At first glance the announcement of a data breach involving data from 57 million drivers and customers of Uber is a case of more of the same: there have been much bigger breaches over the last few years. However, the revelation that the company didn’t acknowledge the breach for a year, opting instead to pay a ransom to hackers, makes the story of real interest. Here in the UK, the Information Commissioner’s Office has expressed “huge concerns” about this lack of openness; and there has been an angry backlash from those who may have been affected by the breach and are now wondering what has happened to their personal data over the last 12 months. The decision to pay a ransom is particularly hard to fathom, and potentially the most damaging aspect, escalating the discussion beyond information security into a debate about the ethics and judgement of the firm’s senior management. We shall follow this story with interest…
The BCI Supply Chain Resilience Report has become an invaluable source of information for both resilience and supply chain professionals over the last few years. The release of the 2017 report this week brings the picture right up to date.
In many ways this year’s report confirms the patterns seen in previous years: 65% of respondent organisations experienced one or more supply chain disruptions in the last 12 months (compared to 70% in 2016); and eight of the top ten causes of disruption from 2016 featured in this year’s top ten, with IT/telecoms outages and cyber attack/data breach again the top two causes. However, buried in the detail of the report there is a striking and alarming change from last year.
In last year’s report 9% of organisations reported that a single supply chain incident had cost them more than €1m, but this year that proportion jumped to 23%. Even more alarmingly 14% of organisations report that a single incident cost them more than €10m (3% in 2016) and 9% report that a single incident cost them more than €100m (0 in 2016). Can there really have been this huge growth in extreme supply chain incidents globally; or is this increase driven, for example, by a small number of respondents severely impacted by the recent string of hurricanes in the US?
I came across a fascinating article recently by Andrew Healy and Neil Malhotra entitled “Myopic Voters and Natural Disaster Policy”. The authors reconciled local data from across the US on government spending on various aspects of disaster preparedness and disaster relief, with election results in each area. Their key finding was that politicians were rewarded, in electoral terms, for spending money on disaster relief; but not rewarded for spending money on disaster preparedness. This is even more striking as the research also estimates that $1 spent on disaster preparedness saves $15 of spending on disaster relief.
The authors also go on to discuss a variety of reasons why this, seemingly irrational, behaviour by voters may be observed; but the more interesting thing for me is the parallels with business continuity management. How often do we see this same “myopic” approach to managing risks at the organisational level? One suspects that, like the politicians, executives are not generally rewarded for investing in resilience. The question then is how can we mobilise directors and shareholders to address this imbalance? Any suggestions greatly appreciated!
We are now becoming so used to data breaches that only the most spectacular examples receive much attention. Usually they are spectacular because of the sheer volume of data, such as the Yahoo! breach of 2013; but on this occasion the newsworthy feature of the attacks is the sensitivity of the data that was compromised.
In what many are hailing as the sequel to the “Panama Papers” incident, which led to the resignation of the Icelandic Prime Minister, it was announced last week that an offshore law firm based in Bermuda suffered a “data security incident last year which involved some of our data being compromised.” Few details are available at this stage, but it is reported that some of Britain’s wealthiest people may be involved; and there is already speculation that there may be some embarrassing revelations about people’s tax affairs.
Most people would consider their financial affairs to be pretty sensitive but, even worse, it was also revealed last week that a major cosmetic surgery clinic in London had also suffered a data breach. Hackers who targeted London Bridge Plastic Surgery claim to have “terabytes” of data, including photos showing various body parts of clients; and that they are planning to publish names and photos on-line. It has been widely reported that the clinic has many high-profile clients, including Katie Price.
The coincidence of these two data breaches being announced in the same week provides a powerful reminder of the extra care that needs to be taken with such sensitive data. Follow the link to the Information Security section of our website to find out how we can help.
According to the Business Continuity Institute’s (BCI) inaugural Information Security Report, 15% of organisations “lost sensitive data” in the last 12 months. Indeed the actual figure could be higher, as a further 15% don’t know whether they did or didn’t. Whatever the precise figure, it is broadly in line with a report from IBM in 2016 which estimated a 13% annual chance of “a material data breach involving 10 000 lost or stolen records”. Other research has found the likelihood of a data breach was about 14% for an organisation with 10 000 employees in 2015, and had been reasonably stable at that level for the last few years. So everybody seems to be in rough agreement that it’s a serious problem.
Another interesting finding from the BCI report was that “human error” was the most frequent cause of loss of sensitive data. Once again, this is very consistent with other reports, such as those from the Information Commissioner’s Office which, for the last two years, has found “Data posted, faxed or emailed to incorrect recipient” to be the most frequent cause of data breaches. The key to improving information security lies in effective policies, processes and training: follow the link to see how we can help with this.
The Chairman and CEO of Equifax yesterday became the latest executive to “retire” in the wake of the enormous data breach announced on 7th September; the CIO and CSO having already “retired” two weeks ago. The previous “retirements” coincided with the bottoming out of a steep fall in share price (roughly 33% or $5b) following the public announcement, but it is impossible to say if the two are linked. There seems to have been little reaction from the market to the CEO’s departure; perhaps it was already expected?
Even if the changes of personnel have calmed the market for now, nothing can detract from the fact that this was a huge data breach, with the private data of 143 million Americans being exposed (as well as 400 000 Brits). As well as the sheer size of the breach, the company’s initial response seemed to focus on trying to minimise legal liabilities which, unsurprisingly, has attracted much criticism and resulted in a number of class-action lawsuits taking off anyway. All in all, the new leadership team have quite a job on their hands.
The International Organization for Standardization (ISO) published the results of their 2016 survey last week and there are big rises in the number of certifications for both ISO 22301 and ISO 27001.
By the end of 2016 there were a total of 3853 organizations globally certified to ISO 22301, a rise of 23% from 2015. As in previous years, the top three countries were as follows:
- India – 1607 certificates
- UK – 574 certificates
- Japan – 226 certificates
Meanwhile the number of organizations certified to ISO 27001 rose 21% to 33 290. Remarkably, nearly 40% of these certificates (13 889) have been issued in Japan.
I have really enjoyed this new book from Anthony Fitzsimmons and Derek Atkins, and would thoroughly recommend it to all those with an interest in risk management.
The title is actually somewhat misleading, suggesting a narrow focus on reputation management; whereas the book actually takes a very broad look at a wide variety of behavioural and organisational issues that can lead to crises. The first section provides a very readable summary of current thinking on areas such as reputation, culture and causation of crises; considering everything in the context of the organisation’s stakeholders. The second section is, to my mind, the most valuable; with a fine selection of up to date crisis case studies, including:
- BP Deepwater Horizon;
- Volkswagen; and
- Mid Staffs NHS Foundation Trust.
The final section then attempts to translate the insights from the previous two sections into a practical risk management framework. This is where I find the authors’ use of the term “reputational risk” most problematic and, in particular, their proposals for a “reputational risk management system”. Nevertheless, I think the authors have made a very valuable contribution in highlighting an array of behavioural and organisational issues to a wider audience.
The October 2015 data breach at TalkTalk, resulting in the theft of personal data of almost 157 000 customers and a record £400 000 fine, has been widely reported here and elsewhere. However, another serious breach has not been so widely reported.
TalkTalk began investigating in September 2014, after receiving complaints from customers that they were receiving scam calls; and discovered that personal details for up to 21 000 customers had been unlawfully accessed by employees of a third-party service provider. The ICO found that the level of access to the data was unjustifiably wide-ranging and put the data at risk; and has now fined TalkTalk £100 000. As before, the amount of the fine itself is not significant to a firm the size of TalkTalk; but the renewed public attention being focused on their lax security practices is certainly unwelcome. Bear in mind also that with the implementation of GDPR next year maximum fines increase to 4% of global revenues, which would be £73m for TalkTalk based on their 2016 results!
The Hull-based telecoms firm, KCOM, has been fined £900k by Ofcom over a failure of their 999 call service back in December 2015. The 4-hour outage resulted in 74 emergency calls failing, so the fine equates to over £10 000 per call (or £225k per hour)! Although Ofcom accepted that the root cause of the disruption was the flooding of a BT exchange in York, they found “serious weaknesses” in KCOM’s continuity planning: the pre-planned back-up routes also used the same BT exchange in York.
If this fine seems high, much worse could be to come, as Digital Minister Matt Hancock has announced a consultation on new proposals for fining critical infrastructure providers for disruptions arising from cyber attacks, power failures and natural disasters. The government’s plan is to impose fines of up to £17m (or 4% of global turnover) on firms that experience disruptions as a result of failing to manage risks appropriately. It is very unclear at this stage, though, what will constitute acceptable risk management.