EU regulations - Always expect the worst as it's already happening

A pessimistic approach to future threats is advised by Chris McIntosh as the necessary attitude to minimise the extent to which they happen, and bolster our preparedness to cope if and when they do.


IT security is getting more press than ever before. From the ongoing Snowden/NSA/GCHQ revelations, to the ICO reporting on data breaches, Target, eBay, Russian web-cam sites, Shellshock and other vulnerabilities, stories about cyber-threats to business are near-constant. At the same time, the modern world requires an ever-larger amount of data to function, ranging from financial data to the most sensitive personal details. As a result, organisations are under increasing pressure from almost every angle to ensure that the data they hold is protected. From within the organisation, stakeholders want to be sure that they are safe from attack. Attackers are constantly testing the defences of organisations, seeking to find a way in. And, as awareness of the true threat grows, both the public and regulators are increasingly pressuring organisations to ensure that their sensitive data is safe from prying eyes.

The roots of discontent

Regulatory pressure can come from many sources. Bodies such as the UK Information Commissioner's Office have some impact through the threat of undertakings and financial penalties. Admittedly, the level of influence the ICO has is still open to some debate. Other bodies, such as the Financial Conduct Authority, have the ability to impose much more severe punishment on organisations within their remit that are seen to stray. For example, the FCA (under its old name of the Financial Services Authority) was not averse to fining Zurich Insurance £2.27 million for a lost hard drive, or Nationwide £980,000 for a stolen laptop – both of which dwarf the potential penalties available to the ICO. However, to many organisations the biggest regulatory challenge on the horizon is the upcoming signing of the European Union's data protection regulations into law.

Crystal ball gazing

It's still not 100 percent certain when the various component regulations will become law. Given this uncertainty, many predictions of what, exactly, the law will entail are closer to soothsaying than hard, scientific fact. Yet it is possible to identify requirements that are likely to be included, such as those suggested by the ICO.

Among these are tougher protections for personal data, in order to ensure sensitive private information doesn't get into the wrong hands. Explicit confirmation of when data will be gathered from the public, what data will be taken and how it will be used is likely to become a key part of any contract between businesses and their customers. Tougher rules on when and how personal data can be shared are likely to make it in, as is less leeway when reporting any data breach to regulators. Lastly, there will be harsher penalties for any organisation found to have an unforgivably lax attitude to data protection – up to 5 percent of annual revenue. The requirement to report breaches within 72 hours certainly needs further clarification.

What does it all mean?

Organisations might feel that they are currently trapped in a dilemma: wanting to be compliant with both current and upcoming regulation, but unable to act until they know precisely what compliance actually entails. Anyone wishing to protect themselves against EU legislation should bear in mind this key IT security maxim: think of the worst that could possibly happen, and then assume that it already has.

Getting practical

First, organisations should examine their security at the most basic, practical level. Are they using encryption? Is the firewall up to date? How is sensitive data, and the passwords that allow access to that data, stored? Most importantly, what are the potential weak spots? Any weakness is where attackers will make a bee-line for, and where a data breach will most likely come from – if it hasn't already. At the very least, there should be a minimum level of security across all IT systems that discourages attackers.

Use or abuse?

Second, organisations should consider why they actually need sensitive data. The advent of Big Data has resulted in a temptation to gather up any and all information in search of business insights. However, if that data is surplus to immediate requirements then all it is doing is adding another layer of legislative risk.

What's it on?

Even if data is 100 percent necessary, organisations should still consider how it is used: for example, on what devices? If a device's storage can't be protected to an adequate level, as is currently the case for smartphones and tablets, then sensitive data should come nowhere near its storage.

Workers of the world unite

Human error is one of the most common reasons for data breaches that put organisations in front of the regulators. There are simply too many stories of data not being deleted before storage is discarded, or of sensitive information being emailed, faxed or posted to the wrong person or section of a website. Having data protection procedures in place and educating employees is a good start. However, as far as possible the opportunity to make a mistake should be taken away from workers – for example, by making it impossible to save sensitive data onto a non-encrypted device.

Knowledge is power

Perhaps most importantly, organisations should ensure that they know what is happening with their sensitive data. They should know the status of their IT systems and their data at all times: as soon as that status changes unexpectedly, alarms should be ringing. Given time, every organisation will fall victim to a data breach. Any data protection planning should be built around minimising that breach's impact and spotting it quickly to ensure it doesn't fester.

The golden rule

The simple fact is that perhaps the most valuable characteristic in IT security is pessimism. Organisations cannot predict every single detail of laws that may be months or even years away. More importantly, they cannot predict events such as the Snowden revelations or the Stuxnet attacks that can have huge impacts on the security landscape. Yet if organisations are constantly asking themselves “What's the worst that could happen?” their protection against both future legislation and, more importantly, the effects of cyber-attack will be much improved.

Contributed by Chris McIntosh, CEO, ViaSat UK