Special Edition Blog: What the First Annual DPC Report Says About Information Security

“Patches to be completed by the weekend, a live security incident to handle, policy refresh underway, resourcing challenges, internal risk and audit breathing down my neck. And now the Data Protection Commission (DPC) issues their 2018 Report highlighting the developments, challenges and issues over the seven months from the GDPR day to New Year’s Eve encouraging the board, CEO and C-suite to ask even more questions because they read one of the many blogs, reviews, tweets or info graphs and expect answers. Tomorrow!!” - Diary excerpt from an Information Security Officer.

Does that excerpt look a little familiar? If you’re an organisation’s Information Security (IS), IT or cyber security lead, then I’m not surprised.

“Organisations should continuously evaluate their technical and organisational security position and should refine their technical and organisational measures in accordance with the risk”

DPC 2018 Report

The Data Protection Commission (DPC) released the first of what will be many annual reports – the 2018 edition. I hope that you’ve taken the time to read the report. Seriously, you should. All of it.

It’s not just for Data Protection Officers and data protection teams. It provides clear pointers as to why IS programme shortcomings have led to a 27 percent increase in reported and valid data protection breaches.

Yes – reporting breaches is now a mandatory action and the frequency of those incidents were probably at a similar level to years’ past but not being reported, yet the overall figure still remains high. Too high.

As you read further on, you’ll see that a considerable number of these breaches were avoidable. We should all be working to reduce the 3,400 breaches that were reported over seven months to a much lower figure.

I’ve read the 2018 report from the DPC. Not only is it an excellent, concise report and an easy read, it communicates its message very well. I believe that as security professionals, the sections around Page 38 are key. The question is: why do I see them as valuable?

I consider myself a security professional with data protection tendencies or a data protection specialist with security tendencies. My experiences have allowed me to take a holistic approach to information governance and how to secure data as it travels through the organisation, from its source of origin to disposal. Security and data protection are entwined, and to benefit your organisation they should work closely together.

The key points of the DPC’s 2018 report

The data provided on Page 38 is both interesting and worrying for IS professionals. Below is the table and with additional commentary on security programme weaknesses that can be addressed:

Breach Category

Public

Private

Total

Security Programme Weakness

Unauthorised Disclosure (such as 3rd party access, improper disposal, unauthorised access)

1064

2070

3134

- User access governance permission management and lack of access review
- Appropriately functioning disposal procedures
- Technical controls such as external transferring from scanning devices or email address autocomplete

Paper lost or stolen

110

86

196

- Poor physical security such as no lockable cabinets
- Awareness of information handling requirements

Hacking

14

102

116

- Absent or improperly configured IDS/IPS
- Poorly managed firewalls

Phishing

16

91

107

- Users not able to spot and handle suspicious emails

- Poorly configured email gateway filtering

Encrypted device lost/stolen

21

21

42

- Lack of user knowledge on device protection

Malware

5

27

32

- Poorly managed firewalls
- No or mis-configured Anti-Virus protection

Unencrypted device lost or stolen

13

17

30

- Inappropriate device baseline build

- Lack of user knowledge on device protection

Inappropriate paper disposal

15

15

30

- Lack of appropriate disposal services or devices such as shredders


The section after this table in the report provides several case studies of reported data security breaches. As an experienced security professional, I was disappointed to see that such basic security controls weren’t being followed. I previously wrote in my January blog about the first fines issued under GDPR and explained that these were basic security programme weaknesses where user access governance was not operating effectively.

We’re sometimes too quick to blame the user. The weakness is not the user. They are not the weakest link. The Security Programme is not operating correctly. In a recent Dark Reading blog, Ira Winkler, President at Secure Mentem, set out the convincing argument that users’ actions should be expected and the security programme should allow for this.

Improvements to make to your security programme

  • The DPC recommends that you:
  • Implement protective measures corresponding to the risk level.
  • Continuously evaluate your technical and operational security controls in accordance with the risk level.
  • Do not be over reliant on your 3rd parties to implement security controls.
  • Be comfortable with the risk your 3rd party controls present.
  • Be able to demonstrate to the DPC that such is satisfied.
  • Have Data Processing Agreements in place.
  • Continuously monitor 3rd party activity.

The GDPR article that is relevant to security professionals, states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Article 32.1)

Perhaps you are too distracted with the day-to-day pressures of operational activities or too close to the security programme to see the areas that could be enhanced for the benefit of your organisation, your employees and your customers.

I’m not aware of any recent empirical studies or evidence as to the global breakdown of data security breaches between sophisticated attacks and simple control breakdown. But it would appear in the DPC 2018 report, that it’s the simple control breakdown that is well ahead.

The actions you can take for your programme and to avoid becoming a case study in the 2019 DPC report include:

  1. Have (or refresh) a policy that clearly tells the user how to handle information assets.
  2. Obtain evidence that they have seen and read the policy.
  3. Design effective security controls.
  4. Objectively evaluate both the control design and monitor the controls effectiveness.
  5. Rinse and repeat.

Finally, complete the activities you can comfortably undertake and get help from IS professionals where you need help.

My regular monthly blogs will return towards the end of March with a different look at IS Risk Management.
New call-to-action
This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation – no two organisations are alike.