So what do Moby Dick and data loss have in common?
Susan Daley: Friday, May 23rd, 2008 | 10:00 am
The answer is of course the importance of taking a holistic approach to information security that addresses the role of people, process and technology. Well, I got your attention at least! At the InfoSecurity Europe conference held recently in London, Symantec's Guy Bunker spoke to delegates about a new phenomenon in the online threat environment, "whaling", which should now explain the Moby Dick reference. This is a trend where people at the top of organisations, such as CEOs, are increasingly being targeted by online criminals. Gone are the days of discussing phishing or spear phishing; whaling is now the big thing, and you heard it first in London! Guy's comments were made in response to the launch at InfoSec of a joint UK government – industry bi-annual Information Security Breaches Survey Report published in association with Symantec. According to the survey report (http://www.pwc.co.uk/pdf/BERR_2008_Executive_summary.pdf), online fraud is costing the UK economy alone around £6 billion a year, with 96% of large companies (500+ employees) having suffered a security incident in the last year. The conference discussed the important role technology has to play in helping organisations remain secure, but also the need for companies to ensure that employees are trained to be aware of the risks and do not become the weakest link.
In light of the number of recent high-profile data losses that have occurred across all sectors in Europe, the challenge of responding to IT security breaches was another key issue discussed. Currently there is no specific legal requirement in Europe, as there is in many US states, for organisations to notify individuals if their data has been lost or stolen. However, it would appear that the tide may now be beginning to turn in this important area. Currently being discussed in Brussels is the European Commission proposal for the introduction of a data breach notification requirement for the telecoms sector. This is seen as an important move in the right direction to increase levels of data security. However, it is vital that any move towards data breach notification is carefully considered, to ensure that an appropriate and clearly defined legal framework and operational procedures are established which are workable and not burdensome on European companies or citizens.
Symantec has been calling for further clarification on the European Commission's initial proposal to address a number of concerns. As I write this, the European Parliament is preparing to consider amendments to the European Commission's proposal which would introduce wording to define which incidents count as a "breach" of data and how serious a breach would have to be to trigger a notification obligation, and would introduce a "safe harbour" provision under which organisations that have appropriate technological protections in place and can demonstrate that lost or stolen data remains unintelligible (for example because it is encrypted) would not be required to notify subscribers of a breach. This is seen as an important step forward because it protects the diligent companies, avoids over-notification and is in line with the data protection principle of proportionality. Symantec has welcomed these and other key amendments and is urging Members of the European Parliament to support the proposed changes, to enhance the level of security given to European citizens' personal information and to help raise awareness of, and reassurance about, how citizens' data is secured and protected.