The c-words that curse data breaches

Behind every security failing are the same recurring themes that companies large and small need to address, says Alan Calder
Written by Alan Calder, Contributor

It's astonishing how often the same failings crop up in the context of data breaches. So what's at the root of the problem, asks Alan Calder.

In terms of data security, you might think that cyberattack is the dominant threat. But a bigger problem can permeate an entire organisation long before an attack begins: complacency.

C-words seem to abound in the spate of successful cyberattacks this year. Credit cards. Compromise. Crime. Crisis. Compensation. However, words such as caution and compliance are sadly absent from the list.

How can any company possibly allow customers' personal data — from names and addresses to credit card numbers — to be compromised in a security breach? Any answer must surely begin with complacency.

Why are companies storing credit card numbers anyway? The Payment Card Industry Data Security Standard (PCI DSS) requires that payment card numbers are never stored without a good business reason, and even then must be hashed in the database to be unreadable.
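To make "hashed in the database to be unreadable" concrete, the following is an added example (not from the article or from the PCI standard itself): only a truncated card number and a keyed hash (HMAC-SHA256) of the full number are kept, so a merchant can recognise a returning card without holding the number. A plain unkeyed hash is a weak control here, because a 16-digit number is a small input space; the demo key and record layout are assumptions made for this illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key. In a real deployment the key lives in an HSM or key
# vault and is rotated under a key-management process; it is never in source.
DEMO_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class CardRecord:
    masked_pan: str  # first six and last four digits only (truncation)
    pan_hmac: str    # keyed hash of the full PAN; allows matching, not recovery


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before it is ever written anywhere."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def render_unreadable(pan: str, key: bytes = DEMO_KEY) -> CardRecord:
    """Produce the only two card-derived values that go into the database."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return CardRecord(masked_pan=masked, pan_hmac=digest)


def matches(record: CardRecord, candidate_pan: str, key: bytes = DEMO_KEY) -> bool:
    """Returning-customer lookup: recompute the keyed hash, compare in constant time."""
    candidate = hmac.new(key, candidate_pan.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(record.pan_hmac, candidate)


def contains_plaintext_pan(record: CardRecord, pan: str) -> bool:
    """Storage check a reviewer can run: the full PAN must not be persisted."""
    return pan in record.masked_pan or pan in record.pan_hmac
```

Without the key, the stored hash is of no use to someone who copies the database; with the key held separately, the merchant can still link repeat transactions to the same card.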

Pressured into PCI DSS compliance

Any organisation that processes, transmits or stores payment card data must comply with the PCI DSS. So what has been going wrong? Every day, we see small e-commerce businesses with tight budgets being pressured into PCI DSS compliance by their acquiring banks — the financial institutions that accept credit-card payments for a merchant.

Do some businesses consider themselves too big to worry about complying? There is no justification for ignoring the PCI DSS and there are no excuses for failing to train staff.

However, even a standard as rigorous as PCI DSS only offers limited protection in isolation. Effective security depends on establishing a comprehensive and interconnected defence strategy.

A good place to start is the ISO27001 security management standard, which complements PCI DSS. The standard represents international best practice for any organisation seeking a structured framework to address cyber risks. Any organisation that handles customers' personal data, but is not compliant with ISO27001, is displaying overt negligence.

However, every organisation should remember that ISO27001 certification, like PCI DSS compliance, does not equate to invincible security. ISO27001 is simply a management system that, effectively deployed, improves an organisation's information security and resilience. New threats are constantly evolving. So defences need to constantly evolve too. There is no room for complacency.

Risks of ignoring security frameworks

Equally, do not make the mistake of assuming your company is too small to find any value in an ISO27001-compliant structured framework, or that you can justifiably make a management decision to take the risk and suffer the consequences.

No business operates in isolation. Other companies will scrutinise your processes too. Enlightened organisations will want to know their supply chain and other business partners are resilient against cyberattack. Many companies will insist ISO27001 is implemented and independently verified before entering into deals with partners.

New regulations in India, for example, make accredited certification to ISO27001 the default means for organisations to demonstrate compliance with data protection laws. Other countries are sure to follow India's lead. Failure to meet the required standards could cost you major contracts.

Organisations strengthening their information and communications infrastructure should also be implementing UK standards for business continuity and resilience — BS25999, ISO27031 and ISO24762.

In the current economic climate, many companies are inevitably focusing on maximising revenues in the short term, controlling overheads and managing cashflow. Unless you focus on computer and data security too, though, you are placing your entire business at risk.

IT security improvement programme

No organisation should delay in implementing an IT security improvement programme. If you are not really sure if your business is as secure as possible, there is every chance you are actually far short of the requirements.

Let us end where we began, with another c-word — cost. It takes a long time before a company can truly comprehend the cost of a security breach. Immediate loss of revenue through service shutdown, alongside compensation packages, will only represent part of the impact.

The ultimate cost of complacency, in long-term brand and reputational damage, could be enormous. Every company and organisation must be aware of the dangers of computer crime. The threats are real — and if you are not properly prepared, you could be tomorrow's victim.

Alan Calder is chief executive of information security training and consultancy IT Governance. He is a leading author on information security and IT governance issues and an authority on ISO27001, formerly BS7799, the international security standard, about which he has co-written with Steve Watkins the compliance guide, IT Governance: A Manager's Guide to Data Security and ISO27001/ISO27002.