CRIBB Cyber Security’s Conor Byrne says it is vital to protect your customers
On the 6th September 2018 British Airways disclosed that it had experienced a significant data breach and that approximately 380,000 transactions had been affected, although the stolen data did not include travel or passport details. The ICO later stated that 500,000 customer records had been harvested in total.
Could BA have prevented this breach? Probably not. Its website contains millions of lines of code and thousands of very complicated routines and functions that are continuously changing and upgrading. This is the nature of the travel business. The best Quality Assurance (QA) procedures available would still allow for some undetected holes in the programming and the website developers will always try to minimise these. The attack was also quite sophisticated and often the hackers are some of the best programmers in the world, which makes it extremely hard for BA’s website developers to keep up.
The fine of £183m amounted to 1.5% of BA’s global turnover; under GDPR rules it could have been 4%. So why wasn’t it 4%? The current thinking is that although this was a significant breach, BA had implemented processes and procedures to deal with a breach. Once the breach was identified, BA was able to contact people affected and advise them what action to take.
If this wasn’t concerning enough, Marriott Hotel Group was fined almost £100m on Tuesday 10th July by the UK’s ICO after malicious attackers stole 339 million guests’ records. Back in November 2018, Marriott International disclosed that personal data consisting of credit card details, passport numbers and customers’ personal data had been stolen in a colossal global hack of guest records.
The investigation, undertaken by the ICO, concluded that the attack began with systems at the Starwood hotels group becoming compromised in 2014. Marriott, on acquiring Starwood Hotels in 2016, failed to conduct appropriate due diligence and security checks. The resulting theft of customer information was not discovered until November 2018.
Every travel company should take note of this. If you are breached you are at a serious risk of being fined. It is important to be able to prove that you have taken action to protect your customers’ data, as failure to do this can result in a fine of up to 4% of your global annual turnover. In our previous articles we considered and explored a number of different ways that data can be breached.
As a company executive there are steps you can take to reduce the chance of a breach, reduce the effect of a breach, should it happen, and reduce or negate any fine that may be levied on your company.
Step 1 is to implement an information governance framework. The main starting point in the UK for information governance is Cyber Essentials (CE). This standard applies to system security and identifies where your data is, where it is being sent and how it is processed. Once you have completed the Cyber Essentials (CE) certification, additional standards such as ‘ISO 27001’ or the ‘IASME Information Governance’ standard can be undertaken to provide GDPR compliance through appropriate policy and procedural controls. These will ensure that you have good data governance in place as a government-registered assessor will assess them and issue certificates when the standards are met.
Step 2 is to further validate your company’s physical systems security. The entry level standard for physical system security is known as Cyber Essentials Plus (CE+). (Please note that Cyber Essentials (CE) must be completed before attempting Cyber Essentials Plus (CE+).) Cyber Essentials Plus (CE+) introduces additional cyber security questions and an audited verification of your responses about the hardware that is protecting your data. A trained assessor will run vulnerability scans and moderated penetration tests on your website, networks and connected systems.
If you are breached having completed the steps above prior to the incident, the ICO may look more favourably on your company should it come to levying its fine. These certifications are not just a paper exercise – they are practical steps that companies can take to protect themselves, their employees and their customers.
“It is not if you will have a data breach, it is when!”
The other key GDPR requirement is for companies to appoint a Data Protection Officer (DPO). GDPR makes it clear that organisations must be accountable for the personal data they hold. This includes carrying out proper due diligence and implementing accountability measures to assess which personal data has been acquired and how it is managed. As such GDPR 2018 introduces a compulsory duty for you to appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities.
DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability. When appointing a DPO it is worth noting whether they have the legal and cybersecurity experience to be able to assist you correctly. Most DPOs will not only require appropriate training and qualifications, but appropriate approval from a governing body. It is in this respect that leading DPOs come from security auditing or legal backgrounds and understand data protection regulation, not only in the UK but across Europe and worldwide.
Appropriate Data Privacy, Information Governance and Security audit certifications will greatly assist your DPO in advising on your company’s security and defence against potential fines. The certifications (with the exception of Cyber Essentials Plus (CE+)) can be completed under a self-assessment process; however, companies often employ the services of an Information Government Advisor (IGA) to get real practical value from the standards. The IGA will explain in detail how to answer the questions and will often provide a set of tools and policies that will make the process much easier to complete and achieve certification. Accreditation bodies such as IASME, who are the guardians of these standards on behalf of the Government, assess and certify Cyber Security companies who can then supply IGAs to assist you with CE and CE+ certification assessments and GDPR compliance.
Remember: you will have a breach at some stage, therefore utilising professionals to help you implement standards will ensure that you’re investing appropriately in protecting your customers’ data, as well as evidencing the precautions being taken. The ICO can fine you for not being compliant with its legislation so it’s hugely important to implement the correct security procedures and governance to protect data and prevent, or at least mitigate, any security breaches. Businesses should view cyber security, GDPR and information governance as a positive; the laws ensure that you streamline your company, mitigate the impact of potential security breaches and will help you sleep better knowing that you’ve taken the best precautionary course of action for your company.