Tue, Aug 7, 2018

Data Breach Fatigue - Is There a Positive Outcome in Sight?

First came the shock, then the fear, followed almost inevitably by an outburst of recrimination and the formation of a committee of inquiry. Singapore’s largest ever data breach has set in train a series of responses. Sadly, the initial shock is the only one that surprises cyber security experts.

It may be natural that those who, like myself, spend their working hours advising companies on data security breaches are the least surprised that these thefts are still happening – even when they are on the monumental scale of the cyber-heist at SingHealth.

But although this breach has been the biggest, it can hardly be regarded as the only attack to impact Singaporeans’ faith in the safety of their stored information. Even the most casually concerned amongst them will have heard that cybercrime has long been able to breach not just the flimsy stockades of the under-resourced, but the defences of the globe’s greatest citadels of state and commerce.

This really does affect almost every level of interaction. Our 10th edition of the Kroll Global Fraud & Risk Report released earlier this year showed that 86% of surveyed executives said that their company experienced a cyber incident or information/data theft, loss, or attack in the last twelve months.

To recognise this reality is not to complacently suggest that since not everything can be done, not anything can be done. Rather it is to restate the proposition that accepting the scale of the problem is an important step towards adopting more successful strategies. 

Whether as consumers or companies, there is much we can all do to make life more difficult for the hackers and we do not have to wait for a clearer understanding of how the SingHealth heist was pulled off to bring this shift about.

It is true that most consumers have got a lot wiser in avoiding the most basic pitfalls: unhesitatingly complying with unsolicited emails demanding they re-enter personal information in order to unlock accounts; believing that ‘password’ is a secure password; or, in response to more old-fashioned security prompts, entering ‘blue’ as their favourite colour or assuming that no hacker might reasonably guess the team they support is called ‘Manchester United.’

But most of us have not migrated to the next step, which is to ask not just what we can do to protect ourselves but what companies can do to better protect us. It is a mistake to assume that customers are helpless in being able to nudge corporate behaviour in this way.

Getting clearer statements about how data is secured is the first step. Until relatively recently, companies generally assumed this was information about which their customers did not need to trouble themselves (usually a sign that the senior managers of the companies did not trouble themselves about it either). 

But thanks to successive revelations about the commercial as well as political misuse of personal data, those who store it are increasingly forced towards accountability. Compare the data usage information Facebook supplied as standard to its users before and after the Cambridge Analytica scandal if you want evidence that the shift has begun. 

Of greater significance, it has forced Mark Zuckerberg to devote more of his energies to data security and less to data mining. Facebook’s share price may currently be making some concessions to gravity, but this reprioritising of its senior management’s time might actually be what one day saves it from a terminal fail.

For all this, the effect of public inquisition will not, of itself, prove sufficient. In Europe the regulatory change embodied by the GDPR has forced companies to put information security plans in place where previously they were absent. It has also forced companies to critically review the types of personal data that they collect, how it is classified and secured, and for how long and where they store it. This has been a chore for many businesses, but a necessary one all the same. 

Across Asia regulatory responses vary. In Singapore, the Personal Data Protection Act (PDPA) creates important safeguards, but it recommends rather than obliges impacted organisations to notify their customers of a data breach.

The Implementing Rules and Regulations (IRR) of the Philippines Data Privacy Act (DPA) have gone further and created a legal obligation on a data controller in certain situations to notify the National Privacy Commission - as well as the individual(s) concerned - of a breach of sensitive personal data. It is an obligation that focuses minds to the task of preventing it in the first place.

Whichever path Singaporean law-makers prefer, the combined effect of encouraging greater pressure from a discerning public and tough obligatory rules provides the best incentive for organisations to put the imperative of cyber security at the heart of everything they do.

Data insecurity now threatens business viability outright. Effectively mitigating the risk requires stress-testing exercises by third-party, best-in-class experts who can be hired to test and locate weak spots in IT systems that in-house technicians commonly miss. And it particularly requires management-level oversight.

Data security is businesses’ Achilles heel. The rest of the corporate armour is useless without its proper protection.

This article originally appeared at The Business Times.