ManagedIT - issue 54

12 MANAGED.IT 01732 759725 GDPR

can be huge. In addition to the monetary fine, there can be loss of goodwill, damage to the company’s reputation, loss of future business, network downtime, legal fees for years on end, employee morale issues, customer loss of trust and confidence, executive turnover, unhappy shareholder demands. All this can lead to failure of the business. If you aren’t a big company and you don’t have the money to go through an expensive appeal process like BA is doing, a fine may literally shut you down.

Tony Pepper, CEO, Egress: It’s really interesting that the ICO issued a second intention to fine under GDPR just one day after the BA news broke. By barely drawing breath between the two announcements targeting two household names, they have achieved maximum impact in showing the potential of their extended powers under GDPR. The scale of both fines can leave no doubt in anyone’s mind that we are now operating under very different standards than when the Data Protection Act was enforced. If it wasn’t clear before, it certainly is now: there can be no hiding place for organisations that fail adequately to protect customer data. If the BA announcement felt like the tip of the GDPR iceberg, the Marriott one has started to show how deep this problem really goes – and what the ICO is willing to do to get to the bottom of it.

Alex Bransome, Virtual Cyber Information Security Officer, Doherty Associates: According to the ICO report, there were major weaknesses at the front end of British Airways’ data network via its website, which is surprising given that this is where all business critical data on customers is processed. The attack was made possible due to a major web-based vulnerability in the front end of BA’s website, which cyber attackers exploited using a common strain of malware, heavily customised to exploit the vulnerabilities of the BA network.

It was a very well planned and targeted attack that allowed cyber criminals to skim off customer data and credit card details. BA should have been doing more to monitor, test and update its security systems to ensure there were no gaps in their cyber defence that hackers could take advantage of. Commonly, organisations make the mistake of deploying security systems and then leaving them. This record £183m fine imposed on BA is a warning shot to all other organisations that the ICO is serious about fining anyone breaching GDPR regulations. To keep their front door secure and personal data protected at all times, companies must regularly run security checks and update their security systems to ensure any vulnerabilities are identified and patched so no gaps are left for cyber criminals to exploit. If not, they are leaving their customers’ data exposed, risking a GDPR compliance breach and major reputational damage.

Dr. Guy Bunker, CTO, Clearswift: With the news that BA has been fined £183m, we have an answer to the question posed at the time of the hack: will we see a substantial fine levied on the company? While there have been a number of breaches since the legislation was brought in last year, this is the first major ICO fine for a GDPR breach in the UK and shows that the Information Commissioner’s Office is willing to fine large companies for losing personal information, in this case 1.5% of their worldwide turnover in 2017. British Airways will now have to redouble their efforts to prove that they and their supplier have a malware-free infrastructure, in order to begin the process of rebuilding trust with customers. The good news is that the breach was picked up relatively quickly. BA has systems in place that enable it to narrow down both how the incident happened and who was affected. Unlike the TalkTalk incident, where the numbers impacted changed on a regular basis, the BA team appears to have done its due diligence on the event quickly and efficiently.

Finding a second attack is not uncommon, and there may well be more. The sophisticated attacks now carried out by organised criminals are designed to have multiple aspects, so that if one is discovered, secondary or tertiary attacks will be ongoing. Any vulnerability found in an IT infrastructure will be exploited to its maximum, and within that exploit further discovery will be carried out to see what other pieces of malware can be introduced. Once an infection takes hold of an environment, it is often easier to rebuild it from scratch than to try to take out the malware infections one by one – if you miss one because it is hibernating, you could end up back at square one in a few weeks’ or months’ time.

Divya Gupta, Partner, Dorsey & Whitney: The huge fines facing Marriott for a GDPR breach are a signal to other companies that the regulatory bodies are strictly enforcing the law to protect consumer personal data from loss, damage or theft. When entrusted with personal data, it’s a company’s job diligently to look after it, and for many years businesses have gotten away with not doing so. With further fines like this on the horizon, companies doing business in the EU should look to their American operations too. Several states are imposing privacy laws in the United States – California leading the pack with the California Consumer Privacy Act – and this means possible future penalties for non-compliance now. Thirty million Europeans were impacted in the Marriott breach; if just 10% of that number were California residents, Marriott would be looking at $300,000,000 in domestic statutory penalties as a minimum for failure to enact reasonable security practices and procedures. The lesson here: this GDPR penalty is a paltry sum compared to what is looming.

Jake Olcott, VP Government Affairs at BitSight: It has never been more important for board members and corporate executives to understand and manage their organisation’s cybersecurity performance. Poor performance leads to breaches, fines and legal liability, so executives must start treating cybersecurity like other business risks. Receiving ongoing briefings, quarterly reports with quantitative metrics, and developing a more strategic approach to cyber risk are no longer nice to have, they are required.

...continued
