A report by the Institute of Directors (IoD) and Barclays recently highlighted that one quarter of organisations had suffered a breach in the last twelve months, although only 28 per cent had reported it to the authorities. It is believed that the actual numbers of attacks could be higher.
The fact is that there are still a large number of organisations simply not aware of incidents, or that don’t have the technology or processes in place to identify or respond to a data breach involving personal information. In many instances, attackers can go undetected and access sensitive information for months before being discovered.
Moreover, the scope of where personally identifiable information (PII) resides – from phone numbers to IP addresses and credit card details – is often far wider than many organisations may have considered.
However, with the impending EU General Data Protection Regulation (GDPR) expected to come into effect in early 2018, this will need to change. The race is on for organisations to start preparing now with an IT infrastructure and processes which will protect personal data and meet GDPR requirements.
Under these new laws, if there is a data breach, organisations will have to inform the authorities "without undue delay and, where feasible, not later than 72 hours after becoming aware of it". Failure to comply will come with fines which could be up to four per cent of an organisation's annual revenue.
One of their biggest challenges is to get a handle on how and where they collect, process and store PII. Specific databases, HR and financial software can be identified easily. Working out their corresponding security strategies is a challenge but well understood. However, it’s not only applications such as these that store personally identifiable information; normal user activities like logging into social media, online banking or remote access also produce PII in the form of access credentials, cookies and geolocation data and get recorded in system and application logs.
Since organisations have obligations to store log files for years – depending on the industry and compliance regulations – over time a hacker, or even a malicious insider, could collect many different forms of data to create a holistic picture of an individual.
We may not be able to change this user behaviour, but organisations can take steps to mitigate the risk by collecting information in a way that is secure, encrypted and anonymised to ensure it cannot be linked to an individual. With targeted attacks on the rise, they also need to improve the way they are able to detect unusual behaviour, with monitoring tools that can identify, for example, if a user’s account has been hijacked, so that attacks don’t go undetected for months.
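One way to put the "encrypted and anonymised" logging described above into practice is to pseudonymise PII fields before log lines reach long-term storage. The Python below is an added example, not code from the article or any product it mentions: the log lines are constructed samples imitating the remote-access, web-login and geolocation records the text refers to, the field names (`user=`, `cookie=`, `geo=`) are assumptions about a hypothetical log format, and `PSEUDONYM_KEY` stands in for a secret that would really be fetched from a key store. Identifiers such as IP addresses and usernames are replaced with keyed HMAC tokens, so the same user still produces the same token (which the account-hijack detection mentioned above depends on) while the original value cannot be recovered without the key; credentials and cookies are dropped outright, and coordinates are coarsened.

```python
import hashlib
import hmac
import re

# Constructed sample log lines (not taken from the article or any real system).
SAMPLE_LOGS = [
    "2017-11-02T09:14:21Z sshd[1203]: Accepted password for alice from 203.0.113.42 port 51514",
    "2017-11-02T09:15:03Z web: POST /login user=alice@example.com status=200 "
    "cookie=sessionid=8f3a1c99d0 ip=203.0.113.42",
    "2017-11-02T09:15:04Z web: GET /profile user=alice@example.com geo=51.5074,-0.1278 ip=203.0.113.42",
]

# Assumed placeholder: in a real deployment the key lives in a KMS/HSM, never beside the logs.
PSEUDONYM_KEY = b"replace-with-a-secret-from-your-key-store"

# Field patterns for the hypothetical log format used in the samples.
SECRET_FIELD_RE = re.compile(r"\b(cookie|password|token|sessionid)=\S+", re.IGNORECASE)
USER_RE = re.compile(r"(Accepted \w+ for |user=)(\S+)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
GEO_RE = re.compile(r"\bgeo=(-?\d+\.\d+),(-?\d+\.\d+)")


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed, truncated HMAC-SHA256 of a PII value.

    The same input always yields the same token, so events can still be correlated
    per user or per source address. An unkeyed hash would not be enough for small
    input spaces such as IPv4 (2^32 values can simply be enumerated); with HMAC the
    mapping is only reversible by whoever holds the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def coarsen_geo(match: "re.Match[str]") -> str:
    """Round coordinates to one decimal place (roughly 10 km), keeping only a region."""
    lat = round(float(match.group(1)), 1)
    lon = round(float(match.group(2)), 1)
    return f"geo={lat:.1f},{lon:.1f}"


def sanitise_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Apply the rules in order: drop secrets, then pseudonymise identifiers, then coarsen."""
    # 1. Credentials, cookies and session tokens have no analytic value: remove them.
    line = SECRET_FIELD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    # 2. Usernames in known positions (sshd "for <user>", web "user=<value>").
    line = USER_RE.sub(lambda m: f"{m.group(1)}<user:{pseudonymise(m.group(2), key)}>", line)
    # 3. Any remaining e-mail addresses elsewhere in the line.
    line = EMAIL_RE.sub(lambda m: f"<user:{pseudonymise(m.group(0), key)}>", line)
    # 4. IP addresses (the article counts these as PII).
    line = IPV4_RE.sub(lambda m: f"<ip:{pseudonymise(m.group(0), key)}>", line)
    # 5. Precise geolocation is reduced to a coarse region.
    line = GEO_RE.sub(coarsen_geo, line)
    return line


def sanitise_logs(lines, key: bytes = PSEUDONYM_KEY):
    """Sanitise a batch of lines; this is what would sit in front of the log archive."""
    return [sanitise_line(line, key) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOGS, sanitise_logs(SAMPLE_LOGS)):
        print("raw:  ", original)
        print("clean:", cleaned)
```

Two design points matter for GDPR purposes. First, pseudonymised data is still personal data while the key exists, so the key must be stored and access-controlled separately from the log archive and rotated on a schedule; rotating it also breaks correlation across the rotation boundary, which is a deliberate trade-off. Second, the rules are tied to a specific log format; every new source feeding the archive needs its own field mapping, otherwise a new application can silently reintroduce raw PII into logs that are retained for years.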
As organisations can only report what they know about, visibility of where personal data resides, and of unusual activity, will be key.