At Certification Europe we certify lots of organisations for information security management systems. It is one of our main strengths as an organisation, it’s what we do, and we are recognised internationally as the best there is. This might seem like a bit of a humble boast, but could you imagine the reputational damage that we as an organisation would suffer if we ever allowed our clients’ information to be breached?
Don’t worry if you can’t imagine. Cintas Document Management conducted a survey in October last year and the results are scary: 66% of adults would not return to a business where their information was breached.
– 55% would change their bank.
– 46% would change their insurance companies.
– 40% would change their medical provider.
– 38% would not donate to a charity again.
So you can imagine how scared I was when we started getting spam messages to our Twitter account. At first we were getting weird links direct-messaged from accounts that we followed; they looked fairly suspect, so I didn’t have any fears about our social media team clicking on them.
Then the malware got creative!
“Are you the 3rd from the left in this shot from a couple years ago?”
Sent as a tweet from someone we follow on Twitter. It is easy to see why people might fall for it. Luckily our marketing team has been trained in recognising threats, specifically cyber threats and malware.
This leads me on to the subject of the biggest threat to your information’s security. It’s the person sitting beside you. Maybe not directly beside you: they might be beside the photocopier, next to the water cooler, or at the hot desk.
The fact is that the dangers posed by hackers and malware pale into insignificance beside the biggest threat to your information’s security, and directly to your business’s future. Staff who have not been trained to handle data properly are the number one source of data breaches.
There have been countless studies conducted by organisations such as Ponemon, Symantec and Compuware that have found that human error causes most data breaches. In fact, less than 1% of corporate data losses were caused by hackers.
If you are still not convinced of why training your staff is vitally important, you need look no further than the fines associated with data breaches.
In June 2012 Islington Council in the UK responded to a freedom of information request by supplying three Excel spreadsheets containing pivot tables that fulfilled the request. However, they also gave a copy of the raw data from which these pivot tables were derived. This data table was hidden from view but still accessible to someone with training.
These data sets contained the personal information of 2375 council tenants or people who had applied for council housing. Some of the more sensitive data breached was the ethnicity and gender of local residents the council had rehoused, details about residents’ history of mental health issues, or instances of reported domestic abuse. These spreadsheets were hosted on a UK-based site, https://www.whatdotheyknow.com, for approximately three weeks until July 2012, before the breach was reported to the Information Commissioner’s Office (ICO).
Islington Council conducted their own internal investigation and concluded that a lack of training, specifically around the preparation of data for public release, was to blame. They could not, however, hold any staff member accountable, because they had not trained them. There was no standard to benchmark against and there was no ability to recognise or correct the error.
Head of Enforcement at the ICO, Stephen Eckersley, fined the council £70,000 and had this to say in his commentary:
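The Islington case turned on a technical detail that is easy to miss: an Excel workbook can carry its source data in a hidden sheet, and a pivot table keeps its own copy of the source rows in a pivot cache part, even when the visible sheet only shows the summary. A simple pre-release check can catch both before a file is published. The following script is an added example written for this article, not a tool used by Islington Council or the ICO; it reads the .xlsx package directly with the Python standard library and builds a small constructed workbook in memory to demonstrate the check (the sheet names and records are invented).

```python
"""Pre-release check for .xlsx files: flag hidden sheets and embedded pivot cache data."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside an .xlsx package (SpreadsheetML).
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def audit_xlsx(data: bytes) -> dict:
    """Inspect the raw .xlsx bytes and return anything a reviewer should look at.

    An .xlsx file is a zip archive. Sheet visibility lives in xl/workbook.xml
    (state="hidden" or "veryHidden"); pivot caches live under xl/pivotCache/
    and contain a copy of the rows the pivot table was built from.
    """
    findings = {"hidden_sheets": [], "pivot_cache_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["pivot_cache_parts"] = sorted(
            n for n in names if n.startswith("xl/pivotCache/")
        )
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((sheet.get("name"), state))
    return findings


def is_safe_to_publish(data: bytes) -> bool:
    """True only if the workbook has no hidden sheets and no pivot cache data."""
    findings = audit_xlsx(data)
    return not findings["hidden_sheets"] and not findings["pivot_cache_parts"]


def build_sample_workbook(include_raw_data: bool = True) -> bytes:
    """Construct a minimal .xlsx-style package for the demonstration.

    With include_raw_data=True it mimics the risky case: a visible "Summary"
    sheet, a hidden "RawData" sheet and a pivot cache part. The records are
    invented placeholders, not real data.
    """
    sheets = f'<sheet name="Summary" sheetId="1" r:id="rId1"/>'
    if include_raw_data:
        sheets += '<sheet name="RawData" sheetId="2" state="hidden" r:id="rId2"/>'
    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
        if include_raw_data:
            zf.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
            # Constructed pivot cache: this is where the source rows survive.
            zf.writestr(
                "xl/pivotCache/pivotCacheRecords1.xml",
                f'<pivotCacheRecords xmlns="{NS_MAIN}"><r><s v="PLACEHOLDER_ROW"/></r>'
                "</pivotCacheRecords>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, wb in (("risky", build_sample_workbook(True)),
                      ("clean", build_sample_workbook(False))):
        print(label, audit_xlsx(wb), "safe:", is_safe_to_publish(wb))
```

The check is deliberately conservative: a pivot cache is reported even when its source sheet is still visible, because the cache is what survives after someone deletes or hides the source rows. A release procedure that runs this over every spreadsheet before upload, and then copies only the visible values into a fresh workbook, gives staff the concrete standard the council's investigation found was missing.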
“Councils are trusted with sensitive personal information, and residents are right to expect it to be handled in a proper way.
Unfortunately, in this case that did not happen, and Islington Council must now explain to residents how it will stop these mistakes being repeated.”
The importance of training is even enshrined in the relevant data protection acts. Principle 7 of the UK Act calls for “robust policies and procedures” and “reliable, well-trained staff” that are “ready to respond to any breach of security swiftly and effectively.”
The need for “more effective and appropriate training” is reflected in too many judgements for an activity that is largely preventable. In the UK the ICO hands down harsher fines and punishments because of wilful neglect of best practice. Failing to train staff on the dangers of mishandling data is inviting trouble to your business’s door, and this is something every organisation could do without.
Michael Brophy is Founder and CEO of Certification Europe, which was founded in 2001 with headquarters in Dublin, Ireland. In 2012 Certification Europe Limited opened their London operation which, along with offices in Belfast, Turkey, Japan and Italy, forms a group of accredited certification bodies that provides ISO certification and inspection services to organisations globally.
Michael is a graduate of the University of Ulster and the Universidad de Zaragoza (Spain), with a Master in European Policy and Regulation at Lancaster University, and is one of Ireland’s leading authorities on standardisation. Michael has a wealth of experience in Information Security and Business Continuity Management Systems implementation for Government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
Michael has particular expertise in the field of electronic signatures; developing national legislation and national regulatory bodies to govern the use and legal basis for electronic signatures. He has previously advised on the establishment of standards at a national and international level, and he would be viewed as one of Ireland’s leading authorities on standardisation and has served on various EU Commission committees.
Certification Europe is the only Irish accredited certification body operating in the field of Business Continuity standards; it was the first accredited industry player in Ireland to offer Information Security and IT Service Management Systems assurance schemes, and it is a world leader in Energy Management System certification.
Michael is also Chair of the Association of Accredited Certification Bodies (AACB).
Other articles from Certification Europe include:
– Chasing Shadow IT
– Humans are the weakest part of your information security system
– A Chain Is Only As Strong As Its Weakest Link