INDUSTRY VIEW: Security experts examine parliamentary select committee’s proposals for data breach compliance, enforcement and awareness
A parliamentary select committee investigation established in the wake of the £60 million cyber attack on TalkTalk last year has published its recommendations on how such threats can be mitigated and prevented.
MPs want the Information Commissioner’s Office (ICO) to be granted more powers, a greater range of financial and custodial penalties for serious offences, and measures to improve the awareness of cyber threats among both businesses and citizens.
You can read a more in-depth look into the report here, but what does the security industry think about the proposals?
Mark James, ESET
“The recommendations seem reasonable and certainly a good basis for starting. Public knowledge is paramount when our data goes missing, changing passwords will not stop the damage caused by the actual breach but could help stop any future use of that data.
“One of the biggest problems with data breaches is how the stolen data is used, often it’s not sufficient on its own to gain access to financial data and is often used as bait to get more information from you; targeted email spam or even worse, actual telephone calls supposedly from the breached company pretending to help you have been used in the past in an effort to extract very private and confidential information from unsuspecting victims.
“If the public are made aware as soon as possible there is a good chance they won’t be fooled by these underhand tactics, the biggest thing we need to take away from this report is how important education is in one form or another, being aware of how you can protect your company and also just as importantly if you are breached how you can help your customers mitigate the damage caused.
Ryan Kalember, Proofpoint
“While this report contains some excellent recommendations that to the outsider may seem like appropriately strong measures, most of the findings and prescribed measures are underwhelming for those of us in the industry.
“Cyber criminals are taking aim at the trust between people and organisations that allows the modern Internet-connected world to function, as people take it for granted that the purported sender of an email is who she says she is, that a website that asks for your credentials really belongs to your service provider, and that a tweet from your bank about resetting your PIN code really came from your bank. That’s a more fundamental issue than heightened awareness, stiffer penalties, and better security programmes can fix.”
Carl Leonard, Forcepoint
“Knowledge is ultimately key when it comes to implementing security measures and businesses have to realise that no-one is safe from getting hacked.
“Companies must be proactive in their approach to securing their data starting now, which includes taking stock of lessons learned from data breaches of other and taking the necessary measures to better educate their IT departments and employees. Having an established data breach plan in place will help businesses be familiar with the necessary detect, response and recovery phases needed to ensure they limit the effect of an attack.”
Jonathan Sander, Liberman Software
“The notion of the CEO and Board being involved in cybersecurity is essential. Often the implications and remedies to cybersecurity issues cut across every aspect of an organisation’s operations. When these breaches occur, it’s absolutely required that executives use their powers to ensure response is swift and complete.
“The comparison of cybersecurity awareness for the public with smoke alarm testing is good, but the analogy seems to fall apart even as it’s made. Just like the public needs to proactively ensure their smoke alarms are in good shape they must also be proactively behaving in safe ways online and looking for the signs of a scam as they happen.
“The ICO and other bodies should be cautious about deploying systems of fines and other financial penalties for cybersecurity lapses. Often putting a set price on these risks simply allows organisations to make a calculation about how little they may spend on cyber defence in order to offset the maximum costs of fines. You see this at work in the regulatory world where an organization often decides to simply pay fees for being out of compliance rather than spend what they feel would be more to be in line with the statutes.
“If cybersecurity simply becomes another set of regulations, then a check box mentality will rule and we will see minimum effort and minimum expenditures. The risk of cybersecurity must be kept akin to the risk of real world crime, where organizations know that a big heist could be an existential threat to their business and act accordingly.”
Michael Callahan, FireMon
“Networked environments, especially in large enterprises like TalkTalk, are becoming increasingly complex with so many disparate solutions trying to solve the end goal of ‘cyber security’.
“What organisations now need to recognise is that more technology is unlikely to stop data leakage and prevent big breaches. Instead, they should focus on proper management of the solutions they already have in place and start looking for tools that give them total visibility into their environment and assess current processes to ensure they are still valid.
“Improved management and personnel training, as suggested in the latest report, will go a long way towards minimising these kinds of breaches and make sure personal customer data is effectively protected.”