Recent data breaches, the saga that was Ashley Madison and the report by Big Brother Watch all paint a pretty grim picture for the future of data protection. But it can't be okay to accept that as our fate - because consumers, the Board of your company and - if the latest Safe Harbour ruling is anything to go by - the EU are unlikely to stand for it. It's time to understand the root cause of these data breaches and put plans in place to combat them... or we could all end up fired!
Cyber-security plays second fiddle to human error
Cyber-security hacks such as the now infamous Ashley Madison breach make for exciting headlines, but we all know that the root cause of data breaches is normally plain old human error. Over recent months there has been even more evidence of this from the likes of Databarracks, whose survey of 404 IT professionals named human error as the number one cause of data breaches.
Human error transcends sectors
One private sector example is the recent case of holiday company Thomson, which sent an email, in error, that contained the home addresses, telephone numbers and flight dates of 458 people - leaving the door almost literally open for burglars.
Meanwhile, in the public sector, the Big Brother Watch report gained our attention with the claim that local authorities had 4,236 data breaches in the last three years. The breaches included 197 lost or stolen mobile devices, and more than 5,000 letters either sent to the wrong address or sent with content meant for another recipient. More recently, the 56 Dean Street Clinic emailed 780 HIV patients; unfortunately the email newsletter disclosed all 780 patients' names and email addresses to each other. All of these are very clearly instances of human error.
We're living in different times; data times
The amount of data that people deal with is growing every day, and with it the number of data breaches; probably because of that, there has been a huge increase in consumer interest in the protection of their own data and in their human right to privacy. This groundswell of public opinion has not only driven the media to cover every data loss story; it has surely also been one of the factors behind the EU's attitude towards data protection.
What can we learn from the ruled invalidity of Safe Harbour?
The fallout from the recent ruling by the European Court of Justice on the invalidity of Safe Harbour is yet to be fully understood, but what it does imply is that the EU is very serious about protecting its citizens' data. The ruling, together with the new EU data protection regulation set to be finalised towards the end of this year, suggests that very soon there won't be anywhere to hide: companies that suffer breaches could face fines of €100 million or potentially up to five percent of global annual turnover.
Data security is a board level issue
With these kinds of fines in the mix, the issue of data security has become a board level topic. We've already seen Noel Biderman, CEO of Avid Life Media (ALM), the parent company of Ashley Madison, stand down following its very public data breach. But with the forthcoming EU data protection regulation, an individual as well as a company can be held responsible for the protection of the data it processes. With the recent firings of the Symantec employees who issued fake Google security certificates, you can see that the mindset around security in general is heightened right now, which is absolutely right as we all prepare for the new regulation.
So, what can we do now?
Companies can, and should, focus on combating the undisputed top cause of data breaches: human error. There is a three-pronged approach to this:
Rules and education - every employee needs to be crystal clear on how to deal with data, especially as the new EU regulation requires notification of a data breach within 24 hours of discovery.
Culture - how employees deal with data will often be learnt on the job, so if senior management are serious about protecting the company against a breach, that attitude should filter down. Employees should feel that it is right to report a data breach rather than hide it, because technology exists to do something about it after the fact.
Technology - companies need more than encryption, which is difficult to prove was in place after the fact. They need to consider geo-location tracking, technology that provides a verifiable audit trail, and the ability to destroy data remotely if it is lost irrevocably. People will still make mistakes, so you are looking for technology that both helps prevent a breach in the first instance and helps protect you should the inevitable happen.
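As an added illustration of the "prevent a breach in the first instance" point (this is example code written for this page, not code from the article's author or from ExactTrak), the following pre-send guard models the mass-disclosure mistake described earlier: hundreds of outside recipients placed in the visible To/Cc headers of one newsletter. The set of internal domains (`clinic.example`), the visible-recipient threshold and the sample message are all constructed assumptions.

```python
"""Pre-send check for outbound mail: flag messages that would expose external
recipients to each other, and rewrite them so the recipients go in Bcc.
Added example for this page; the domains, threshold and sample are assumptions."""

from dataclasses import dataclass, replace

INTERNAL_DOMAINS = {"clinic.example"}  # assumed: the sending organisation's own mail domains
MAX_VISIBLE_EXTERNAL = 5               # assumed policy: more than this in To/Cc must go to Bcc


@dataclass(frozen=True)
class OutboundMessage:
    sender: str
    to: tuple[str, ...]
    cc: tuple[str, ...] = ()
    bcc: tuple[str, ...] = ()


def domain_of(addr: str) -> str:
    """Mail domain of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def is_external(addr: str) -> bool:
    return domain_of(addr) not in INTERNAL_DOMAINS


def check_visible_recipients(msg: OutboundMessage) -> list[str]:
    """Return policy findings; an empty list means the message may be sent as-is."""
    findings = []
    visible_external = [a for a in (*msg.to, *msg.cc) if is_external(a)]
    if len(visible_external) > MAX_VISIBLE_EXTERNAL:
        findings.append(
            f"{len(visible_external)} external recipients are visible in To/Cc "
            f"(limit {MAX_VISIBLE_EXTERNAL}); each would see the others' addresses"
        )
    # Even a small number of visible recipients from different outside
    # organisations are exposed to one another, so flag that separately.
    outside_domains = {domain_of(a) for a in visible_external}
    if len(outside_domains) > 1:
        findings.append(
            f"visible external recipients span {len(outside_domains)} domains: "
            + ", ".join(sorted(outside_domains))
        )
    return findings


def enforce_bcc(msg: OutboundMessage) -> OutboundMessage:
    """Move every external visible recipient to Bcc; To falls back to the sender."""
    external = tuple(a for a in (*msg.to, *msg.cc) if is_external(a))
    internal_to = tuple(a for a in msg.to if not is_external(a))
    internal_cc = tuple(a for a in msg.cc if not is_external(a))
    return replace(
        msg,
        to=internal_to or (msg.sender,),
        cc=internal_cc,
        bcc=tuple(dict.fromkeys((*msg.bcc, *external))),  # de-duplicate, keep order
    )


# Constructed sample: a newsletter with every recipient address placed in To.
NEWSLETTER = OutboundMessage(
    sender="newsletter@clinic.example",
    to=tuple(f"patient{i}@mail{i % 3}.example" for i in range(8)),
)

if __name__ == "__main__":
    for finding in check_visible_recipients(NEWSLETTER):
        print("BLOCKED:", finding)
    safe = enforce_bcc(NEWSLETTER)
    print("rewritten To:", safe.to, "| Bcc count:", len(safe.bcc))
    print("findings after rewrite:", check_visible_recipients(safe))
```

The guard belongs at the point where a bulk message leaves the organisation (a mail gateway hook or the newsletter tool's send step), so that the rewrite happens before the mistake reaches the recipients rather than being discovered from their replies.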
Contributed by Norman Shaw, CEO and founder, ExactTrak.