Blog : BOARD TALK
Posted on May 9, 2017 at 12:00 PM
So The Guardian dating website 'Soulmates' is the latest to admit to a data breach. Unsurprisingly, it doesn't amount to much of a story in The Guardian.
As reported yesterday on Forbes, Barclays Bank UK has launched a national digital safety drive after its research revealed that a quarter of people in the UK (25%) have experienced a cyber-fraud or scam in the past three years. Yet there remains a strange reluctance among businesses to take ownership of data breaches - and an ongoing and worrying lack of transparency.
I was sent some thoughts from DQM GRC - a business formed in 1996 that specialises in data governance, risk mitigation and compliance (GRC) advisory services, benchmarking research and technologies to 'de-risk data assets'. As they are clear, concise and make good sense to me, I am going to reproduce them here rather than paraphrase them and take the credit.
So, here is their development director, Peter Galdies:
"The Guardian is a brand usually synonymous with good practice on data governance – their consent guidance and transparency is often picked out as an exemplar of good practice – and yet they are in the news after appearing to have suffered a data breach.
In this instance, it appears that the Guardian Soulmates website suffered some form of vulnerability that allowed users’ details to be compromised, resulting in users receiving unwanted sexually explicit spam emails.
The Guardian newspaper's publisher, which runs the service, said "human error" was at fault - but then continued to blame a third-party technology provider for the problem, which has now been rectified. (my emphasis)
This issue clearly highlights three key points:
1) It can happen to you – if an organisation as well managed and compliance aware as the Guardian can get hit - anyone can. (my emphasis)
2) Breaches often occur via third parties. In this case a technology partner appears to have been to blame. While vulnerabilities can often “creep in” to development, a strong and robust vulnerability assessment programme including penetration testing and patch management should minimise this risk. Such third parties may hold some legal responsibilities as processors under the new General Data Protection Regulation laws - hopefully adding to the impetus for more robust protection of personal information. Organisations need to take steps to assure themselves that their third-party processors and suppliers can provide well-governed and secure management of the personal information entrusted to them. (my emphasis)
3) The final point concerns the amount of time this has taken to become public – with some users having notified the Guardian over 6 months ago. (my emphasis) Under the new legislation organisations will have to notify the ICO within 72 hours of having become “aware” of such a breach, and the affected users as soon as reasonably possible. This doesn’t appear to have been the case in this instance and may well prove to be an issue for many organisations. A well-formed breach management process should help organisations be ready for such unfavourable circumstances."
He knows far more about data breaches than I do, and the 'supply chain' point about third parties is obviously a valid one. I am also not sure when the new legislation kicks in.
But I know it has become all too apparent that the reason the boardrooms of FTSE 350 businesses don't do more about data and cybersecurity is that they have no idea how to deal with the issue - as I covered here on Forbes last month.
Is it that good old-fashioned British (and, dare I say it, often male?) unwillingness to admit they do not know? Is it time to make it a requirement of the Corporate Governance Code for a digital quotient to measure best practice in corporate governance for listed businesses - as I suggested on Forbes almost two years ago?
At least then we would require more transparency and aim for more protection for stakeholders - instead of treating cybersecurity as a bad smell and hoping it will dissipate of its own accord.