The recent fines British Airways (BA) and the US hotel group Marriott International are facing from the Information Commissioner's Office (ICO) for data breaches are a warning shot to all businesses. In response to these high-profile fines, in our blog this week our experts offer practical advice on reducing the risk of security breaches and on what to do in the event of an attack.
In a GDPR landmark case, BA is facing a record fine of £183m for security breaches of its systems. The incident is believed to have begun in June 2018 after criminal hackers injected malicious code into BA’s website, diverting visitors to a fraudulent site. Through the false site, the details of around 500,000 customers were harvested by the attackers.
In a separate case, Marriott is facing a £99.2m fine that relates to a data breach that resulted in around 339m guests having their personal details exposed. The incident is thought to date back to 2014 but was only detected in 2018.
The breach occurred within Starwood - a rival hotel group that Marriott acquired three years ago. The ICO said that Marriott had failed to properly review Starwood's data practices and should have done more to secure its systems.
Having a good understanding of the threats you face, how they have developed over time and which tactics are most likely to be used can prepare you to manage these risks more effectively and efficiently.
Let’s look at some of the best steps you can take to prevent security breaches...
Meet PCI DSS requirements: Any organisation that stores, processes or transmits cardholder data is required to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). The standard outlines 12 requirements that are designed to ensure the safe and secure transmission and handling of customers’ card data.
Requirement 10 of PCI DSS, for example, covers tracking and monitoring all access to network resources and cardholder data. The purpose is to link every access to a system component back to an individual user. If system usage is not logged, potential breaches cannot be identified. Secure, controlled audit trails must therefore be implemented to determine the “who, what, where and when”.
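As an added illustration of the audit-trail point above (this is example code, not part of the original post or of any PCI DSS material), the following script checks a batch of audit records for the “who, what, where and when” attributes and builds the per-user view of access to the cardholder data environment. The record format, field names, user names, hosts and IP addresses are all constructed for the example; real systems will use their own log schema, but the check is the same: any access to the CDE that cannot be tied to an individual is a gap in the audit trail.

```python
"""Audit-trail completeness check in the spirit of PCI DSS Requirement 10.

Added example, not code from the original post. The log format below is an
assumption: newline-delimited JSON with one access event per line.
"""
import json
from collections import defaultdict
from datetime import datetime

# Fields a record needs so the event can be attributed to one individual:
# when (timestamp), who (user), what (action + resource), where (source_ip).
REQUIRED_FIELDS = ("timestamp", "user", "action", "resource", "source_ip")
TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample audit log. Users, hosts and addresses are invented.
SAMPLE_LOG = """\
{"timestamp": "2019-07-08T09:14:02Z", "user": "j.smith", "action": "read", "resource": "cde/payments_db/cards", "source_ip": "10.0.5.21"}
{"timestamp": "2019-07-08T09:15:30Z", "user": "j.smith", "action": "export", "resource": "cde/payments_db/cards", "source_ip": "10.0.5.21"}
{"timestamp": "2019-07-08T09:20:11Z", "user": "", "action": "read", "resource": "cde/payments_db/cards", "source_ip": "10.0.5.44"}
{"timestamp": "2019-07-08T09:22:47Z", "user": "svc_backup", "action": "read", "resource": "cde/payments_db/cards", "source_ip": "10.0.9.3"}
{"timestamp": "2019-07-08T09:25:00Z", "user": "a.jones", "action": "read", "resource": "intranet/wiki/home", "source_ip": "10.0.5.30"}
not-json-garbage
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON records.

    Returns (records, unparseable_lines). Unparseable lines are kept rather
    than silently dropped: a log that cannot be read is itself an audit gap.
    """
    records, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(line)
    return records, bad


def unattributable(records):
    """Return [(record, missing_fields)] for events that cannot answer
    who, what, where and when. A present but malformed timestamp counts
    as missing, since it cannot place the event in time."""
    gaps = []
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if rec.get("timestamp") and "timestamp" not in missing:
            try:
                datetime.strptime(rec["timestamp"], TIMESTAMP_FORMAT)
            except ValueError:
                missing.append("timestamp")
        if missing:
            gaps.append((rec, missing))
    return gaps


def cde_access_by_user(records, cde_prefix="cde/"):
    """Count accesses to cardholder-data resources per attributed user.

    Events without a user are deliberately excluded here; they are surfaced
    by unattributable() instead, so they are not lost.
    """
    counts = defaultdict(int)
    for rec in records:
        if rec.get("user") and rec.get("resource", "").startswith(cde_prefix):
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs, bad_lines = parse_audit_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {len(bad_lines)} unreadable line(s)")
    for rec, missing in unattributable(recs):
        print("audit gap, missing", missing, "->", rec)
    for user, n in sorted(cde_access_by_user(recs).items()):
        print(f"{user}: {n} CDE access event(s)")
```

Run against the constructed sample, the script reports one unreadable line, one CDE access with no user attached (the gap Requirement 10 exists to prevent), and the per-user tally for the two accounts that did touch cardholder data.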
Businesses that handle customers’ card data also need to have a defined cardholder data environment (CDE) – put simply, this is where your cardholder data is processed, stored and/or transmitted. PCI DSS defines the specific controls that should be in place (relative to the scope) to protect the data within the CDE.
Regularly test your networks and infrastructure: New vulnerabilities found in software and operating systems can be quickly exploited, so it is essential that you have processes in place to help manage and remediate these vulnerabilities swiftly. Vulnerability management services from security experts will include scans of your network to give you a comprehensive view of any weaknesses present. We recommend businesses carry out these scans on a quarterly basis, and they are a good starting point for checking and testing your networks.
Testing your systems and processes is also a good prompt to ensure that your employees know how to use your security mechanisms effectively. This can be achieved by conducting a range of incident response scenarios with varied attacks. Having a robust training programme in place, both for new members of staff and refreshers for long-serving employees, will stand your business in good stead for making sure best practice is implemented.
Carry out penetration tests: Once you have established regular network scans across the business, it is a good idea to arrange a penetration test. Penetration testing is a great way to test your security systems for any weaknesses, assessing how far a potential hacker could go before being discovered.
Our trained penetration testers can mimic the types of innovative attacks nefarious hackers would use to gain unauthorised access to your network. When it comes to penetration testing, there are a number of factors to consider. Whether your business would benefit most from an external or an internal test is one consideration.
We recommend that a penetration test be carried out at least once a year, in line with regular network scans, as well as following any large infrastructure or network changes.
Protect your data: The information security standard ISO 27001 is an internationally recognised standard that tells others that you take the safeguarding of your data seriously. The standard provides a security framework that helps businesses protect their data through effective technology, auditing and testing practices, organisational processes and staff awareness programmes. A security road map can be implemented to enable a business of any size to reach ISO 27001 in a staged approach.
A great place to start is with Cyber Essentials Plus. This is an externally audited certification which lays the foundation with technical controls, helps you guard against the most common cyber threats and demonstrates your commitment to cyber security.
When you are ready to add the governance and policy elements, the IASME (Information Assurance for Small to Medium Enterprises) Governance standard is a natural next step. The standard was developed over several years during a government-funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001.
IASME Gold is the externally audited version of the standard. It begins to build information governance and naturally lends itself to parts of ISO 27001, allowing businesses to reach ISO 27001 in a staged approach from an already solid foundation.
The average time to identify a breach across all industries is 197 days, according to IBM.
While prevention is better than cure, dealing with the situation head on and in a timely manner is crucial to minimise the damage. BA was recognised by the ICO for how quickly it had responded to the attack, a factor taken into consideration when recommending the fine of 1.5% of the business’ global turnover, rather than the maximum 4% penalty.
It is also key to have an effective and robust incident response plan in place. Having an organised approach to security breaches means such incidents can be addressed and managed effectively, limiting damage and reducing recovery time and costs.
We can work with you to advise on what should be included in an incident response plan, based on the individual requirements of your business.
Following that, periodic updates to the ICO are required to demonstrate that your business is taking the necessary steps to get back on track and limit the risk of the security breach happening again.