Cyber-crime, data loss and risk management
A recent article published in London’s Evening Standard has hit home the extent of cyber crime affecting London Boroughs (LBs).
Briefly, 27 LBs were asked via a Freedom of Information Request (FoIR) to answer questions about the extent to which confidential data had been accessed by unauthorised people in the past 2 years. 22 responded.
ALL admitted a data breach.
ALL BUT 1 admitted that they did not know where their data was stored, on site, off site, in a cloud… down the back of a drawer…
9 admitted that data security had not been audited for 2 years.
Yes! says the consumer, in the sense that LBs are charged with looking after our data on our behalf. The data is extensive and relates to our dealings with an LB… in other words, pretty much everything that our lives revolve around: council tax, parking, housing, schools, health. The consumer has justifiable fears that personal information is sold on the black market and then what? In the blink of an eye, a person finds out he or she has a poor credit rating and a non-existent expensive sports car defaulting on a loan. And a big headache.
No! says the risk manager, who already knows that public bodies are often poorly resourced, ill-equipped to properly manage data (big or small) and those behind data breaches are sophisticated, probably based abroad and impossible to find.
So preventing data breaches is a must for every organisation, private or public. I go as far as to say it is a duty. A moral and a legal one. So how to prevent (or, more accurately, minimise the risk of) data breach? Having enterprise risk management (ERM) systems and processes in place to protect an organisation and its data is essential. That much everyone agrees. But if the ERM measures are out of date, as the FoIR data evidences is overwhelmingly likely, then a bright-eyed risk manger will consider taking steps such as these to keep the ERM fresh and fit for purpose:
Invest in a thorough review of the existing ERM strategy and set up: a fresh pair of independent expert eyes can work wonders. Then diarise an annual audit.
Organisational structure must leave no gaps: clarify reporting lines and set responsibilities to report monthly and review quarterly.
Be vigilant on the IT front: keep your software, hardware, and protective technology, up to date.
Ensure you know where your data is stored, how often it is backed up and how to retrieve it: in the event of a breach, you will need to identify quickly the magnitude of the loss and the sources of recovery.
Consider taking out cyber insurance for the one big hit, and consequential fall out (time, money, PR…), which you currently take a gamble on: your risk profile (and premium) will be affected by your ability and energy to be watchful and responsive.
Just as I sign off, I see breaking news of a plot to steal $50m in refunds and personal data relating to 100,000 citizens from the USA’s IRS (tax office) … you have been warned.