There are over 100 pages in the Data Protection Commissioner’s Annual Report for 2019. As a security professional you do not have to read them all, but it makes good sense to: it is important that you understand data protection and appreciate the challenges involved in protecting personal data.

The key section for information security professionals starts on Page 34 – Breaches. Last year’s DPC report covered May to December and had 3,687 notifications. This year there were over six thousand notifications in the full calendar year. The breaches section, which is only 3 pages long, gives a good insight into where the weaknesses are in information security programmes across the country. The breakdown of basic security controls again accounts for the majority of the breaches. These categories should form the baseline of your 2020 programme of work.

Updating my review of the 2018 report, here is the table of breaches broken down into the relevant categories. Unfortunately, the additional commentary on the security programme weaknesses that can be addressed is largely a repeat of last year’s:

Breach Category | Public | Private | 2019 Jan – Dec | 2018 May – Dec | Security Programme Weakness (bulleted under each category)

Unauthorised Disclosure (such as 3rd party access, improper disposal)
  Public: 1,939 | Private: 3,249 | 2019 Jan – Dec: 5,188 | 2018 May – Dec: 3,134
  • User access governance, permission management and lack of access reviews
  • Appropriately functioning disposal procedures
  • Technical controls such as external transferring from scanning devices or email address autocomplete

Paper lost or stolen
  Public: 205 | Private: 140 | 2019 Jan – Dec: 345 | 2018 May – Dec: 196
  • Poor physical security such as no lockable cabinets
  • Awareness of information handling requirements

Hacking
  Public: 10 | Private: 98 | 2019 Jan – Dec: 108 | 2018 May – Dec: 116
  • Absent or improperly configured IDS/IPS
  • Poorly managed firewalls

Phishing
  Public: 23 | Private: 138 | 2019 Jan – Dec: 161 | 2018 May – Dec: 107
  • Users not able to spot and handle suspicious emails
  • Poorly configured email gateway filtering

Encrypted device lost/stolen
  Public: 27 | Private: 14 | 2019 Jan – Dec: 41 | 2018 May – Dec: 42
  • Lack of user knowledge on device protection

Malware
  Public: 2 | Private: 22 | 2019 Jan – Dec: 24 | 2018 May – Dec: 32
  • Poorly managed firewalls
  • No or misconfigured anti-virus protection

Unencrypted device lost or stolen
  Public: 30 | Private: 16 | 2019 Jan – Dec: 46 | 2018 May – Dec: 30
  • Inappropriate device baseline build
  • Lack of user knowledge on device protection

Inappropriate paper disposal
  Public: 24 | Private: 20 | 2019 Jan – Dec: 44 | 2018 May – Dec: 30
  • Lack of appropriate disposal services or devices such as shredders

Unauthorised access (was part of Unauthorised Disclosure in the 2018 report)
  Public: 64 | Private: 67 | 2019 Jan – Dec: 131 | 2018 May – Dec: New
  • User access governance, permission management and lack of access reviews
  • Accurate and timely user activity logging, alerts and monitoring

Unintended online publication
  Public: 41 | Private: 44 | 2019 Jan – Dec: 85 | 2018 May – Dec: New
  • Content management procedures
  • Approval process
  • Configuration weaknesses

System misconfiguration
  Public: 10 | Private: 43 | 2019 Jan – Dec: 53 | 2018 May – Dec: New
  • Poor change management
  • Security not being part of the SDLC

Ransomware/denial of service
  Public: 0 | Private: 17 | 2019 Jan – Dec: 17 | 2018 May – Dec: New
  • Poor approach to the AV programme, IPS/IDS, email filtering, network management, staff awareness and patch management

Software development vulnerability
  Public: 0 | Private: 13 | 2019 Jan – Dec: 13 | 2018 May – Dec: New
  • Security not being part of the SDLC, regardless of the approach taken (traditional v agile)

E-waste (personal data present on an obsolete device)
  Public: 1 | Private: 0 | 2019 Jan – Dec: 1 | 2018 May – Dec: New
  • Asset disposal process weakness

The last six categories are new to the DPC report and provide great insight into the analysis being undertaken by the DPC team. This detailed categorisation allows organisations to identify where their risks may be.

Of significant concern is the new “Unauthorised access” category with 131 breach notifications. This was part of the “Disclosure unauthorised” value in 2018 and is now significant enough to warrant its own category.

Addressing Security Basics

Based on the figures available, it appears that organisations are not doing the basics, as all categories increased. Of course, this could be because this year’s report covers a full year and organisations and individuals may be reporting more. But that still does not excuse the security basics that have not been undertaken to try to reduce the breach notifications.
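To weigh the full-year 2019 figures against the eight-month 2018 window on a like-for-like basis, here is an added Python script (mine, not from the DPC report) that normalises each category in the table above to a monthly rate, ranks categories by the change in that rate, and cross-checks the headline totals (3,687 for 2018 and just over six thousand for 2019). It assumes notifications are spread evenly across each reporting window, and it shortens the category labels.

```python
from dataclasses import dataclass
from typing import Optional
# Counts copied from the table above as (2019 Public, 2019 Private, 2018 May-Dec total);
# the 2018 entry is None for the six categories that are new in the 2019 report.
BREACHES = {
    "Unauthorised Disclosure": (1939, 3249, 3134),
    "Paper lost or stolen": (205, 140, 196),
    "Hacking": (10, 98, 116),
    "Phishing": (23, 138, 107),
    "Encrypted device lost/stolen": (27, 14, 42),
    "Malware": (2, 22, 32),
    "Unencrypted device lost or stolen": (30, 16, 30),
    "Inappropriate paper disposal": (24, 20, 30),
    "Unauthorised access": (64, 67, None),
    "Unintended online publication": (41, 44, None),
    "System misconfiguration": (10, 43, None),
    "Ransomware/denial of service": (0, 17, None),
    "Software development Vulnerability": (0, 13, None),
    "E-waste": (1, 0, None),
}
MONTHS_2019 = 12  # Jan - Dec
MONTHS_2018 = 8   # May - Dec: the 2018 report covered only eight months

@dataclass
class CategoryTrend:
    category: str
    total_2019: int
    per_month_2019: float
    per_month_2018: Optional[float]
    change_pct: Optional[float]  # None when there is no 2018 figure to compare

def trend(category):
    """Monthly rate in each reporting window and the percentage change between them."""
    public, private, prev = BREACHES[category]
    total = public + private
    rate_2019 = total / MONTHS_2019
    if prev is None:
        return CategoryTrend(category, total, rate_2019, None, None)
    rate_2018 = prev / MONTHS_2018
    change = (rate_2019 - rate_2018) / rate_2018 * 100
    return CategoryTrend(category, total, rate_2019, rate_2018, round(change, 1))

def all_trends():
    """Every category, steepest monthly-rate rise first; new categories last."""
    rows = [trend(c) for c in BREACHES]
    return sorted(rows, key=lambda r: (r.change_pct is None, -(r.change_pct or 0)))

def total_notifications(year):
    """Headline totals from the table: 6,257 for 2019 and 3,687 for 2018."""
    return sum((p + q) if year == 2019 else (prev or 0) for p, q, prev in BREACHES.values())
```

Running `all_trends()` shows that on a monthly basis the paper-loss and unauthorised-disclosure categories rose the most, while several of the smaller technical categories fell against 2018.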

The following security practices may not guarantee a reduction in the notifications, but will improve your chances of not being a victim of a security incident:

  • Asset management – know all your assets and where they connect to the network.
  • Email filtering – reduce the chance of successful phishing attacks by reducing the chance of the email reaching the user’s inbox. Content filtering will also help.
  • Awareness – select a suitable topic but, more importantly, select a suitable delivery method. Dull email communications will not attract any attention from your staff – make the message interesting and make the delivery method outstanding.
  • Perimeter protection – identify your boundary (it can be quite fluid and large) and place your protection at the appropriate entry/exit points. Firewalls and IDS/IPS are among the tools that should be in place and maintained.
  • Configuration management – establish the baseline for all your key asset categories. Only approved changes should be made, to ensure the asset remains secure.
  • Patch management – following on from a secure baseline is your patch management process. Develop one appropriate to your organisation and then implement it.

All experienced security professionals know these and all new security team members should learn them. Furthermore, all seasoned security professionals should promote their use and persuade the Board/Senior Management of their importance.

This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.