Yesterday, the BBC reported the theft of an unprecedented one billion Yahoo user accounts, including personal data such as names, phone numbers, passwords and email addresses. This is likely to be on top of the 0.5 billion reported by Yahoo just months ago.
The growing number and scale of data privacy breaches highlights that many companies are still not taking the security of personal data seriously enough, which is echoed by increasingly stringent penalties from regulators such as the ICO, which recently fined TalkTalk £400,000 for security failings in the UK. Forthcoming European privacy regulations will come into force in the UK in May 2018 (before we leave the EU), and will introduce additional processing requirements and significantly larger penalties for non-compliance.
Enhancing security to protect against cyber attacks is often the first reactive step after being hacked, but the requirements for open data, the desire for transparency, the complexity of access requirements to support home workers and the increasing prevalence of BYOD (bring your own device) mean that it is becoming ever harder to keep external boundaries secure. If even the most tightly controlled military networks suffer breaches, a managed level of risk is at best determined by the trade-off between practicality and the cost of security, with perfection simply impossible to attain.
An often overlooked but arguably more effective response is to ensure the organisation knows exactly what sensitive data it holds and that this data is suitably protected internally. Auditing information for sensitive data has led me to many high-risk examples, such as child protection records on unprotected public shared drives, personal credit card information in open collaborative SharePoint sites, scans of passports and driving licences, utility bills, personal bank account details and medical records – and the list goes on and on. However this situation arose, leaving these sensitive records out in the open is a high-risk and potentially very expensive strategy. Add the cost savings from finding and removing configurable ROT (redundant, obsolete and trivial data) in the same audit process and you have a compelling case to regain control of your data at source, lock down the files that will cause financial or reputational damage when leaked, and reduce the impact of the inevitable cyber attack when it does happen.
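As an added illustration of the audit described above (example code, not from the original post), the Python scan below walks a set of constructed sample files, flags card numbers (Luhn-validated to avoid reporting order numbers and phone numbers), email addresses and UK bank account details, and ranks files on openly readable shares first. The share paths, the test card numbers and the example.com addresses are all constructed for the example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
UK_ACCOUNT_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b")  # sort code + account number

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right; the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return only Luhn-valid candidates, so order references and phone numbers are skipped."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [c for c in candidates if luhn_valid(c)]

def audit(files: dict[str, str], public_prefixes: tuple[str, ...]) -> list[tuple]:
    """Return (path, data_kind, count, is_public) rows, with exposed locations first."""
    findings = []
    for path, text in files.items():
        public = path.startswith(public_prefixes)
        for kind, hits in (("card_number", find_pans(text)),
                           ("email", EMAIL_RE.findall(text)),
                           ("uk_bank_account", UK_ACCOUNT_RE.findall(text))):
            if hits:
                findings.append((path, kind, len(hits), public))
    # Files anyone can read come first, then those holding the most records.
    return sorted(findings, key=lambda f: (not f[3], -f[2]))

# Constructed sample share contents: hypothetical paths, test card numbers, example.com addresses.
SAMPLE_FILES = {
    "//public/shared/finance/expenses.csv":
        "Card 4111 1111 1111 1111 used by j.smith@example.com\nOrder ref 1234 5678 9012 3456",
    "//public/shared/hr/payroll_notes.txt": "Pay to 12-34-56 12345678, contact a.jones@example.com",
    "//restricted/finance/cards.txt": "5500 0000 0000 0004",
    "//public/shared/it/printers.txt": "Printer queue names and IP ranges",
}
PUBLIC_PREFIXES = ("//public/",)  # locations readable by everyone in the organisation

if __name__ == "__main__":
    for path, kind, count, public in audit(SAMPLE_FILES, PUBLIC_PREFIXES):
        print(f"{'EXPOSED ' if public else 'internal'} {kind:16} x{count}  {path}")
```

Pointing the same functions at real file contents turns this into the first pass of the audit: the exposed rows are the files to lock down or remove first.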