Time to take data security seriously
I’ve been talking about the subject of information security weaknesses in smart buildings for a while now, and maybe it’s coincidence, or maybe just an example of the Baader-Meinhof effect, but the news around this has appeared to be getting noisier recently. We had a serious botnet attack on the DNS infrastructure at Dyn in October, French hosting company OVH were attacked in September and whilst researching attacks on journalists I found that Google are running a free service called Project Shield, created specifically to protect news media sites from denial-of-service attacks that are becoming a regular feature of online publishing. There is of course a debate to be had about how this puts Google into a position where they protect those they feel worthy of the service – but that’s for another day.
My attention was then caught by this story about a German steel mill that suffered damage after its systems were compromised via a phishing email, which led to a widespread attack on the plant, including its industrial control systems. Best practice says that this type of equipment is not connected directly to the internet, but this rule of thumb is often ignored, mainly because the systems are diagnosed and/or managed remotely. The assumption that best practice will be followed is a dangerous one.
This vulnerability in cyberspace, caused mainly by poor practice in manufacturing or installing new devices, should make us think hard about how we protect data. There is an ever-increasing amount of personal information being gathered about us, which can be used to help us understand our own lives and make better choices – or it can be used by people or organisations that do not have our interests at heart. So the current debate around the Digital Economy Bill in the committee rooms of Parliament is an interesting, and important, one. One of the key proposals of the bill is to allow sharing of individuals’ data between government departments. This is a good thing in many ways and could lead to better service provision and reduced duplication of services in the civil service machine. The bill also makes provision for mandatory age checking for certain websites, notably pornography. Again there are laudable reasons for this, but what this essentially becomes is a porn-viewers register. Once all this information is stored and shared, where are the controls on *how* it is shared?
The bill allows for information to be shared for ‘research’ in the public interest, and there are no definitions of who would be carrying out this research or what the definition of ‘public interest’ is in this case. Given that the National Audit Office report into how government protected our data last year recorded 8,995 data breaches by the 17 largest departments in 2014/15, I believe it’s fair to question the competence of the government to manage such large amounts of aggregated data at this point in time.
This all points to a need for companies and individuals to take a serious look at how they manage their information and the systems that process it. The GDPR regulation coming into force in 2018 provides for fines of up to €20 million or 4% of global annual turnover – whichever is greater – for breaches of personal data, and breaches must be notified within 72 hours.
Understanding this world and building coherent strategies for managing data is not impossible, but it does need a conscious decision and consistent effort. If you don’t think you’ve got a handle on it today, my advice is to start thinking about it tomorrow.