There is a common refrain in the privacy community – it is not ‘if’ you are going to have a data breach but ‘when’. Personally, I have not worked at a place that didn’t experience some sort of breach – and if an organisation is claiming otherwise, you can bet that they just don’t know about the breaches that have happened.
Breaches come in all shapes and sizes, from the garden-variety ‘misfired email’ sent to the wrong individuals with the wrong attachments, to highly sophisticated cyber-attacks carried out by state-sponsored actors. Although breaches may look very different, a common theme emerges from the chaos as to why they occur.
I have had the opportunity to lead numerous domestic and international breach investigations, and time and again I’ve witnessed the same pattern – organisations have the right policies in place and possess many of the modern security tools, but then fall down when it comes to implementation and heeding the warning signs that a breach has occurred. In Equifax’s 2017 breach, hackers gained access to its systems through a vulnerability the company had known about for more than two months but had not fixed. The attackers were then basically ‘bopping around’ undetected for a further 77 days before the virtual door was shut.
Closer to home, our office has witnessed a similar trend in the Bailiwick, where breaches could have been avoided if existing policies and procedures had been followed. This often takes the form of sensitive personal information about an individual or group of people being emailed in a rush to an unintended party – and we have seen it occur in almost every corner of the community, including the financial, public and education sectors.
Now here is the good news – the inevitability of breaches does not mean that you can’t take meaningful steps to minimise their occurrence and the damage they inflict. And the formula for protecting yourself is strikingly simple.
Organisations need to think of breach preparedness like a car’s cruise control. You can’t set it and then climb into the back seat to make yourself a sandwich because, guess what – you’re going to crash, especially on the challenging roads here in Guernsey. You have to steer the car carefully, be aware of present dangers and be prepared to confront the unknown threats waiting around the next bend, all towards protecting yourself, your passengers and the innocent pedestrians along the route. Put simply, breach preparedness must be viewed as a dynamic rather than a static responsibility.
This means that policies for sending messages containing sensitive information only work if you follow them, monitoring for cyber-attacks is only effective if you act on the warning signs it raises, and suspicious links or attachments in emails do far less harm if nobody opens them.
Hey, I am the first to admit that such advice is easy to say, but not always straightforward to put into consistent practice. Who hasn’t accidentally hit ‘reply all’ to a mass email when the message was only intended for the sender? I certainly have. Often the stakes aren’t high in such missteps, resulting perhaps in an embarrassing moment where you tell 300 people you will have the chicken for lunch and that you don’t have any food allergies.
Life can be fast and bumpy – you get distracted, rushed, and sometimes look for shortcuts. The challenge is that when you are responsible for sensitive data, those procedural shortcuts can damage not only your organisation’s reputation but also the individuals whose data has been exposed.
So how do you instil that commitment to accountability in yourself and your colleagues? By not relegating data protection practices to a once-a-year checkbox, but living and breathing them through ongoing training, exercises and mock drills. And when a breach does happen, the organisation’s response is paramount. Have you informed the affected individuals? Closed the door on the weakness that let the attacker in? Reported to the ODPA? For high-risk breaches, these steps can substantially limit the damage a breach causes.
There is a famous quote, often attributed to Benjamin Franklin: ‘Tell me and I forget. Teach me and I remember. Involve me and I learn.’
The ODPA is holding a breach workshop on Thursday 19 June at 9am at the bathing pools to provide actionable guidance on breach prevention and how to respond to a breach when it happens to you.