www.strategic-risk.eu
[ November 2011 ]
Data security
Protecting private data from prying eyes
poses some serious risk management
questions. Here are the answers
SPONSORED BY
DATA PROTECTION [ StrategicRISK Executive Report ]
Introduction & Contents
WELCOME

THE NUMBER AND COST OF DATA BREACHES APPEAR TO BE RISING EACH YEAR. WHILE US incidents and costs are fairly well documented, it is more difficult to gain a full picture of the situation in Europe, since notification of potentially affected customers is not mandatory in all countries for all types of companies. This may change, however, as the European Commission seeks to tighten and harmonise data privacy regulations.
The Commission's proposals are the result of the technological developments and the growth in globalisation that have taken place since the current Data Protection Directive was introduced. Not least among these is the growth in cloud computing, which poses some particular risk management challenges.
Handing over sensitive data to a third party inevitably carries risks. But these may be especially significant in view of the fact that the cloud is a relatively recent phenomenon. For example, it can be difficult to ascertain where data is stored in the virtual cloud environment, the robustness – or otherwise – of the cloud provider's security, and even in some cases whether the cloud provider is handling data in a lawful way. The traditional checks that companies run when outsourcing may be much harder to enforce.
The financial and reputational costs of a data breach can be enormous, and risk management plays a key role in minimising likelihood and potential losses. In addition to technological protections against system intrusions, more companies are finding the need to enforce controls to guard against internal risks.
Employees' actions – deliberate or unintentional – are one of the key causes of data breaches. For some risk managers, potential leaking of confidential information by employees on social networking sites is a particular concern. Companies are responding to the 'insider' risk by increasing awareness and in some cases establishing guidelines on social networking.
Should the worst happen, companies need to respond quickly and efficiently to minimise damage, which can include significant business interruption costs. Dealing with a data breach is becoming a crucial component when designing crisis management plans.
It is not surprising that today's increased focus on preserving data privacy has boosted interest in cyber risk insurance. In turn, some insurers have fine-tuned cover to meet companies' needs more precisely, for example covering the costs of forensic investigation into a suspected incident and offering panels of experts to help handle breach responses.
Patrick Pouillot, IT underwriting manager for continental Europe, ACE

CONTENTS
2 | A new direction for data
How is the European Commission planning on tightening its data laws?
4 | Past breaches, future trends
Data breaches do not discriminate when it comes to company size or influence
6 | Taking control of the cloud
Cloud computing is an attractive concept, but it's not without its risks
8 | Prevention and cure
Practical advice on preventing and dealing with data breaches
10 | Security service
More brokers are fine-tuning insurance to cater for data breaches, so there's no excuse for not being covered
12 | First line of defence
Learning from others' strategies and experiences can provide a formidable defence

Editor Nathan Skinner
Editor-in-chief Sue Copeman
Market analyst Andrew Leslie
Group production editor Áine Kelly
Deputy chief sub-editor Laura Sharp
Business development manager Donna Penfold, tel: +44 (0)20 7618 3426
Production designer Nikki Easton
Group production manager Tricia McBride
Senior production controller Gareth Kime
Head of events Debbie Kidman
Events logistics manager Katherine Ball
Publisher William Sanders, tel: +44 (0)20 7618 3452
Managing director Tim Whitehouse
To email anyone at Newsquest Specialist Media, please use the following: firstname.surname@newsquestspecialistmedia.com
SPONSORED BY
www.strategic-risk.eu [ 2011 ] StrategicRISK Executive Report 1
A new direction for data

As ever more of our personal information becomes globally available on online networks, the European Commission is working to tighten its data protection laws

KEY POINTS
01: Rapid technological changes mean that new legislation in the area is inevitable.
02: Major challenges to EU-wide legislation include lack of harmonisation and increased outsourcing.
03: The USA has already implemented proposed EU laws in the form of mandatory notifications for data breaches.
04: The public is largely aware of its rights to request, view and contest personal information.
05: Penalties for failing to observe data privacy laws can be severe.

THE EU DATA PROTECTION DIRECTIVE is currently under review. The European Commission believes that reforms are essential to bring the rules into line with the rapid technological changes that have been – and are – taking place. Increased data security is pivotal to the new legislation.
In November 2010, the Commission published its approach to personal data protection in the EU. This was centred on the fact that rapid technological developments and globalisation have profoundly changed the world and brought new challenges.
The Commission says that technology today allows individuals to share information about their behaviour and preferences easily and make it publicly and globally available on an unprecedented scale, citing the example of social networking sites "with hundreds of millions of members spread across the globe".
Cloud computing could also pose challenges to data protection, as it may involve the loss of individuals' control over their potentially sensitive information when they store data with programmes hosted on someone else's hardware.
At the same time, ways of collecting personal data have become increasingly elaborate and less easily detectable, the Commission has warned. For example, sophisticated tools allow economic operators to better target individuals thanks to the monitoring of their behaviour. And the growing use of geo-location devices and procedures allowing automatic data collection, such as electronic transport ticketing and road toll collecting, make it easier to determine the location of individuals.
Public authorities also use more and more personal data for purposes such as tracing individuals in the event of an outbreak of a communicable disease, preventing and fighting terrorism and crime, and so on.

Keeping up
While the Commission's research and consultation processes confirmed that the core principles of the current directive are still valid, they also identified new challenges for future legislation to address:
• The need to clarify and specify the application of data protection principles to new technologies, in order to ensure that individuals' personal data is effectively protected, whatever the technology used to process their data, and that data controllers are fully aware of the implications of new technologies on data protection.
• The lack of sufficient harmonisation between member states' legislation on data protection, in spite of a common EU legal framework. Stakeholders stress the need to increase legal certainty, lessen the administrative burden and ensure a level playing field for economic operators and other data controllers.
• The increased outsourcing of processing, very often outside the EU, which raises several problems in relation to the law that applies to the processing and the allocation of associated responsibility. Many organisations consider that current schemes for international data transfers are not entirely satisfactory and need to be reviewed and streamlined to make them simpler and less burdensome.
• Consensus among stakeholders that data protection authorities' roles need strengthening to ensure better enforcement of data protection rules.
• The need for an overarching instrument applying to data processing operations in all sectors and policies of the EU to ensure an integrated approach as well as seamless, consistent and effective protection.
A number of EU commentators have stressed the aspects of the proposed changes that they consider most important.
European commissioner for justice, fundamental rights and citizenship Viviane Reding is leading the process of reform. She has expressed concern that personal data can easily be stored and then even more easily multiplied on the web – but it is not easy to wipe it out. She said that people need to be confident that the information they commit to the internet can be removed in the future – the so-called 'right to be forgotten' – particularly as social networks continue to store ever-increasing amounts of personal information.
Reding has also admitted that changes in legislation are likely to mean higher costs of compliance for businesses. But she believes that companies have specific responsibility because data is often their main economic asset – and "the cost of no action in the field of data protection is much higher than the cost of improving the rules".

'The cost of no action in the field of data protection is much higher than the cost of improving the rules'
Viviane Reding, European commissioner

Looking to the USA
The European data protection supervisor Peter Hustinx has called for the introduction of mandatory data breach notifications – a move that seems highly likely in the current data regulatory climate. US law firm Marshall Dennehey Warner Coleman & Goggin states that a recent speech by the UK's deputy information commissioner and director of data protection David Smith indicates that mandatory data breach notification requirements are inevitable. The EU has already moved some way on this with a new EU directive, amending the previous E-Privacy Directive, coming into effect in May 2011.
EU Directive 2009/136/EC requires providers of publicly available electronic communications services to notify relevant national authorities and, in some instances, affected individuals, of a personal data breach. Marshall Dennehey Warner Coleman & Goggin states that this directive's notification provisions are very similar to many of the existing state notification laws in the USA. For example, the directive:
• conditions individual notification requirements on a risk-of-harm standard;
• requires notification "without undue delay"; and
• defines "breach" in similar language to that commonly used in US notification laws.
The firm warns: "Considering these similarities, telecom companies operating in Europe will no doubt be looking to the notification compliance efforts of US companies that have successfully handled past breaches. While Directive 2009/136/EC does not explicitly provide for specific enforcement penalties comparable to the enforcement provisions of US notification laws, many EU member states have instituted fines and penalties for violations of laws enacted under the existing E-Privacy Directive. We expect to see similar fine and penalty provisions in the forthcoming breach notification laws enacted under Directive 2009/136/EC."
The penalties for failing to observe data privacy laws can be severe. Law firm Norton Rose says: "While the sanctions that organisations may face if they fail to comply vary from country to country, in developed economies sanctions range from criminal prosecution to fines levied by regulators. Regardless of the enforcement regime, for many organisations the damage caused by bad publicity resulting from a breach may dwarf any fine."
UK information commissioner Christopher Graham agrees. "Businesses need to show that they are taking data protection seriously. Failing to do so could not only lead to enforcement action, but to significant damage to their reputation." SR

CURRENT EU RULES
THE EU DATA PROTECTION DIRECTIVE (ALSO KNOWN AS Directive 95/46/EC) is designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. Key principles include:
> people whose data is being collected should be given notice of this,
> data collected should be used only for stated purpose(s) and for no others,
> organisations collecting personal data should not disclose or share this with third parties without consent from the subject(s) of the data,
> organisations must keep the personal data they collect safe and secure from potential abuse, theft, or loss,
> people whose personal data is being collected should be informed as to who is collecting that data,
> people should be given access to their personal data and allowed to correct any inaccuracies,
> people should be able to hold personal data collectors accountable for adhering to all of these principles.

INFORMATION COMMISSIONER REPORTS UK FAILINGS
MOST ORGANISATIONS IN THE PUBLIC and private sectors fail to understand the legal requirements for the storage of personal data, according to research from the UK Information Commissioner's Office (ICO) last year.
The ICO Annual Track 2010 found that just 48% of private and 60% of public sector organisations are aware of the need to store personal information securely. The research also found that just 14% of all organisations can identify the data protection principles unprompted, a fall of 8% on the same survey in 2007.
The survey did contain some good news. Around 90% of individuals have a clear understanding of their right to see information about them held by an organisation, up 15% since 2004. Some 84% know that they can request information from authorities through the Freedom of Information Act. Around 80% said that the Freedom of Information Act was "necessary", while 93% described the Data Protection Act in the same terms.
Information commissioner Christopher Graham explained that the importance individuals place on data protection should act as a warning to businesses. "Individuals are concerned about the collection and secure storage of their personal information. Ignoring data protection obligations is ignoring a key customer concern," he said.

EUROPE TAKES UK TO TASK
THE EUROPEAN COMMISSION IS bringing an action in the EU Court of Justice against the UK government over its alleged failure to fully implement rules relating to the confidentiality of electronic communications. The Commission says that existing UK laws do not comply because:
> the country does not have an independent national authority to supervise interception of some communications,
> UK law allows interception where the perpetrator has "reasonable grounds for believing" that consent has been given for this,
> prohibition of unlawful interception of data is limited to "intentional" interception only, whereas EU law requires that all member states prohibit and introduce sanctions against all unlawful interceptions, regardless of intent.

CLOUD STRATEGY NEEDED
EUROPEAN COMMISSION VICE-PRESIDENT RESPONSIBLE FOR the digital agenda Neelie Kroes believes that it is down to regulators and member states to make sure that citizens can trust in the security of cloud services. "The protection of personal data is a fundamental right in the EU, and this demands several actions." Kroes advocates cloud assurances that apply to all member states, and recommends new laws and codes of practice. Her remarks stem from the many grey areas associated with data security in the context of the cloud (see page 6). She explains that the Commission is working on a cloud computing strategy which needs the input of all EU authorities.
Past breaches, future trends

What types of companies are the most vulnerable to large expensive data security breaches? Incidents over the last 10 years or so may provide a guide

KEY POINTS
01: Data breaches are increasing in frequency and are costing businesses more every year.
02: Despite the costly risk to 'first timers', companies are more vigilant about system failures than data breaches.
03: The true picture remains unknown as notifications are not mandatory globally.

EARLIER THIS YEAR, JAPANESE company Sony suffered a massive data breach when hackers accessed personal information on 77 million PlayStation Network and Qriocity accounts. The company was forced to shut down its network for almost a month and has introduced a range of new security measures including an early warning system to alert it to any future attempt to penetrate the network.
This was one of the biggest data breaches to date and illustrates the vulnerability of companies conducting business online. However, generally outside of the USA and a few other countries where notification of consumers after a data breach is mandatory, information on breaches tends to be sketchy.
Since compulsory notification was introduced in the USA, there have been a vast number of incidents recorded. Many of these involve government and military facilities as well as healthcare providers and educational institutions. Not surprisingly, banks and credit card companies have also been targets. But any company that holds personal details on its customers may become a victim.
• In 2007, retail giant TJX revealed that hackers had stolen customers' credit and debit card information. Over 40 million records were affected and the attack is estimated by some security experts to have cost the company billions rather than millions of dollars.
• In 2009, Heartland Payment Systems announced that hackers had stolen information on the 100 million or so transactions that it processed each month for merchants – once again at a huge cost to the business.
• Demonstrating that even smaller organisations' systems are not safe from intrusion, the US grocery store Hannaford Brothers reported in 2008 that hackers had gained access to more than 4.2 million credit card transactions. According to InformationWeek, by the time the breach was revealed more than 1,800 of the credit card numbers had been used.
• While many major incidents involve organised crime, dishonest employees can also cause significant damage. In 2007, Certegy Check Services, a subsidiary of Fidelity National Information Service, estimated that an employee's theft of customer records and subsequent sale to a data broker affected 8.5 million customers.

Counting the costs
Most data breaches affect thousands rather than millions of records. The Ponemon Institute 2010 Annual Study: Cost of a Data Breach, sponsored by Symantec Corporation, examines the costs incurred by 51 US organisations after experiencing data breaches ranging from nearly 4,200 records to 105,000 records, from 15 different industry sectors.
Particularly interesting is the study's finding that, while more organisations favour rapid response to data breaches, a quick response generally adds to their costs. "In 2010, quick responders had a per-record cost of $268, up $49 (22%) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11%) from 2009," says the report.
The institute believes that this suggests that moving too quickly through the data breach process may cause cost inefficiencies for an organisation, especially during the detection, escalation and notification phases.
Another key finding is that, in 2010 for the first time, malicious or criminal attacks were the most expensive cause of data breaches and not the least common one. "The 2010 cost per compromised record of a data breach involving a malicious or criminal act averaged $318, up $103 (48%) from 2009 and the highest of any data breach cause this year. The huge increases reinforce the extreme danger hostile breaches pose."
But US organisations are more proactively protecting themselves from malicious attacks. And breaches due to systems failures, lost or stolen devices and third-party mistakes have reduced. Companies appear to be becoming more conscientious about preventing data breaches in the worsening threat environment.
The report also says that companies' investments in finding and remediating data breaches may be paying off by minimising the cost of lost business.

AVERAGE ORGANISATIONAL COST OF A DATA BREACH, 2008-10
Source: Symantec and Ponemon Institute
2008: $6,655,758
2009: $6,751,451
2010: $7,241,899

On the horizon?
Data security company Imperva has compiled 10 top security predictions for 2011 to help businesses protect themselves against the next onslaught of cyber security threats.
1. Nation-sponsored hacking and specifically targeted cyber attacks will incorporate concepts and techniques from the commercial hacker industry. But they will not be aimed at gaining financial advantage. For example, Stuxnet was focused on gaining control of crucial infrastructure. Companies with good security controls may be partially protected from advanced persistent threat (APT) attacks. But Imperva warns that, as APT is persistent, if a certain attack does not succeed, another one will come into play. "The traditional security controls do not deter these relentless, state-sponsored hacker organisations. For the enterprise as well as government, this means increasing monitoring of traffic and setting security controls across all organisation layers," it says.
2. There will be growing awareness of security incidents of an 'insider job' nature as a result of an increased flow of incident reports where data theft and security breaches are tied to employees and other insiders.
3. The sophistication of Man in the Browser (MitB) attacks will increase. While avoiding infection by proxy trojans is presumably the responsibility of consumers, MitB attacks are quickly becoming a concern of online service providers that need to be able to serve (and protect) customers who might be infected with malware.
4. Prominent social networks, and tools, will direct more efforts into security over privacy, reflecting an understanding of the real threats to the existence and proliferation of social networks. Security measures will provide improved protection against application layer attacks, stronger authentication and account control features, as well as better malware detection systems.
5. There will be a growing number of data breaches where compromised information is in the form of files rather than database records. Imperva says that, since each file is an autonomous entity with respect to content ownership and access control (contrary to a database record), maintaining control of who can access a file is almost impossible, as is keeping track of access to those files that contain sensitive information. "The inability to maintain control may result in excessive access privileges and an inadequate audit trail of access to sensitive information."
6. There will be more application security offerings in the cloud throughout 2011, and Imperva predicts some early data-security-in-the-cloud offerings. Challenges include maintaining bulletproof partitions between datasets of different customers and providing different levels of data security to applications sharing the same logical or physical platforms.
7. The proliferation of sophisticated mobile devices will have a substantial effect on application and data security, in particular as organisations struggle to accommodate the increase in number and variety of these devices while maintaining traditional data and application security practices. Imperva expects "exponential growth" in the number of incidents related to mobile devices in the next few years.
8. Security researchers will continue to look into hacker operations and will unearth the smaller or less diligent criminals. In general, the hacker industry will react by investing more resources in attack techniques and detection evasion. The hackers that cannot make this investment will go out of business. Other cyber-criminal organisations will 'buy out' other groups or merge their operations with others.
9. Cyber security will become a business process. "This means security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive," says Imperva.
10. There will be convergence of data security and privacy regulation worldwide. With companies finding the task of complying with multiple mandates across borders very difficult, governments are already beginning to define a common framework to make life easier for themselves and for enterprises housing data. SR

OVERALL TRENDS
The Ponemon Institute 2010 Annual Study: Cost of a Data Breach identified the following trends:
> Breach costs directly reflect IT security best practices and threat trends. Data breach costs more or less correlate directly with the presence or absence of major data breach causes (malicious attacks, for example) or data protection best practices (such as chief information security officer (CISO) leadership).
> Data breaches continue to cost organisations more every year.
> Customer turnover in direct response to breaches remains the main driver of data breach costs.
> Training and awareness programmes remain the most popular post-breach remedies, but encryption and other technologies are gaining fast.
> Breaches by third-party outsourcers are becoming slightly less common but much more expensive.
> Breaches involving lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat.
> Companies are more vigilant about preventing systems failures.
> Negligence remains the most common threat, and an increasingly expensive one.
> 'First timers' pay the highest breach costs because they often lack breach response experience that can help lower costs.
> To better manage data breaches and reduce breach costs, more companies are trusting their CISOs.
> Fewer organisations are using external consulting support, even though such support lowers data breach costs. Organisations in a rush to respond may not believe they have the time to bring in outside help to meet compliance requirements. This in turn could help explain the increase in popularity of relying on CISOs, as organisations can quickly leverage these internal resources and see similar cost benefits.
> More companies had better-than-average security postures, and those organisations enjoyed much lower data breach costs.
DATA PROTECTION [ StrategicRISK Report ]
Taking control of the cloud
With significant cost benefits, storing data in ‘the cloud’ is an attractive idea, but as a relatively
new concept and with no universal governance, it is not without its risks
KEY POINTS C LOUD COMPUTING CAN OFFER
significant cost benefits – but these may
come at a price. Director of information •
migrate from one provider to another or
bring data and services back in-house.
Isolation failure. Mechanisms
• Insecure or incomplete data deletion.
When a request to delete a cloud
resource is made, this may not result in
01: Storing data in security practice at PricewaterhouseCoopers separating storage, memory and routing true wiping of the data. Adequate or
the cloud poses a UK William Beer warns that cloud between different tenants could fail. timely deletion may also be impossible
variety of risks computing in its broadest terms presents • Compliance risks. Investment in (or undesirable from a customer
that many risk new areas of risk that a lot of organisations achieving certification (for example, perspective), either because extra copies
managers have have not completely come to grips with yet. industry standard or regulatory of data are stored but are not available,
not considered. “The main cloud providers have been requirements) may be put at risk by or because the disk to be destroyed also
02: Experts suggest focusing on things like scalability, migration to the cloud if the provider stores data from other clients.
transferring risk technology, flexibility and of course cost cannot evidence its own compliance • Malicious insider. While usually less
to cloud savings. There hasn’t really been much with the relevant requirements or does likely, the damage that may be caused
providers, but active discussion on information security.” not allow the customer to audit. by malicious insiders is o en far greater.
this cannot cover ACE European Group (UK) cyber • Management interface compromise. Cloud architectures necessitate certain
reputational underwriter Iain Ainslie summarises the Customer management interfaces of a roles that are extremely high-risk, for
damage or legal problem. “If your data is stored within your public cloud provider are accessible example system administrators.
implications. own building, with your own staff looking through the internet and mediate access
03: A lack of a er your servers, you have an element of to larger sets of resources (than ENISA says that it is o en possible, and
universally control. If that information is in the cloud, traditional hosting providers) and in some cases advisable, for the customer to
accepted you are relinquishing your control.” therefore pose an increased risk, transfer risk to the cloud provider. But a
standards and especially when combined with remote customer cannot transfer all risks, for
protocol creates Out of your hands access and web browser vulnerabilities. example serious damage to reputation or
a further Two years ago, when the EU’s European • Data protection. In some cases, it may legal implications. “Ultimately, you can
challenge. Network and Information Security Agency be difficult for the cloud customer in its outsource responsibility but you can’t
04: Moves are afoot (ENISA) looked at the benefits and risks role as data controller to effectively outsource accountability,” warns the agency.
to implement an associated with cloud computing as part of check the data-handling practices of the While Beer concedes that a lot of the
industry- its emerging and future risk programme, it cloud provider and thus to be sure that traditional approaches in terms of doing due
standard cloud identified the following major security risks: the data is handled in a lawful way. diligence can apply, he cautions that it can
certification
programme. • Loss of governance. In using cloud
05: Always check a infrastructures, the client necessarily MOVES TOWARDS CERTIFICATION?
cloud provider’s cedes control to the cloud provider on a
controls and number of issues that may affect THE CLOUD SECURITY ALLIANCE (CSA) OPENED ITS CERTIFICATE OF CLOUD SECURITY
standing. security. At the same time, service Knowledge (CCSK) for testing last year. Described as the industry’s first user certification
level agreements may not offer a programme for secure cloud computing, the CCSK is designed to ensure that a broad range
commitment to provide such services on of professionals with responsibility related to cloud computing have a demonstrated
the part of the cloud provider, thus awareness of the security threats and best practices for securing the cloud.
leaving a gap in security defences. CSA says that, as cloud computing is being aggressively adopted, it is critical that the
• Lock in. The lack of tools, procedures or industry provide training and certification of professionals to ensure that cloud computing is
standard data formats or services implemented responsibly with the appropriate security controls. The programme reflects
interfaces that guarantee data, both CSA’s own catalogue of security best practices, the Security Guidance for Critical Areas
application and service portability may of Focus in Cloud Computing, and ENISA’s recommendations.
make it difficult for customers to
6 StrategicRISK Executive Report [ 2011 ] www.strategic-risk.eu
be easy for an individual within an organisation to bypass due diligence by going to a public cloud provider and using their corporate credit card to buy services on their own. “That would bypass all the things that your organisation has in place and it makes some of the traditional approaches very difficult to apply,” he says.

Data difficulties
Beer sees one of the key risks that organisations face as relating primarily to data privacy. “Where is data stored and located?” he asks. “Most cloud providers are struggling to provide assurance and concrete evidence as to where data may come and flow due to the technical nature of the cloud, which uses virtualisation technology. This makes it extremely hard for them to say whether data is being stored in the USA, UK or wherever. It is a massive challenge that most of them are still struggling with.”
Ainslie points out that certain provisions apply where European companies’ data is stored outside of the EU. “It’s important to make sure that storage arrangements are acceptable,” he says.
Another major problem that Beer identifies is the lack of the universally accepted service standards and certification that normally apply when using a third-party provider of computer services. “These can provide an organisation buying traditional data services with some comfort, as well as reassuring any regulatory authorities involved. But the cloud environment based in virtualisation technologies means that these standards may not necessarily apply. There’s currently a great deal of debate as to whether a specific new cloud standard is needed.”
He also picks up on two of the issues identified by ENISA: lock-in and insecure or incomplete data deletion. Beer says: “Cloud computing provision is a relatively new space. There are quite a few providers. Some will probably go bankrupt; some will be acquired. Because there are no standards on intercompatibility or sharing information what happens then? This new sector does not have many answers here yet. And if information needs to be deleted, what assurance can they provide that your data has been safely destroyed?”
There is also a question mark around the availability of 24/7 support. “What sort of guarantees can cloud providers give that important services are going to be available?” Beer asks. “A lot of the providers, particularly the newer ones, have structured their service level agreements in a very modular way and are inflexible when it comes to modifying their contracts.”

Ensuring model alignment
Ainslie urges companies to drill down into the cloud provider’s business approach. “You may be using a SaaS provider, putting your data into a software tool in the cloud to take advantage of benefits such as cost and scalability. But you need to be aware that your provider may have the same business model and be using another company’s services – which means that your data may be sitting with the vendor of your vendor.
“You need to ask if your vendor is using another party, who they are and whether it is possible to audit them to check their controls and standing. And with both direct and indirect vendors, you need to be able to check that they have insurance to compensate you for any data breach that you suffer as a result of their negligence.”
He also warns that, while you may seek to protect your data held in the cloud by encryption, it is not uncommon for your cloud provider to ask for the keys to the encryption. “Once you give the keys away, is that data still secure?” Ainslie asks. “If your cloud provider asks for keys, ask them why they need them and how they intend to store them.”

Additional risks
In its June report, Assessing the Security Risks of Cloud Computing, Gartner says that sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT retailers exert over in-house programmes. The firm recommends that users get as much information as they can about the people who manage their data.
Gartner also warns that investigating inappropriate or illegal activity may be impossible in cloud computing. “Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres,” says the report.
Ainslie concludes: “It’s essential to ensure that the service given by your cloud provider is more than just a cost-cutting exercise but a secure and reliable service as well.”

DEFINING CLOUD COMPUTING
There are three categories of cloud computing:
> Software as a service (SaaS): is software offered by a third-party provider, available on demand, usually via the internet, configurable remotely. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services (Salesforce CRM, Google Docs, and so on).
> Platform as a service (PaaS): allows customers to develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management, and deployment platforms. Examples are Microsoft Azure, Force and Google App engine.
> Infrastructure as service (IaaS): provides virtual machines and other abstracted hardware and operating systems that may be controlled through a service API. Examples include Amazon EC2 and S3, Windows Live Skydrive and Rackspace Cloud.
Clouds may also be divided into:
> Public: available publicly – any organisation may subscribe.
> Private: services built according to cloud computing principles, but accessible only within a private network.
> Partner: cloud services offered by a provider to a limited and well-defined number of parties.
Source: Cloud computing – benefits, risks and recommendations for information security, November 2009, ENISA

CLOUD CRASH
Amazon Web Services’ significant period of outage in April illustrates the risks for users that depend on cloud technology. The incident took down many other online sites and internet services that rely on Amazon’s cloud.
The outage was caused by a glitch at the company’s northern Virginia data centre. Some block storage volumes created new backups of themselves, which filled up Amazon’s available storage capacity, leading to connectivity problems.
Users affected included: question and answer site Quora, social media hub Reddit, the HootSuite link-sharing tool, and location-based services Foursquare and SCVNGR.
DATA PROTECTION [ StrategicRISK Report ]
Prevention and cure
No company is able to boast completely bullet-proof data security provisions, but it is possible to mitigate breach risks efficiently

KEY POINTS
01: Causes and consequences of data breaches should be graded for probability, indicating where risk is greatest.
02: Data breach scenarios should be written into crisis management plans.
03: Should a breach occur, evaluate the situation thoroughly before reacting, lest further damage – both reputational and legal – occur.

Companies’ IT experts and advisers may be smart but the high incidence of data security breaches suggests that hackers may be smarter, while dishonest or careless employees also remain a threat. So just how should companies approach data risk management and minimise the downside should a breach occur?
Head of Marsh Risk Consulting in France Marc Paasch suggests that an important first step is to identify and analyse the possible scenarios that could result in a breach or loss of data. “These could include a range of incidents such as hacking, loss through fire or a natural catastrophe, and even malicious damage,” he says.
In connection with the latter, Paasch gives the example of a head of IT who takes your systems’ codes when he leaves the company and then uses these codes to change some information in your databases. “It’s usually possible to detect any erased information fairly quickly but relatively small alterations can be quite difficult to spot,” Paasch says.
Having identified the possible causes and consequences in terms of both financial and reputational loss, these should be graded for probability. This will highlight the potentially very damaging losses that have a reasonably high chance of occurring and will give an indication of where the risk is greatest, explains Paasch.
“For example, we recently completed a study for a very large European company. This was not in one of the traditional high-risk sectors like financial, telecoms or retail, but nonetheless it held data on over one million clients,” says Paasch.
He continues: “We identified two major risk scenarios. The first was that client data might be stolen. The second was that hacking of their overall systems would allow criminals to transfer payments to bogus accounts. Providing this kind of risk information allows a company to set up the right kind of controls to prevent occurrences – and plan the right level of crisis management should the worst happen.”

Layers of security
Paasch advocates a multi-tier approach to risk management. The first involves the human element, asking the right questions to assess whether you need to improve controls. He says: “Look at who is entering and exiting the systems. When are the codes changed? Which individuals have access to what? Who handles your systems maintenance?”
On the human angle, ACE European Group (UK) cyber underwriter Iain Ainslie says that it’s important to make staff aware of what constitutes sensitive material and the degrees of sensitivity that may apply. He suggests: “You can do this with a range of measures including training videos with tests at the end to ensure the message has gotten across, and awareness campaigns. But you need to run regular checks to make sure procedures are policed.”
Employees need to understand the potential implications of data breaches. “Risks to their company could ultimately affect their own jobs and if they understand this, they may take more care,” he says.
Secondly, you should consider physical and virtual protections. How easy is it for unauthorised people to gain access to your premises where data is stored? What back-up facilities, anti-virus protections and firewalls do your company’s IT systems have?
Ainslie warns that it’s important not to be too reliant on technology – even if it is the latest model. “When a new firewall comes on the market, hackers will buy it, work out a script to breach it and then send that over the net to find and attack firewalls of that type. For this reason, it’s important to have layers of security – if one is breached, there’s another underlying it,” he says.
Ainslie suggests another strategy of not putting all your data on one server. “Try to distribute it around several servers so if one is breached you don’t lose everything.”

Basic measures
Patrick Donnelly, managing director of professional risk solutions for Aon Risk Solutions’ Financial Services Group, also advocates a structured approach to managing data security risks. He stresses the advantage of using the same basis as that applied to other corporate risks so that it is familiar to both the company and its risk management team. He explains that this includes:

• risk identification,
• risk assessment,
• evaluating the efficacy of risk controls,
• quantifying the exposure that remains after assessing efficacy, the appropriateness of risk transfer or other risk financing, and
• designing a framework to manage the residual risk that remains after any risk transfer.

“While you take these same basic steps, it is of course important to apply specifics in the context of managing data privacy,” he says. “For example, companies will need to
establish their standards for risk assessment. These may be by industry or size of company but there may also be some general standards that apply within the particular industry sector.”
Donnelly cites the retail sector which, in connection with credit card payments, needs to comply with the payment card industry’s data security standards. The International Organisation for Standardisation has also developed a code of practice for information security management. “ISO has around 162 member countries so this is a standard that is fairly well recognised by companies and information security professionals globally,” says Donnelly.
Another step in the risk assessment process is to look at the company’s latest third-party or internal audit. “The findings of your latest report on compliance will be fundamental here,” he states.
While establishing the standards against which to assess your risk may be relatively straightforward, evaluating the efficacy of risk controls is not quite so defined, warns Donnelly. “Controls tend to focus in three areas,” he explains. “It is important to look at the efficacy of risk controls in the context of contractual controls, operational controls and technological controls.”
There has been quite a significant change here since companies first started to focus on data privacy risk management. “Initially, companies concentrated on the technological aspects with information risks being largely managed by their IT departments.
“Most organisations have moved on from that, understanding that technology is only part of the picture. So there is focus now on operational controls as well, taking in aspects such as who has access to data and increasing employees’ risk awareness, for example by training. Companies have come a long way in understanding how risk controls can help manage the identified risks,” says Donnelly.

Quantifying the risk
Risk exposure quantification can take several forms. Most companies look at third party issues, look at their own experience and also take into account publicly available information. This may well be the approach adopted by companies in sectors which are not deemed to have the highest exposure – perhaps because they store little or no personal and financial information on their customers.
But Donnelly says that some companies require a more specific, even actuarially driven, quantification of risk, modelling their portfolios of personal privacy risks. “Once the model is established, they can overlay various risk financing treatments to help the company come to the optimal view of how to finance the risk,” he explains.
Alongside questions concerning the robustness of your IT protection has to come the consideration of how much your company wants or needs to invest in it. Paasch explains: “For an industrial client as opposed to, say, a financial institution or a telecoms company, losses arising from a data breach are probably not going to be that great and will represent a far smaller share of their total cost of risk.
“So the amount of money they invest in IT protection is likely to reflect this, along with their tolerance or appetite for this type of risk. They need to reach a solution that they feel comfortable with.”
Ainslie agrees that companies need to analyse the costs versus the benefits. But he gives an analogy: “If you live in a row of 10 houses and everyone goes on holiday, the one that leaves the windows and doors open is more likely to get burgled!”
Basic precautions are important and, in any event, you need to make sure that whatever controls you put in place are reviewed regularly.
Once the risk management approach, controls and any risk transfer are in place, the company needs to establish how it would deal with a data security breach. There is general consensus among risk advisers – and some risk managers – that no system is fail-safe because the extent of the controls required to achieve this would be counter-productive to the efficient running of the business itself. “A planned, organised approach to dealing with any data breach is the final component in risk management planning,” Donnelly says.
“Your business continuity and crisis management plans should take account of what you need to do should there be a data breach,” Paasch says. “There are no hard and fast rules because circumstances and the types of information involved vary, but generally it is important to be as transparent as possible. Notifying any clients that could potentially be impacted can often save problems at a later stage,” he explains.

Respond reasonably
Ainslie agrees but warns companies to not act too hastily. “A lot of businesses get into trouble because they do the wrong thing. For example, there have been cases where companies have panicked after they have discovered a data breach and notified all the customers that they think might be involved.
“Later investigation has shown that the breach was not as serious as they thought and they have then had to send out another notification, doubling their costs and potentially damaging their reputations,” he says.
Ainslie also recommends that you line up in advance the people that you might need to rely on should a serious data breach occur. “Establish a relationship with an appropriate crisis management public relations firm so that you can call upon them if there’s a problem,” he says. “Contacting people and trying to enlist their help at the last moment when there is a real panic situation will almost always be more expensive and less effective.”

TOP TIPS
1 Don’t just rely on technology to protect your data – restrict access to sensitive information and train employees to be risk aware.
2 Identify and risk manage the potentially very damaging losses that have a reasonably high chance of occurring.
3 Align investment with potential loss – including any reputational damage implications – so that you don’t over spend or skimp on essentials.
4 Assess your exposure and the standards you need to apply in the light of reported losses in your business sector and best practice guidance.
5 Run regular checks to make sure controls remain in place and employees are adhering to protective strategies.
6 Make dealing with a data breach part of your business continuity and crisis management plans.
Security service
Cyber risk insurance has become a must-have, as companies start to realise the full ramifications of a data breach and that no organisation is safe

KEY POINTS
01: Hacking is often indiscriminate, affecting smaller companies as well as larger ones.
02: Notifying all potentially affected companies when a data breach occurs – which is set to become mandatory under EU law – can be extremely expensive.
03: The rise of social media has increased the likelihood of confidential data being leaked inadvertently from within.

Cyber risk insurance has taken some years to become established among European companies. But recent trends have pushed it up the risk management agenda.
The purchase of cyber risk insurance had a boost at the end of the 1990s because of fears that the millennium bug could hit businesses hard. When this didn’t happen, it tended to take a back seat. But a number of recent changes have highlighted the importance of the cover and it is now being described in some quarters as the “new D&O” (that is, a cover once considered irrelevant in Europe and now seen as a must-have).
ACE European Group (UK) cyber risk underwriter Iain Ainslie explains: “In the last 10 or 11 years, companies have come to rely more heavily on IT than before. As a consequence, an IT problem can be a major issue, affecting their revenues and balance sheets.”
But it is not just the growth in importance of IT that has alerted companies to the need to protect themselves. Ainslie points out that some European jurisdictions such as the UK are becoming far more litigious. Criminals too are becoming more aware of the value of data and, with so much held online, it is easier to get to if you do not protect it. “Hackers sell it on to other criminals, who know what to do with it and commit the actual fraud,” Ainslie warns.

Mixed motives
In addition, a number of high-profile IT security breaches have focused corporate attention. Although it is the incidents affecting the largest companies that have hit the headlines, Ainslie warns that smaller companies should not consider themselves safe. “A hacker will send a script around the web that tries to find holes in the security of any company – and there are more of these attacks than the targeted hacking that we tend to read about.”
But targeted attacks are still a serious issue for some companies – and ACE IT underwriting manager for Continental Europe Patrick Pouillot says that in some cases there is a change in motivation. “Attacks on data security now are not just coming from criminal or political organisations but also from aggrieved individuals who consider that a particular company has done something wrong and want to punish it,” he says. “This could mean that we will see some new viruses that specifically target one company, which would be difficult for traditional risk prevention techniques to combat.”
Pouillot cites Stuxnet, a worm that initially infects Windows machines and then goes on to seek out industrial control software made by Siemens. It then reprograms the software to give machinery new instructions. “It is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,” says industrial computer expert Ralph Langner in analysis published on the web.
While the focus tends to be on online attacks by hackers, it is a mistake to think that data security attacks are always so sophisticated. As long as their methods work, criminals tend not to be too worried about how they get hold of the information. For example, they may get branded memory sticks reproduced, leaving these in company car parks or outside offices. Ainslie says: “Employees pick them up, thinking they’ve been dropped by a colleague, and then plug them into their PC to try to see who they belong to, unwittingly unleashing a virus into the system.”

EXPOSURE TO THIRD-PARTY CLAIMS
Third-party claims are not always the direct result of data breaches.
> Most employees use their work PCs to make purchases, visit websites, check their personal emails, and so on. They could pick up a virus in the course of their browsing, which would affect your company’s systems and the emails sent out.
> If people in your company send out emails with viruses attached and the result is that recipient individuals or companies experience a financial loss, they can claim against you for this.
> IT forensic experts can determine the origin of such viruses.
> Currently ACE provides cyber insurance covering first-party loss and third-party liability in the UK and across continental Europe, even if the insurer’s policies offered in Europe can vary from one insurance market to another in terms of cyber, media and privacy liabilities.

A duty to report
There is likely to be even more increased attention on security and protection when
proposed EU legislation comes to fruition. In an effort to harmonise approaches across member states, the European Commission looks set to make it mandatory to notify potentially affected customers of all companies when a data breach occurs – not just those in the recognised high-risk categories.
Notifications can be very expensive if large numbers are involved and companies often also have to pay legal advisers to make sure that they couch their message in the right way.
But, even at present, Pouillot says that most insurers will respect the views of their clients’ risk managers as to whether to notify or not after a significant data breach. “The notification costs may be huge but quick notification could prevent liability claims. It’s a question of trying to prevent the impact of the incident on the customers in both the company’s and the insurer’s interests,” he says.

What’s ‘sensitive’?
Serious data breaches involve “sensitive” information – but how do you decide just what falls into this category? Clearly personal customer information such as credit card and bank details needs to be protected. Less obvious but still sensitive are customers’ names and email addresses. Obtaining these could allow criminals to send scam information and phishing emails.
But it’s important to remember that some of your own company’s data is sensitive, too. Although the legislative focus has been on protecting individuals and clients, reflected in the third-party cover offered by insurers, your company itself could suffer significant loss through a data breach involving its own business plans and strategies.
No company would want to share its innermost trade secrets and business plans with its competitors. But a successful data breach could mean that you end up doing just that.

Accidental leaks
There are many ways that your company’s confidential information could be “leaked”. But one that risk managers are increasingly aware of is through social networking sites.
Organisations use social media sites quite extensively and often encourage their employees to do the same and blog on their own or other sites as appropriate. It’s a way of getting their business and services known, with a potentially huge audience and at a far cheaper cost than traditional advertising.
But they could be swimming in shark-infested waters, because there is no certainty about protection should anything go wrong. “There is not much case law and no set rules about issues like intellectual property protection, defamation and leakage of confidential information yet,” Ainslie says. Certainly it makes it a difficult area for insurers to provide cover.
Companies do have some control over their own pages on Facebook and similar sites, in that they can remove inappropriate content quickly and easily. If your employee posts a message, inadvertently giving away confidential information about your company, your options are not so clear.
You might be able to take action against that employee on the grounds that they have breached their confidentiality agreement with your business. But if a rival company uses this information to your own company’s detriment, there may be little you can do, as their argument will be that the information was in the public domain.
Pouillot says that one of the challenges that insurers face lies in the new types of claims that may be presented. “We all tend to think in absolute terms – that a breach or other problem has been discovered that needs correcting – but sometimes it’s not that simple. The IT manager may go into the office on Monday morning and consider that something in the systems does not feel right but he’s not quite sure what may have happened over the weekend.”
Pouillot believes that in the future there will be a greater demand for insurers to cover the costs of investigating whether a loss has actually occurred. He says: “It will change the definition of claim in this area of business.”

A CONSULTANT’S VIEW
Patrick Donnelly, managing director of professional risk solutions for Aon Risk Solutions’ Financial Services Group, comments: “There has been an evolution in the insurance cover available in the last two years or so. When the initial cyber policies were introduced in the late 1990s, they were fairly restrictive, focusing on network security liability coverage and first-party property insurance, which very much resembled traditional property insurance cover although linked to non-physical perils.
“Over the years, this has changed to the extent that insurance cover now adds much more value. The first-party cover – the insurance for losses of the organisation – is no longer limited to replacing assets or providing business interruption cover, but can include reimbursement for the costs associated with investigating a breach event and managing the breach response.
“As a result, we’ve seen a trend in the last six months with organisations willing to take higher retentions on the front end of the cover but looking to build fuller coverage rather than sub-limits within the elements associated with breach response events. And some insurers are not only willing to offer reimbursement for breach response costs but also offer access to a panel of experts with experience in managing breach incidents.
“Liability coverage has moved beyond responding to damages arising from specified network perils to include a broad trigger for damages arising from the breach of any duty to keep information from improper or inadvertent disclosure. While policies have always responded to defence costs and damages associated with third-party claims, coverage may now be tailored to also respond to costs and damages arising out of a regulatory investigation or enforcement action.
“At a time of unprecedented capacity, the cost of cyber risk insurance is more attractive than it has ever been. That is proving to be incredibly compelling for companies of all sizes in all industries. No organisation can be 100% sure that it won’t have a problem.”
First line of defence
Data privacy should be a top priority for risk managers, but no company can boast a 100% security assurance. They can, however, learn valuable data protection lessons from others

KEY POINTS
01: Having a data back-up is vital, but be sure not to store it near the main system, and ensure it has wide compatibility.
02: Any system that is developed by people can be cracked by people; therefore grant access permissions cautiously.
03: By embracing social networking with guidelines and training, accidental data slips can be avoided.

Protecting data privacy is an important issue for virtually all companies. Even those that do not store individuals’ personal data within their IT systems are concerned to protect confidential information regarding clients and contracts that could be valuable to a competitor. And ensuring reliable and robust technology is essential for many other corporate functions as well.
Katoen Natie chief risk officer Carl Leeman says: “There is probably not one business today where IT has not increased in importance. Certainly in the logistics business that I am involved in, we have warehouse management systems that are very important. Any problem with our IT system there would quickly result in major problems.”
Leeman considers there to be a number of IT risks, particularly in relation to information security, even for companies that are not apparently in the highest risk areas. He warns that relying on your back-up system may be dangerous. “Most companies have a back-up system but not all of them can be sure that they will work, for several reasons,” he says. For example, it is a common mistake to store the back-up in the same building as the main computer system, as a disaster such as a fire may destroy both.
Leeman also believes that having a back-up that is specific to your particular system can be a mistake. “Some companies

Other IT risks he cites include intrusion, for example by viruses, and inappropriate use of the company’s network by employees.
“Every system that is developed by people can be cracked by people. We have seen that all types of very heavily protected IT systems have been hacked into – even the US White House computer system.”
He also refers to the reputational damage that can occur if companies don’t ‘clean up’ old websites. “Sometimes companies register a number of different websites in various names. They abandon some of these and other businesses or individuals take over the name and use the websites for unacceptable purposes,” he says.
Leeman says his company’s system does not hold personal data like individuals’ addresses. “But we do hold technical information on contracts. I have been assured it is impossible for this to be downloaded by people with bad intentions or employees who leave the company.
“There are a number of controls in place. These include limiting the number of people who can view this information and restricting even further those with the ability to download it. For example, people working in one business unit cannot view contracts issued by another business unit.”
Like Leeman, Prysmian Group group risk manager Alessandro De Felice works for an industrial company not a high-risk sector, so his data security concerns also focus

customers’ invoices, is a major consideration that is directly related to our business continuity,” he says. “It is fundamental to establish a procedure and a framework where IT risks are properly managed, so our investment in IT is significant. Our data protection is facilitated through cross-department activity. Our IT, security and risk management departments are all involved – there’s no single owner of the risk.”
Strategies include control procedures for employees to prevent loss of data, controls to prevent external intrusion and also general physical protections to prevent unauthorised access and damage to the systems.

Personnel security
Elaine Heyworth is the former head of risk management of Everything Everywhere, a UK telecoms company formed by the merger of Orange and T-Mobile. The latter suffered a data security breach two years ago, when two employees stole customer data and sold it on to rival firms. “The company had to work very closely with the Information Commissioner’s office to manage that breach. For us it became much more critical to look at our internal employees, and it was the start of a whole range of changes around personnel security,” Heyworth says.
Extra layers of protection were added to ensure that no single employee had access to the data, with two or three employees having to sign off before someone could
have a back-up that works only on their around corporate confidentiality rather than access information. “The information
mainframe. If the mainframe is damaged leakage of individual consumers’ private security team also introduced security for
the back-up will be useless because the information. “Risk perception varies a lot laptops and computers that meant that no
system to drive it is dead,” he warns. according to business sector,” he says. employee could use a non-encrypted
In addition, he says that reports suggest De Felice explains that his company portable memory device and memory sticks
that many back-ups – perhaps around 20% relies on its IT system to provide accurate were only designed to operate for
– just don’t work properly for a variety of and prompt financial and other data. transferring data from one employee’s PC to
technical reasons. “Protecting our data, for example in terms of another employee’s PC,” Heyworth explains.
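Leeman’s point that a back-up which has never been restored cannot be assumed to work can be turned into a routine check. The script below is an added example, not code from Katoen Natie or from this report: it builds a small constructed archive in memory, records a manifest of SHA-256 digests at back-up time, and then performs a trial restore that compares every restored file with the manifest, reporting missing, altered or unexpected files and any archive that fails to open. File names and contents are invented; in practice the manifest would be kept apart from the archive, and the trial restore would run on a separate machine so that a back-up tied to one mainframe is noticed before the mainframe is lost.

```python
"""Restore-test for a back-up archive (added example, constructed data).

A back-up that has never been restored is not known to work. This script
writes a small tar.gz archive in memory, records a manifest of SHA-256
digests when the back-up is taken, and later restores the archive into
memory and checks every file against that manifest.
"""
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple

# Constructed sample data standing in for a warehouse-management export.
SAMPLE_FILES: Dict[str, bytes] = {
    "wms/orders.csv": b"order_id,sku,qty\n1001,ABC-1,4\n1002,XYZ-9,12\n",
    "wms/config.ini": b"[db]\nhost=db.internal.example\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: Dict[str, bytes]) -> Tuple[bytes, Dict[str, str]]:
    """Write the files into a gzip-compressed tar held in memory and return
    the archive bytes plus a manifest {path: sha256}. Store the manifest
    separately from the archive (ideally off-site), so that damage to the
    archive cannot also damage its own checksums."""
    buf = io.BytesIO()
    manifest: Dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_hex(data)
    return buf.getvalue(), manifest


def restore_test(archive: bytes, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Trial restore: extract into memory (never onto the production system)
    and compare each file with the manifest. The back-up is usable only if
    every list except 'ok' comes back empty."""
    report: Dict[str, List[str]] = {
        "ok": [], "missing": [], "mismatch": [], "unexpected": [], "errors": []
    }
    seen = set()
    try:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                handle = tar.extractfile(member)
                data = handle.read() if handle else b""
                seen.add(member.name)
                expected = manifest.get(member.name)
                if expected is None:
                    report["unexpected"].append(member.name)
                elif sha256_hex(data) != expected:
                    report["mismatch"].append(member.name)
                else:
                    report["ok"].append(member.name)
    except Exception as exc:  # truncated or corrupted archives fail to decompress or fail the CRC check
        report["errors"].append(f"{type(exc).__name__}: {exc}")
    report["missing"] = sorted(set(manifest) - seen)
    return report


def backup_is_usable(report: Dict[str, List[str]]) -> bool:
    return not (report["missing"] or report["mismatch"]
                or report["unexpected"] or report["errors"])


def corrupt(archive: bytes) -> bytes:
    """Flip one byte in the middle of the compressed stream to simulate media damage."""
    damaged = bytearray(archive)
    damaged[len(damaged) // 2] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    archive, manifest = make_backup(SAMPLE_FILES)
    print("intact archive usable:", backup_is_usable(restore_test(archive, manifest)))
    print("damaged archive usable:", backup_is_usable(restore_test(corrupt(archive), manifest)))
```

The same check applies to real archives by reading the archive bytes and the stored manifest from disk; the point is that the verdict comes from an actual restore and a per-file comparison, not from the back-up job having reported success.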
12 StrategicRISK Executive Report [ 2011 ] www.strategic-risk.eu
ONLINE IN PRACTICE: For more practical advice on dealing with risk management challenges within your organisation, visit www.strategic-risk.eu/in-practice
There was a general campaign supported by the management team and board to create more data security awareness, accompanied by training across the business. “We needed to make people aware of the implications of security failures or deliberate breaches. The fact that the two employees involved in our breach were prosecuted and went to prison signalled how seriously we take data security.”

The company is a member of CIPSIE (the Communications Industry Personnel Security Information Exchange), run by CPNI (the government’s Centre for the Protection of National Infrastructure). Since its data breach, it has looked far more deeply into the trustworthiness of its employees, exchanging information with other mobile phone companies.

Inevitably, the breach led to a tightening of external controls as well, with added layers of security around the company’s networks and customer database.

Heyworth concludes: “For any retailer, its customer information is a critical part of its infrastructure. But the fact is that – unless you are very lucky – you cannot completely guarantee that your business is secure from the actions of a rogue employee. You just have to try to put in as many controls as you can without restricting business flow.”

In the meantime, Russian telecoms companies are struggling to meet the requirements of a strict new law that imposes onerous guidelines as to what these companies have to do to protect their subscribers’ data and personal information.

Mobile Telesystems OJSC head of risk management Igor Mikhaylov says: “Like most companies in this sector, we have certain security measures protecting our system and we train those of our people who have access to the sensitive data. We have a special department headed by our vice-president of security that is responsible for this. But the new law is tough and hard to comply with. The level of security is comparable to that relating to top-level government secrets, which may be over-excessive.

“My company operates in around 80 regions in Russia as well as in several other countries. All our systems in all the regions where we operate have to be secured to the standards laid down by the new law. But we do expect some changes to be made because of the difficulties associated with compliance.”

The penalties of non-compliance would be very substantial, says Mikhaylov. “Users might not be prevented from using our services but our reputation could certainly be affected on a local basis in the regions where we operate.”

Social networking risks

It is not just the risks of hackers gaining access to information or rogue employees that are taxing the minds of European risk managers. The danger of information being inadvertently leaked by employees through social networking was addressed at October’s Ferma Forum in a session called ‘The risks of the virtual world’.

Moderator Michel Dennery, deputy chief risk officer at GDF Suez, opened the discussion by saying that information is an open door in computerisation. “Who accesses the information, what is the value of the information and could your competitors gain competitive advantage if they had it?”

Bureau Européen d’Information Commerciale secretary-general Laurent Delhalle warned that companies have to consider that, with new ways of communicating and accessing information, there are no more boundaries. “Private and business lives tend to get mixed up … You can damage the reputation of a company just by a few words posted on Twitter.”

Delhalle pointed out that anything written on the internet can be used without the person responsible or their company knowing or being able to control it. He recommended that companies follow the example of an enlightened few that have already written guidelines or a charter for employees on using social networks. This would constitute protection not just for the company but also for the employee concerned, who might otherwise face an action for breach of confidentiality.

SICPA Management chief security officer Christian Aghroum also emphasised that people give a lot of information on social networks about what they are doing, where they are going, and so on, without realising that this can be useful to competitors.

Dennery said that companies now use social networking sites to communicate with all kinds of stakeholders, while their employees as private individuals also communicate on these sites. “We are in a world where information is open – but we have to take real care of the valuable information that produces our companies’ income and gives our businesses a competitive edge,” he warned.

“Information moves from one place to another in a second, so we have to be prepared to react quickly. It is not easy to be sure that you are informed of any leak and have a good action plan ready to preserve the reputation and value of your company. You have to consider crisis management.” SR
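The controls described earlier by Leeman (viewing restricted to a business unit, downloading restricted to fewer people still) and by Heyworth (two or three employees signing off before anyone can reach customer data) can be expressed as one access policy, which is the “as many controls as you can” approach in code. The script below is an added example, not code from Katoen Natie, Everything Everywhere or this report; the users, roles, business units and resources are constructed, and the role names are assumptions.

```python
"""Least-privilege access checks for contract and customer data
(added example with constructed users and resources).

Three controls quoted in the article are modelled:
  1. business-unit separation: a user may only see contracts issued by
     their own unit;
  2. download as a stricter privilege than view, held by fewer people;
  3. multi-person sign-off: sensitive data sets need a minimum number of
     distinct approvers, none of whom may be the requester.
Every decision carries a reason so that it can be written to an audit log.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

VIEW, DOWNLOAD = "view", "download"
# Role needed for each action (assumed names); the downloader role is
# deliberately granted to a smaller set of people than the viewer role.
REQUIRED_ROLE = {VIEW: "contract_viewer", DOWNLOAD: "contract_downloader"}


@dataclass(frozen=True)
class User:
    name: str
    business_unit: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    ident: str
    business_unit: str      # unit that issued the contract or owns the data set
    min_approvals: int = 0  # sign-offs required before access (0 = none)


@dataclass
class Request:
    user: User
    resource: Resource
    action: str
    approvals: List[User] = field(default_factory=list)


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Only a request that passes every control
    is allowed; the first failing control is reported."""
    role = REQUIRED_ROLE.get(req.action)
    if role is None:
        return False, f"unknown action {req.action!r}"
    if req.user.business_unit != req.resource.business_unit:
        return False, "cross-unit access is not permitted"
    if role not in req.user.roles:
        return False, f"user lacks role {role}"
    # Separation of duties: count distinct approvers who hold the approver
    # role and are not the requester; duplicates and self-approval do not count.
    valid = {a.name for a in req.approvals
             if "approver" in a.roles and a.name != req.user.name}
    if len(valid) < req.resource.min_approvals:
        return False, f"{len(valid)} of {req.resource.min_approvals} required sign-offs"
    return True, "all controls satisfied"


def audit_line(req: Request, decision: Tuple[bool, str]) -> str:
    allowed, reason = decision
    return (f"{'ALLOW' if allowed else 'DENY'} user={req.user.name} "
            f"unit={req.user.business_unit} action={req.action} "
            f"resource={req.resource.ident} reason={reason}")


# Constructed directory: a logistics unit and a chemicals unit.
USERS: Dict[str, User] = {
    "alice": User("alice", "logistics", frozenset({"contract_viewer", "contract_downloader"})),
    "bob":   User("bob",   "logistics", frozenset({"contract_viewer"})),
    "carol": User("carol", "chemicals", frozenset({"contract_viewer", "contract_downloader"})),
    "dave":  User("dave",  "logistics", frozenset({"approver"})),
    "erin":  User("erin",  "logistics", frozenset({"approver"})),
}
RESOURCES: Dict[str, Resource] = {
    "C-LOG-17": Resource("C-LOG-17", "logistics"),                   # ordinary contract
    "CUST-DB":  Resource("CUST-DB",  "logistics", min_approvals=2),  # customer data set
}


if __name__ == "__main__":
    u, r = USERS, RESOURCES
    for req in (
        Request(u["alice"], r["C-LOG-17"], VIEW),
        Request(u["bob"],   r["C-LOG-17"], DOWNLOAD),
        Request(u["carol"], r["C-LOG-17"], VIEW),
        Request(u["alice"], r["CUST-DB"],  VIEW, [u["dave"]]),
        Request(u["alice"], r["CUST-DB"],  VIEW, [u["dave"], u["erin"]]),
    ):
        print(audit_line(req, decide(req)))
```

The denial reasons are deliberately specific so that a log of refused requests shows which control is doing the work; a run of cross-unit denials for one account, for instance, is the kind of signal the personnel-security reviews described above would want to see.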