The Information Commissioner’s Office (ICO) published its report for the year 2017/18 last month, containing a useful update on the prevalence of information security issues.

Firstly, the ICO reported that the number of data protection concerns raised had risen to 21019 (up 15% from last year).  In a similar pattern to last year, 32% of the investigations conducted into these concerns resulted in no action being taken and 35% were resolved purely through issuing advice on good practice to the organisation concerned.  The concerns appear to have been broadly distributed across all industry sectors.

Secondly, the ICO announced that self-reported data breaches by organisations had also risen to 3165 (up 29% from last year).  Of course it is not clear how much of this increase may be driven by better awareness of the need to report data breaches stemming from the publicity surrounding GDPR.  As before, the top sectors for self-reported breaches are:

  • Healthcare – 37%
  • Education – 11%
  • Local Government – 9%

Once again though, it is impossible to say whether this is due to a greater frequency of breaches in these sectors or to better awareness of the need to report.

Finally the ICO stated that they had issued fines totalling nearly £1.3m for breaches of the Data Protection Act, including the £400 000 fine issued to Carphone Warehouse in January.

The Business Continuity Institute (BCI) recently published its 2018 Cyber Resilience Report.  In many ways this year’s report confirms the findings of the previous reports in 2016 and 2017:

  • 66% of organisations experienced at least one “cyber security incident” in the last 12 months (64% in 2017);
  • 11% of organisations experienced more than 20 incidents in the last 12 months (10% in 2017); and
  • The impact of the majority of incidents was estimated at less than €50 000, but a very small number cost over €1m.

The figures on the response time to an incident were also consistent with previous years, with 38% estimating that they responded within an hour of detection and 79% within 3 hours.  Taken at face value this seems quite encouraging; however, for the first time, the 2018 survey also asked about the time taken to detect an incident.  Only 28% of respondents estimated that they detected incidents within an hour and 34% estimated that it took over 4 hours.  Clearly one cannot respond to an incident until it has been detected, so reducing detection times would appear to be the key challenge going forward.

The inability of BP stations to handle card payments for a period on Sunday evening has been widely reported.  There have been no reports of further problems since then so it appears that the glitch has been successfully resolved.  Meanwhile, the fault in the UK’s Faster Payments system, which occurred a few hours earlier, has been much less widely talked about; but, as of this morning, work is still underway to clear the backlog of payments.  Then, this morning, numerous accounts appeared on social media of problems with the TSB banking app.

Taken in isolation, each of these incidents is relatively minor.  However, taken together with the massive disruption to Visa payments in May/June and the IT meltdown at TSB in April, it points to a systemic problem with this vital part of our national infrastructure.

We blogged in March about the frequency of product recalls in the US, concluding that there were no particular trends (upwards or downwards) in any particular product category.  However, looking at the corresponding picture for Europe (once again using data from Stericycle), there is one product area with a distinct upwards slope: automotive.

Whilst still the smallest of the three product categories (by some way), the number of automotive recalls grew sharply from 160 in 2013 to 442 in 2017.  Whilst there have been some very high-profile recalls in recent years, principally the “Diesel Dupe” scandal, it is not clear what has caused this significant rise in the total number of recalls over the period.

Hundreds of passengers faced delays and disruption on Tuesday evening when Terminal 2 at Manchester Airport lost power.  Power was restored within a few hours but, whilst the power cut lasted, passengers could not check in and planes could not be unloaded.  Luckily, due to the time of day, it was possible to divert some incoming flights to Terminal 1.

As usual in these sorts of situations, most of the complaints from passengers seem to focus on a lack of communication.  This was partly due to the precise nature of the disruption, with the loss of display screens and other normal ways of communicating with passengers in the Terminal.  However, some comments on social media make a more general point; saying that airport staff, whilst trying to be helpful, had simply not been given the information they required to answer the questions that people were asking.

Whilst we do not know how accurate this criticism is in this instance, it is certainly true that many organisations’ crisis communications plans focus on communicating with the media and external stakeholders and neglect communication with their own staff.  Not only are staff an important stakeholder group in their own right, but many of them are also in direct contact with customers so are an important communications channel too.  A little time taken in planning and rehearsing procedures for communicating with staff during an incident will pay big dividends.

Media reports yesterday highlighted a “perfect storm” for UK producers of beer (and soft drinks), where high demand due to the good weather and the World Cup has coincided with a significant fall in production of CO2.  Whilst this is a problem across Europe, the loss of production is particularly acute in the UK where 3 of the 4 largest plants are currently shut.  It is anticipated that consumers will start to feel the impact within days.  Understandably, people are asking how this could happen.

“Supply Chain Continuity” has been a hot topic within business continuity management for many years now; and much good practice has emerged around getting to know and understand your supplier base, and contingency planning for failure of individual critical suppliers within it.  However, the current shortage of CO2 is an example of a growing problem where there is disruption to supply of a key raw material across an entire industry.  (In fact the shortage of CO2 affects multiple industries including food production and aviation).  This is clearly a more difficult problem to resolve – one doesn’t simply want to resort to costly and inefficient stock-piling of raw materials just in case.

What’s the answer then?  There is no simple solution if you happen to be a beer producer although, in this particular scenario, it might have been worth building a closer relationship with your CO2 suppliers to ensure that they don’t all shut down simultaneously.  For retailers though, the solution lies in a flexible business model: if you cannot replenish stocks of beer for a period of time what else can you sell instead?  As ever in these situations, a challenge for the beer industry represents a big opportunity for somebody else!

Last week was a very busy week for the ICO – and nothing to do with GDPR….

First came the announcement on 12th June that Yahoo! UK Services Ltd was being fined £250 000 for the massive data breach in 2014 (disclosed in 2016) affecting 500 million users globally.  Specifically, the ICO’s investigation focused on the 500 000 accounts for which Yahoo! UK Services Ltd was the data controller.  The investigation found that Yahoo! UK Services Ltd had failed to take appropriate technical and organisational measures to protect the data; and that it failed to ensure that its data processor, Yahoo! Inc, complied with the appropriate data protection standards.

Then, the very next day, the ICO was asked to comment on the massive Dixons Carphone data breach, announced that day.  Obviously they could say very little at this stage but did point out that “…when the incident happened and when it was discovered…will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”  With the recent huge increase in the level of fines that can be imposed, following the implementation of GDPR, this is a chilling message for the company.

Finally, also on the 13th, the ICO announced a fine of £80 000 for Gloucestershire Police for revealing the identities of child-abuse victims in December 2016.  In an all too common mistake, an officer sent an email to 56 victims, witnesses and lawyers with everybody’s name visible in the “To” field; thus every recipient could see all other recipients.  This is yet another reminder that information security management is primarily about managing people: not technology.
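The Gloucestershire Police incident is the recipient-exposure failure that a mail gateway can catch before a message leaves. The following is an added example, not code from the original post or from any of the organisations it mentions: it parses an outbound message with Python's standard `email` library, flags a To/Cc list that reveals many unrelated addresses to each other, and shows the Bcc rewrite that avoids the disclosure. The sample message, the addresses and the `max_visible` threshold are constructed for illustration.

```python
"""Outbound-mail check for visible-recipient exposure (added example).

Flags messages whose To: and Cc: headers reveal many recipient addresses
to one another, and rewrites them so recipients are moved to Bcc.
All sample data below is constructed; the threshold is a policy choice.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a bulk message sent with every address in "To",
# folded across two header lines as a mail client would emit it.
SAMPLE_MESSAGE = """\
From: case.officer@force.example
To: victim1@example.com, witness2@example.org, lawyer3@example.net,
 victim4@example.com, witness5@example.org
Subject: Case update
Content-Type: text/plain; charset="utf-8"

Please see the attached update.
"""


def _parse(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern header-aware policy."""
    return message_from_string(raw, policy=policy.default)


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that each recipient would see in To: and Cc:."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in addrs if addr]


def check_recipient_exposure(raw: str, max_visible: int = 3) -> dict:
    """Report whether a message exposes more than max_visible addresses.

    A message is treated as exposed when the visible list is larger than
    the threshold AND spans more than one domain, i.e. the recipients are
    not simply colleagues within one organisation. `max_visible` is a
    constructed policy value; a real gateway would tune it per sender.
    """
    visible = visible_recipients(_parse(raw))
    domains = {addr.rsplit("@", 1)[-1] for addr in visible}
    return {
        "visible_count": len(visible),
        "distinct_domains": len(domains),
        "exposed": len(visible) > max_visible and len(domains) > 1,
    }


def rewrite_to_bcc(raw: str) -> str:
    """Move all visible recipients to Bcc so each sees only their own address."""
    msg = _parse(raw)
    recipients = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = "Undisclosed recipients:;"  # RFC 5322 empty group syntax
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()


def bcc_recipients(raw: str) -> list[str]:
    """Return the Bcc addresses of a message (used to confirm the rewrite)."""
    msg = _parse(raw)
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


if __name__ == "__main__":
    report = check_recipient_exposure(SAMPLE_MESSAGE)
    print("before:", report)
    fixed = rewrite_to_bcc(SAMPLE_MESSAGE)
    print("after: ", check_recipient_exposure(fixed), "bcc:", len(bcc_recipients(fixed)))
```

A gateway would normally quarantine or bounce the flagged message for the sender to confirm rather than silently rewriting it, since the sender may legitimately intend the recipients to see each other; the rewrite here shows what the corrected message looks like.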

Major Outage at hostinguk

Web hosting firm hostinguk suffered a major outage at their St Asaph data centre.  Despite having “diverse fibre paths” to the site, the connection to the site was lost just before 9pm last night.  For many customers, the shock of finding that their website was down was compounded by the fact that they couldn’t contact hostinguk because their phones were not working.

Firstly, credit where credit is due.  Unlike many firms in the midst of an incident, hostinguk communicated well throughout the disruption; the status page on their website was regularly updated with detailed information on the progress of the recovery, and social media posts were responded to promptly.

However, there are two very interesting aspects of this incident.  Firstly, the initial estimate for “full service restoration” was “2-12 hours”; in actual fact, service was restored by way of a temporary fix after 17 hours and the permanent repair took a further four hours.  This is an excellent example of the prevalence of “optimistic overconfidence”: people tend to be overly optimistic about favourable outcomes and discount the probability of less positive scenarios.  This phenomenon is often then exacerbated by “anchoring”: it becomes clear over time that the initial estimates are wrong but people are still “anchored” to them and fail to adjust their estimates sufficiently.

Secondly, we return to the issue of “diverse fibre paths”: what does this actually mean?  The reality is that a single event managed to sever both fibres so I would caution against being too reassured by this statement from your providers.

Business Continuity Awareness Week (BCAW) 2018, with the theme “working together to improve organizational resilience”, ends today.  As usual there has been a busy programme of reports published, webinars hosted and live events around the globe; but what always interests us is the real business continuity stories going on around all this.  For some reason, BCAW usually sees a disproportionate number of incidents (apart from BCAW 2013 which was very quiet) – is this because all the resilience experts are busy attending seminars???  We may never see the likes of BCAW 2017, which kicked off as the WannaCry ransomware saga was still ongoing, again; but this year has nevertheless seen a range of interesting and thought-provoking stories.

Starting on a lighter note (unless you happen to be getting married in the near future), over the weekend 12/13th May users of the John Lewis wedding list service were unable to access the website.  Media reports state that this was because of a failure to renew the domain name, but it is not clear how this issue arose.  Anyway, everything was back up and running by Monday and the company has issued a very public apology.

More seriously though, on Tuesday Musgrave Group announced that it was recalling its “Daewoo” branded electric blankets because of a manufacturing defect which “…may cause the blanket to spark or go on fire.”  The average success rate of electrical product recalls in the UK is only 10-20%: we can only hope that this one is more successful.

As the week progressed we returned to a familiar theme, data breaches, with a particularly serious example.  On Thursday the Information Commissioner’s Office (ICO) announced that the Crown Prosecution Service (CPS) had been fined £325 000 after they lost unencrypted DVDs containing recordings of police interviews.  The DVDs contained recordings of interviews with 15 victims of child sex abuse, to be used at trial.  Further aggravating what was already a very serious breach, the ICO highlighted the fact that this took place despite the CPS having been fined £200 000 in November 2015 for another breach.

Finally, and most disturbingly, were the stories in today’s news of the increased spread of Ebola in the Democratic Republic of Congo.  Hopefully the lessons identified from the devastating 2014-16 outbreak have been taken on board and will be applied to minimise the impact of this latest emergence.

So, just in the space of a week, we have seen examples of four of the most frequent forms of disruption – IT disruption, product quality issues, information security issues and natural disasters.  Clearly the importance of “working together to improve organizational resilience” has never been greater.

Based on information from four of the five recognised accreditation bodies (CREST, IASME, APMG and QG Management Systems), there has been another big increase in the number of organisations achieving certification under the UK Government’s Cyber Essentials and Cyber Essentials Plus schemes.  As of last week 7794 organisations had achieved certification through these four accreditation bodies, a rise of 22% in only three months.

With GDPR coming into force later this month, there has never been a better time to get your information security management in order!