When Bloomberg broke the Uber hack story in mid-November, it was jaw-dropping news on several levels. Firstly, the sheer scale of the data extracted from the company: 57 million names, email addresses and phone numbers, 600,000 of which were drivers and their licence details. Secondly, that Uber had paid the hackers to ‘delete’ the data and received assurances this had happened, something some commentators have described as ‘nonsensical’. And finally, and perhaps most critically, the reported admission that this took place in 2016 and had been concealed would leave most kicking their jaw along the floor!
It is a simple fact that when companies experience a data breach, they must inform those affected immediately, as well as comply with relevant regulations such as EU GDPR, which comes into force in May 2018. Uber’s breach of 57 million customers' details would have cost the company dearly in fines under that regulation, and board members such as the data protection officer and CEO would have been held accountable. All companies must act to ensure all personally identifiable information is encrypted, not just data ‘perceived’ as sensitive such as bank information or medical data. Encrypting customer data protects your customers, as well as your company, mitigating the risks of fines and personal liability.
Companies are rightly fearful of the impact a data breach will have on their reputation, as we have seen with cases such as TalkTalk in 2015. That breach was reported as only affecting 4 per cent of its customers (101,000 people), but led to a £15m disruption to their quarterly figures and subsequent costs that put the total bill at £60m. And those are just the hard costs, the reputational damage to the brand with customers and observers is much harder to measure.
Whilst it may never become public knowledge why Uber took the decisions it did in respect of its data breach, many will believe it put its own self-interest ahead of the security of its customers and drivers.
Prepared to act?
The simple truth is that protecting data is not just a matter of technology; it is also a matter of how and where that technology is applied in a complex and dynamic infrastructure, and of attitude and process.
On May 25th 2018 the EU General Data Protection Regulation (GDPR) will come into force, meaning that if your company trades with EU citizens or holds data on them, then you are bound to adhere to the regulation. Compliance is not just a matter of avoiding fines; consumers care deeply about the abuse and loss of their data. The reputational damage from non-compliance can far outweigh the fine of €20 million or 4 per cent of global revenue that a company could receive from the EU.
Research we conducted earlier this year showed that UK companies are struggling to get ready for the new rules in key areas such as the management of personally identifiable information and data breaches. Looking specifically at data breaches, the survey found that only 37 per cent of UK companies are completely confident that they can report a data breach to the authorities within 72 hours of discovery. Companies also admitted they cannot easily identify the data obtained in a breach: as few as a quarter (27 per cent) are completely confident that they could precisely identify the data that had been exposed.
Companies may be making headway in their ability to identify data breaches, and report them, but considering it is only a matter of months until the legislation takes effect, many will be cutting it a bit fine! These processes should already be in place.
Encrypt your data – all your data!
It is often forgotten that the role of security is to protect against problems on the inside as much as the outside, whether an accidental breach of data or a rogue employee. Sensitive data, whether it is personally identifiable information of your customers or corporate data, should always be encrypted and kept in that state. A simple rule is that if you don’t want just ‘anyone’ to see it, then it should be encrypted. That way encryption becomes embedded in the organisation from a technology and process perspective. Encryption is the last line of defence against any loss of data or attempted hack. Attackers may still get your data, but if it is unintelligible, the damage, including reputational damage, is mitigated as far as possible.
Manage your clouds
One of the areas where protecting data can easily fall down is when a company uses third-party cloud services. This is not because they are in any way more insecure; it is more an issue of management. When a company chooses to use multiple environments, which many do, sharing application workloads across them for resilience and to store data, it can become very complex to manage virtual machines and encrypt data across those services in a way that maintains complete control and visibility over how data is protected. This is because virtual machines are so easily spun up dynamically, and data moved around between them on a service and even between services, that sometimes it is not clear what resources you have and how protection has been applied.
Often multiple management consoles are required, either for different providers or for different tasks. This type of complexity can lead to mistakes being made, data breaches or service failures. It is important to think as carefully about the management tools and processes used for encryption and general service management as about choosing individual cloud service providers. By using centralised encryption key management, companies can ensure only authorised people have access to their data, wherever it is stored: on premises, or in public or private clouds.
If your company wants to use third-party cloud storage services, it is critical to use solutions where the encryption keys are always in the control of the organisation, rather than the cloud service. This adds yet another level of protection should a breach occur at a third-party cloud service provider.
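As an added illustration of keeping the keys with the organisation rather than the cloud service (example code written for this page, not from the article or any WinMagic product): envelope encryption in Go, where each record is encrypted under its own data key (DEK) and that DEK is wrapped under a key-encryption key (KEK) that only the organisation holds. The cloud store receives just the ciphertext and the wrapped DEK, so a breach there yields unintelligible data; the KEK and record values used are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal returns nonce||ciphertext under key (crypto/rand.Read cannot fail as of Go 1.24).
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; the GCM tag makes a wrong key or any tampering fail.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated data")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// Encrypt wraps a fresh per-record DEK under the organisation's KEK; only ct and
// wrappedDEK are handed to the cloud store, the KEK never is.
func Encrypt(kek, record []byte) (ct, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	if ct, err = seal(dek, record); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(kek, dek)
	return ct, wrappedDEK, err
}
// Decrypt unwraps the DEK with the organisation's KEK, then opens the record.
func Decrypt(kek, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ct)
}
```

Rotating the KEK then means re-wrapping the small DEKs, not re-encrypting every record, which is what makes centralised key management across several clouds tractable.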
Taking responsibility seriously
Encrypting data across an infrastructure does not need to be complicated, but regardless of the technology, companies need to start taking their responsibilities more seriously. We all know an email address is as useful to a hacker as a username and password, so any personally identifiable customer data should be encrypted at source. EU GDPR is focusing the minds of companies, but implementing the technology alone is not enough; you have to choose to encrypt the right data, and that means having the right proactive attitude towards protecting the real owners of that data: your customers and partners.
Luke Brown, vice president of EMEA, WinMagic