There are over 100 pages in the Data Protection Commissioner’s Annual Report for 2019. As a security professional you do not have to read them all, but it makes good sense to, as it is important that you understand data protection and appreciate the challenges involved in protecting personal data.
The key section for information security professionals starts on Page 34 – Breaches. Last year’s DPC report covered May to December and had 3,687 notifications. This year, there were over six thousand notifications in the full calendar year. The breaches section, which is only 3 pages long, gives a good insight into where the weaknesses are in Information Security programmes across the country. Breakdowns in basic security controls again make up the majority of the breaches. These categories should form the baseline of your 2020 programme of work.
Updating my review of the 2018 report, here is the table of breaches broken down into the relevant categories. Unfortunately, the additional commentary on the security programme weaknesses that can be addressed is a repeat of last year’s:
| Breach Category | Public | Private | 2019 Jan – Dec | 2018 May – Dec | Security Programme Weakness |
|---|---|---|---|---|---|
| Unauthorised Disclosure (such as 3rd party access, improper disposal) | 1,939 | 3,249 | 5,188 | 3,134 | |
| Paper lost or stolen | 205 | 140 | 345 | 196 | |
| Hacking | 10 | 98 | 108 | 116 | |
| Phishing | 23 | 138 | 161 | 107 | |
| Encrypted device lost/stolen | 27 | 14 | 41 | 42 | |
| Malware | 2 | 22 | 24 | 32 | |
| Unencrypted device lost or stolen | 30 | 16 | 46 | 30 | |
| Inappropriate paper disposal | 24 | 20 | 44 | 30 | |
| Unauthorised access (was part of Unauthorised Disclosure in the 2018 report) | 64 | 67 | 131 | New | |
| Unintended online publication | 41 | 44 | 85 | New | |
| System misconfiguration | 10 | 43 | 53 | New | |
| Ransomware/denial of service | 0 | 17 | 17 | New | |
| Software development vulnerability | 0 | 13 | 13 | New | |
| E-waste (personal data present on an obsolete device) | 1 | 0 | 1 | New | |
The last six categories are new to the DPC report and provide great insight into the analysis being undertaken by the DPC team. This detailed categorisation allows organisations to identify where their risks may be.
Of significant concern is the new “Unauthorised access” category with 131 breach notifications. This was part of the “Disclosure unauthorised” value in 2018 and is now significant enough to warrant its own category.
Addressing Security Basics
Based on the figures available, it appears that organisations are not doing the basics, as all categories increased. Of course, this could be due to the fact that this year’s report is based on a full year, and organisations and individuals may be reporting more. But that still does not excuse the failure to carry out the security basics that would help reduce breach notifications.
The following security practices may not guarantee a reduction in notifications, but they will improve your chances of not becoming the victim of a security incident:
- Asset management – know all your assets and where they connect to the network
- Email Filtering – reduce the chance of successful phishing attacks by reducing the chance of the email getting to the user’s inbox. Content filtering will also help
- Awareness – select a suitable topic but more importantly select a suitable delivery method. Dull email communications will not attract any attention from your staff – make the message interesting, make the delivery method outstanding
- Perimeter protection – identify your boundary (it can be quite fluid and large) and place your protection at the appropriate entry/exit points. Firewalls and IDS/IPS are among the tools that should be in place and maintained
- Configuration Management – establish the baseline for all your key asset categories. Only approved changes should be made to ensure the asset remains secure.
- Patch Management – following on from a secure baseline is your patch management process. Develop an appropriate one for your organisation and then implement it.
All experienced security professionals know these and all new security team members should learn them. Furthermore, all seasoned security professionals should promote their use and persuade the Board/Senior Management of their importance.
This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.