It’s not about you: The complex web of information security
Published: 20 Mar 2018
How can external parties affect your information security? This often overlooked question is one of the hidden risks that businesses fail to consider.
Time and time again, I’ve heard the mantra: “I only use personal information to conduct my business. I trust my employees not to leak data. I just don’t think it’s that concerning.”
The people who subscribe to this pattern of thought are almost always well-meaning, diligent business-people. They have secure filing cabinets for their paper files, their computers are password-protected, and their employees have signed agreements not to disclose confidential information. It is totally reasonable for them to trust that their immediate network will not cause a data breach.
This bullet-proof shell around the physical perimeter of a business leads many managers to the misapprehension that they are invulnerable to any sort of attack on their information security. In reality, physical security and an immediate network of trustworthy individuals are just two patches on a roof with an immeasurable number of cracks, and blindness to that fact could lead to disastrous outcomes if ever it rains.
Hot off the press this week is the news that top managers from Cambridge Analytica, a UK data analysis and political strategic communications organisation, have been captured on video boasting about how their targeted online ad campaigns aided in the election of Donald Trump. The campaigns were developed after the personal data of more than 50 million Facebook users was divulged to Cambridge Analytica, enabling the organisation to identify and advertise directly to swing voters in three key US states. The suggestion now being made is that this ultimately won the election for Trump by a margin of fewer than 40 thousand votes, despite the Trump campaign losing the popular vote by more than 3 million.
The recorded conversation also fuels serious questions about the role of the Russian government in the 2016 election, with the Cambridge Analytica managers noting that external and untraceable organisations or groups are often used to inject ideas into the ‘bloodstream’ of the internet. It is not clear at this stage whether Cambridge Analytica passed the Facebook user data to any Russian affiliate.
Now, I’m not one to cry “Poor Facebook”, but I seriously doubt that when the decision was made to allow developers to collect and analyse data relating to the users of their Facebook apps, an expected outcome was that Donald Trump would become president of the United States. Further still, I doubt that there was an expectation that it might spark international political controversy, or that CEO Mark Zuckerberg might be called before the UK Parliament, especially since the leak appears to have been in defiance of agreements in place between Facebook and third-party developers.
But therein lies the point of this article – It’s not just about you.
In the month since the introduction of the Notifiable Data Breaches scheme (NDB scheme), the Office of the Australian Information Commissioner (OAIC) has received more than 30 data breach notifications. That is more than one per day. Keep in mind that the NDB scheme is not a retrospective law: all of these data breaches occurred after 22 February 2018. They occurred at companies that had organised data security measures in place, enough technical and legal knowledge to understand their obligations under the NDB scheme, and managers skilled enough to act swiftly in response to a breach.
All of them may have felt that their security measures were enough to prevent a data breach, and yet here they are notifying the OAIC that they have been compromised and that the breach is likely to result in serious harm to the affected individuals. Often, these breaches occur in predictable ways – disgruntled employees or misplaced files. However, it is also possible that bizarre or unpredictable circumstances result in a breach, or that the breach is actually the fault of some external party.
The likelihood of a breach is compounded by the use of information by the external parties a business engages to perform services on its behalf. If a contractor makes use of personal information collected by a business, the security of that information is only as good as the security measures of the contractor. This, I believe, is the hidden risk in information security, and by far the risk that causes the most trouble when attempting to contain a data breach.
How many managers know where their email servers are located? How many contractors are contractually bound to implement specific security systems? How is it possible to contain a breach if a business has no relationship with the party from which the information is leaked?
Data breaches can happen to the most secure and advanced corporations, and proactive measures alone are not sufficient to adequately manage the security of information collected. Organisations must prepare for the possibility that a data breach will occur by having detailed plans and policies in place setting out the persons responsible for managing a data breach, and the steps that must be taken to ensure that the breach is contained, the legal requirements in response to the breach are complied with, and the harm to the affected individuals is minimised.