be monitoring your entire ICT environment in real time, so that any breach is quickly identified and contained and your data restored from a secure backup environment.
What about Dixons Carphone, which lost over 10 million data records, including financial records? This breach came shortly after the group had been fined £400,000 for rudimentary security failings: an unpatched WordPress installation in Vietnam had allowed an earlier major data breach. Dixons compounded the bad press by raising its initial estimate from 1.2 million to 10 million records.
Dixons now has ongoing investigations by the ICO, the Financial Conduct Authority (FCA) and the police, as well as its own internal investigation into the breach.
So what can a CIO learn from the Dixons Carphone debacle? Clearly they did not have a secure ICT environment, and just as clearly they did not handle the public exposure well. The breach was not discovered for over a month, and they were not clear about what data had been accessed. Had the breach occurred after the GDPR came into force, the fines could have been higher and the investigations much deeper, and they would have had to notify the ICO within 72 hours of becoming aware of the breach (the deadline runs from discovery, not from the breach itself). So in this case they were lucky.
Dixons’ security problems were probably heightened by the merger of Carphone Warehouse systems into Dixons’ systems and by multi-country interfaces. The breach affected customer records, including financial data. Monitoring a multi-site environment is difficult, but multi-site monitoring systems exist. Of all the data a company holds, customer financial data is surely the most sensitive, and the security around that database should be first rate. Dixons’ cyber security processes were clearly not effective: not only did they fail to discover the breach for some time, they were also unclear about what had been stolen.
A network monitoring system gives a company a real-time view of its network and highlights breaches, and a good cyber security consultancy can audit the current environment and flag existing compromises, technical weaknesses, and missing patches and software upgrades. A network audit ensures that the company knows what its estate actually looks like: the current software versions, and which peripherals and terminals are installed and where.
Clearly, cyber security processes and procedures also need to be introduced so that the company’s systems remain secure. Dixons should also consider outsourcing its cyber security management to a Managed Security Service Provider (MSSP).
What you, as a concerned CIO, should really do is talk to Gaia Technologies plc about their Managed Security Service Provision (MSSP) as well as other cyber security services they can provide. Gaia – Total Security Solutions for Quality, Security and Peace of Mind From One Provider.