Bad Security – Taking Risks and Not Realising It

Another fine has been issued by the Information Commissioner’s Office (ICO) and, again, it is the result of something that could easily have been prevented if a bit of time and money had been spent in advance.

On Thursday, 22 Nov 12, the ICO reported levying a £60,000 Civil Monetary Penalty (fine) on Plymouth City Council following the accidental transmission of case notes to the wrong people.

The press release states:

The Information Commissioner’s Office (ICO) has today served a monetary penalty of £60,000 to Plymouth City Council for a serious breach of the Data Protection Act where the details of a child neglect case were sent to the wrong recipient.

The report included highly sensitive personal information about two parents and four children, notably allegations of child neglect resulting in ongoing care proceedings.

An investigation by the ICO found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.

On the surface, this appears to be yet another example of how decisions over how funds are spent have come back to haunt an organisation.

Security can appear costly and for some reason this is viewed as a great business expense to cut when organisations (public and private sector) are looking to reduce costs and shrink budgets.

But inevitably this turns out to be a very false economy and, like Plymouth Council, the true costs of cutting back on security only come to light at a later date.

In this instance, it is clear that if Plymouth City Council had invested a reasonable sum of money in its security & compliance activities, it would have been able to avert compromising public data, causing distress to the public and a £60,000 fine. Instead, either someone within the Council has decided that this is an acceptable risk or, even worse, the Council never managed to properly identify its risks to realise it should protect against this type of event.

Had Plymouth City Council invested properly in its security, it could have spent £15,000 on an external consultant performing a deep dive and identifying the risks to allow good management and a further £15,000 for practical and effective security training to improve the organisational security culture.

Spending £30,000 would have prevented a £60,000 fine and, after the fine, they still have to find the funds to improve their security. Is this something the Council will realise, and will they take action against whatever budget holder is responsible for deciding that spending money on security is a bad idea? Sadly, this is unlikely unless the local taxpayers finally get frustrated at losing other services or paying more Council Tax and complain, but this situation can't last forever.

The crucial lesson from Plymouth City Council needs spelling out: Cutting corners with security budgets is a false economy. You aren’t saving money, you are buying risk.

If you run an organisation of any size, be aware of the impact of cutting back on security. Don’t let your budget holders fool you into thinking reducing security budget is a saving that gives you money to spend elsewhere. If you cut back on security – or even fail to properly provision it in the first place – the money you aren’t spending has to be kept to one side as insurance.

In risk management terms, you are tolerating the risk by becoming your own insurer. While in some situations this may make sense, most of the time when it is spelled out in this manner, people realise it is a flawed tactic.

Plymouth Council may not even have been aware of the scale of the problems they faced, which is an unfortunately common problem and makes finding a solution very difficult.

To demonstrate this, Stephen Eckersley, Head of Enforcement at the ICO, made this statement about the data breach:

It would be too easy to consider this a simple human error. The reality is that this incident happened because not enough care was being taken within the organisation when handling vulnerable people’s sensitive information.

So, at an organisational level, security wasn’t seen as important enough to drive an improvement to employee behaviour. This implies that there is a lack of security understanding at least at the middle management level.

Organisations that suffer from this face a myriad of security risks (from asset loss to regulatory fines) and aren’t able even to identify these, let alone address them. Once you have gone down this path, it is only a matter of time before something goes wrong and, unless you have good cash reserves (or are very lucky), this can be catastrophic.

Here are some questions you need to consider; they will help you determine where your organisation needs help:

  • Do you have an active security / risk management function that is able to report to senior leadership? This can be information risk, physical security, a combination or whatever suits your organisation. The important part is that you have a body with access to the right people who can identify and report risks.
  • Do you maintain a security risk register that is reviewed by the senior leadership (CEO/MD/whatever is appropriate) on a regular basis? At least once every six months, the senior decision maker of your organisation should be made aware of what risks exist and how they are being managed.
  • Do you hold executives accountable for their budget decisions? If you encourage budget holders to cut costs and they go unpunished when the cuts lead to more significant losses, then you are going to lose money. Decisions need to be mapped to short and long term risks and all parties must be accountable, even if the risk materialises years later. This is a very difficult problem for organisations to solve without external help.
  • Do you really understand the security risks you face and the possible financial harm that may materialise? For years security risks have been over-hyped and, as a result of these risks never materialising, it is easy for people to think there is no risk and no value to security. This is a genuine mistake and possibly more harmful than over-egging the risk. The key is to get a thorough understanding of what threats your business faces, how much harm they could do and what you need to do to mitigate against them. For example, if you handle personal data, a breach can cost up to £500,000 (although realistically the maximum fine so far is £325,000), so you need to make sure you are spending the right amount of money to prevent this happening. Crossing your fingers and hoping is not the solution.

The golden rule is don’t take unnecessary risks with your business. If you don’t know what risks you face, get urgent help. Tomorrow might be too late.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.