The breach announced at the University of Greenwich has again shown that it is vital for organisations to address the insider threat across the full range of accidental to deliberate actions.
A significant amount of personal data was posted to the internet in error. As well as the usual information, such as names, dates of birth and addresses, it included sensitive information about the students and copies of their signatures: details that are an identity thief's dream data set.
Policies and procedures alone are never enough
As is often the case, the University's response was that it was a serious error, in breach of its own policies and procedures. This shows that having policies and procedures alone is not enough: there needs to be meaningful awareness training from the point someone joins an organisation, continuing regularly throughout their involvement. This should not be limited to employees; it is vital that contractors, consultants, volunteers, associates and, in the case of educational institutions, the students themselves are trained.
Not complying with the GDPR will be costly - very!
The UK's Information Commissioner is quite rightly investigating this, and the size of any fine imposed will, as always, indicate how seriously the incident is taken. There is a maximum of £500,000 available under current legislation, but an interesting aside is that the coming EU General Data Protection Regulation (GDPR) will allow for fines of up to 4% of global revenue. In the case of the University of Greenwich this could be around £8,000,000, based on its report and financial statements for the year ending 31 July 2015. Whilst the two-year run-in period is not likely to start until the middle of this year, the incident shows that there is still much to be done by organisations before compliance day arrives.
The time to prepare is now ...
Organisations need to be prepared for the threats from both accidental and deliberate insiders. The starting point should be to determine which digital assets are important, not just from a business perspective but also from the regulatory angle. Given the imminent arrival of the GDPR, organisations should consider going right back to basics with personal data: what they actually need, why they need it and how they currently obtain informed consent, so that when the new regulation is in place some of the hard work has already been done.
To prepare for the GDPR, organisations should also develop a clear picture of who needs access to which information and how, including any external parties used for processing, storing or using those digital assets.
Once an organisation has established what it wants to protect and from whom, the right technical and people-related controls, such as focussed training and awareness, can be put in place to give the assets the protection they merit. As well as reducing the risk of a cyber incident, whether it results from an accidental or deliberate act, this will allow organisations to understand what the impact could be if an incident does occur, and will prepare them for the GDPR.
# # #
Stephen Bailey leads the Cyber Security Team in PA’s technical security practice, which provides:
- Technical security services such as penetration testing, code reviews and firewall rules assessments
- Audit and compliance services for standards including PCI DSS, ISO27001 and PAS555
- Information security consulting services
- Training relating to our delivery services described above.
Steve specialises in people risk, which is counter-productive behaviour whether accidental or deliberate, and helps organisations to take a more people-focussed approach to mitigating it. He is also developing 7Safe's data protection and privacy offering in relation to the upcoming EU General Data Protection Regulation.