We can all recall the incident that caused chaos across the industry after news broke that 1.2 billion passwords had been stolen. 1.2 billion passwords! That is an obscene, almost unquantifiable number. While many people debated whether this really happened, questioning where the passwords came from and the behaviour of the firm disclosing the passwords, I was thinking, “How can this be stopped?”
Hacking cannot continue unabated, quietly happening behind the scenes – unreported, unnoticed and in ever-increasing numbers. This year alone, the US Securities Commission has noted that American firms have seen a 42 percent increase in reported successful hacking attempts.
Meanwhile, consumer confidence is currently dominating the media, and it's critical that we address consumers' confidence in the digital marketplace before it begins to have a negative effect on our business. Sooner or later, a data breach will be the tipping point that negatively affects consumer confidence, as people are governed by their feelings, and sentiment is exactly the kind of intangible quality that can shift quite quickly.
So, in recognition of the growing problem, I sat down with my colleague and information security expert Paul O’Donovan and discussed three areas of improvement that we believe could restore confidence to digital consumers worldwide and improve the lot of beleaguered infosec officers around the world.
In this first post of the series, we address the first area that needs vital improvements: mandatory reporting.
No business wants to jeopardise its reputation by admitting that it was hacked or breached, so we are in a position where businesses often report up to four years later (as in the case of Paddy Power in Ireland) or sometimes never at all. More household brands than you would ever dream of have withheld evidence of data breaches, so how are we to learn about threats if they are being covered up? How are we to educate ourselves about the risks out there by learning from others? How can we decide who we should do business with if potential partners are not being open and forthright?
Fortunately, mandatory reporting is being implemented in the EU—sort of. As part of the proposed changes in the upcoming EU data protection regulation, mandatory reporting of all data breaches, ideally within 24 hours, is required by the incoming legislation. Substantial penalties—a minimum of €250,000, up to €1 million or 2 percent of an organisation's global turnover—apply to organisations in breach of this act.
Mandatory reporting already exists in 47 of the 50 states in America, with only Alabama, New Mexico and South Dakota currently having no mandatory data breach laws in place. Of course, this does not apply to breached medical data, which has been subject to notification requirements since 2009 in the EU and USA.
Paul O’Donovan firmly believes this step could lead us in the right direction: “The type of mandatory reporting the EU GDPR is proposing may help to level the playing field somewhat between ‘Joe Consumer’ and the companies.”
“If my data is lost by Multinational Inc., at least the power is now in my hands to limit my exposure to potential identity theft. I can cancel my credit cards and change my passwords before ‘Evil Bob’ has a chance to do anything with them.”
Mandatory reporting also allows us to spot trends and potential risks when real-time information is shared. Emergent dangers can be more easily dealt with and protected against once they are understood, and in order to understand something, people first need to become aware of it. Mandatory reporting of data breaches means sharing information and preventing more data breaches, something we can all agree would be welcome in the industry.
About the Author: Michael Brophy is Founder and CEO of Certification Europe – a group of accredited certification bodies founded in 2001, which provides ISO Certification and Inspection services to organisations globally. Michael is a graduate of the University of Ulster and the Universidad de Zaragoza (Spain), with a Master in European Policy and Regulation at Lancaster University, and is one of Ireland’s leading authorities on standardisation. Michael has a wealth of experience in Information Security and Business Continuity Management Systems implementation for Government, military and various business sectors (pharmaceutical, Telco, financial, IT and security printing sectors). Michael is also Chair of the Association of Accredited Certification Bodies (AACB).
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.