GDPR/NIS Directive Fines… it forces those who don’t do anything to at least do something?

Did you know that I recently informed — a few months ago — the Chair of the Board of a significant organisation that there was a major security risk on their infrastructure, and that it would put citizens’ data at major risk? I am still waiting for a reply. I thus still believe that some executives do not take Cyber Security seriously, and just want to sweep it away because it is too technical for them. So is there an increasing tension between the CEO and the CTO?

A chat

So a CTO and CEO are glaring at each other over the board room table for the new EU regulations on security …

“Go do it!”, says the CEO,

“It’s not that easy, we need more investment!”, says the CTO,

CEO: “But will we sell more?” … CTO: “No, but it’ll stop us from being pin-pointed!”,

CEO: “I don’t understand!!” … CTO: “The auditors won’t be happy!!”

Silence.

CEO: “I still don’t understand!! Who cares about our auditors. Just show them all that paperwork that I paid your team to produce!!!”, …

CTO: “Well, we’ll be fined £17 million and our customers and shareholders won’t be happy! And, when we are breached, you will have to go on Sky TV and explain that you didn’t invest in the security that I asked for!”

“Okay, go ahead!”, says the CEO. Smiles all round.

“I know”, says the CEO, “let’s re-write the contracts for all our partners so that they say …”

“In order to accept this work, they must confirm that, if they are shown to be responsible for any computer security breach, they will be liable for all the fines levied under GDPR and NIS, and that their company will take full responsibility for handling the event, including our costs in media coverage, investigation and future costs to our company.” …. “and then we will sub-contract to lots of small businesses, and make them responsible for any security problem that we have.”

“You know, you’re a genius”, says the CTO, as he hands in his resignation and leaves.

Introduction

I must admit that, with both GDPR on data protection and the NIS Directive on critical infrastructure coming along [here], I wouldn’t want to be the CEO of a large company just now. With GDPR fines of up to 4% of global turnover (or €20 million, whichever is greater), NIS fines of up to £17 million in the UK, and a whole pack of broadcast media organisations waiting for those first few breaches, it must be leading to a good deal of sleepless nights for business leaders.

So to make them sleep a little better, here is my napkin list:

  • Employ a security person/team.
  • Understand and identify risks.
  • Implement security controls to address the risks.
  • Monitor controls.
  • Respond to incidents.
  • Continually evaluate and refine.
  • Write things down — policies, risk register, security log, etc.

We perhaps need more debate, and a stronger shared understanding of what standards exist, so that we can define when a company has been negligent and when it has just been unfortunate. While industry pushes models and many people push their opinions, let’s look at peer-reviewed academic work [here]:

Why do it?

The most interesting thing about the paper is that it argues both sides of the debate on whether regulations and fines actually help or hinder business processes and the protection of customer data.

The paper outlines that Romanosky found a 6.1% reduction in data compromises when organisations implemented new regulations. Verizon also found, in a small survey, that PCI DSS compliant organisations were 50% less likely to be attacked, and that 69% of consumers would be less inclined to engage with a business after a data breach.

Overall they focus on the main laws and regulations that exist within regulated areas such as finance and health: the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA).

While they see the positive signs of laws and regulations, they give the example of the TJX Corporation data breach of 20 million records, where there was compliance with only 3 of the 12 PCI requirements (encryption, access controls, and firewalls). With the OPM (Office of Personnel Management) compromise, there were two major breaches, and systems often failed to comply with regulatory requirements.

With Home Depot, the company was compliant, but many argue that it exploited a loophole in the PCI DSS regulations, and that it used out-of-date software and had inadequate security policies. It also started to encrypt customer data in April 2014 but did not fully roll this out until September 2014, by which time it had already been hacked and millions of credit card details had been compromised.

They argue that HIPAA provides a good example of a regulation which was weak in its implementation, with too many exceptions for organisations and a poor implementation timeline. In health care, it can be seen that HIPAA has had little effect in reducing data breaches.

The paper outlines that governments and courts aim to discourage a laissez-faire attitude to security, and that regulation works on contractual arrangements through: asymmetric information; bounded rationality; the judgement-proof problem; commitment problems; and influencing tastes. An interesting quote from the paper is:

it forces those who don’t do anything to at least do something

The authors quote Verizon’s estimate that only 20% of businesses are PCI compliant, and note that there is a suggested link between non-compliance and susceptibility to data breaches, but that compliance is no guarantee of safety. They also note that Verizon found that every company it examined after a data breach was not fully compliant.

Controls

For PCI DSS, the 12 basic requirements are [1]:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied default passwords and settings.
  3. Protect stored cardholder data (encrypt stored data).
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

The Federal Information Security Management Act (FISMA) provides the framework for protecting federal systems, and NIST supports it with Federal Information Processing Standard (FIPS) 199 for security categorisation and FIPS 200 for minimum security requirements, which cover seventeen areas of controls [1]:

  1. access control;
  2. awareness and training;
  3. audit and accountability;
  4. certification, accreditation, and security assessments;
  5. configuration management;
  6. contingency planning;
  7. identification and authentication;
  8. incident response;
  9. maintenance;
  10. media protection;
  11. physical and environmental protection;
  12. planning;
  13. personnel security;
  14. risk assessment;
  15. systems and services acquisition;
  16. system and communications protection; and
  17. system and information integrity.

The Gramm-Leach-Bliley Act of 1999 defines safeguards to protect the security, confidentiality, and integrity of customer information. The guidelines define [1]:

  1. Designate a team for security practices.
  2. Identify reasonably foreseeable internal and external risks to the security and put in place safeguards.
  3. Design and implement information safeguards which focus on risks, and regularly test and evaluate them.
  4. Oversee service providers and assess their security practices.
  5. Evaluate and refine security practices based on evidence.

For those in health care, the HIPAA guidelines define [1]:

  1. Assess current security, risks, and gaps
  2. Develop an implementation plan by reading the security rule, reviewing the addressable implementation specifications and determining the security measures.
  3. Implement the solutions.
  4. Document the decisions made.
  5. Reassess periodically.

Conclusion

I love the quote …

“it forces those who don’t do anything to at least do something”

… and, as a minimum, that’s probably the best thing that you can get out of more fines and regulations. But I worry that the broadcast media still does not know what “good” looks like, and that, on the first signs of a breach, they will be going after companies who have good practices. I also worry that auditors might not have the full skill set to understand cloud infrastructures, encryption and multi-factor authentication, and that there will still be a gap between “what we propose” and “what we implement”.

References

[1] Would Increased Regulation Reduce the Number of Information Breaches? Available from: https://www.researchgate.net/publication/290816688_Would_Increased_Regulation_Reduce_the_Number_of_Information_Breaches [accessed Aug 9, 2017].