Last week, the British Pregnancy Advice Service was fined £200,000 after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker. In this right to reply article, two security experts offer their advice on how to tackle the growing threat of cyber crimes.
Lancope CTO, Tim ‘TK’ Keanini:
“First and foremost, we painfully see how the security of systems is everyone’s problem. No matter what the organisational chart reads, no matter if you are a full time employee or contractor, or where you sit in a complex supply chain, everyone in the ecosystem must be diligent and a weakness in one area in this connected world becomes everyone’s problem.
I’m excited to see a fine associated with this event because it unfortunately the only way to change business behaviour. If the fine is too low, it will be cheaper to just get breached and pay the fines so the amount is an important factor.
If this were not a hacktivist, it would have been likely that this organisation would not have known of the stolen data until it was identified for sale on some black market.
While the insecure storage of the data was a poor design, the security of the public website system itself is more important because even if there were no data being stored, attackers would have compromised the system and turned it into a ‘watering-hole’ attack whereby malware would be stored on it and users of the system would have been compromised in the same manner with data stolen and even worse, malware installed on their client machine to then steal even more credentials and data from other sites (ecommerce, e-business, e-government, financial, etc)”
Joel Barnes, senior system engineer at Tripwire:
“As a charity in the UK, they are likely to be constrained on security budget and far more focus has been put on the service they deliver than the security of the data behind it. From an initial standpoint, this looks like they may have outsourced their website and assumed that the provider would deal with the security issues. As such, there was either a failure in due diligence in assessing the third party, or a lack of maturity and time to assess a homegrown solution. Either way, this shows the importance of embedding security into the business planning process and allowing them to have a say in decisions that are made.”