Carphone Warehouse cops £400,000 fine as cyber-security regs are beefed up
via Flickr © morebyless (CC BY 2.0)
- Lax cyber-security no longer tolerated in the UK
- Companies told to improve their act... but how?
- A cybersecurity expert reveals all
Data leakage used to be viewed as unfortunate and embarrassing rather than naughty. Companies often kept the details of breaches from the public and the authorities ‘understood’ that this might be for the best (no copycats, no weakening of public trust in the retail financial system).
But boy do times change. Placing customer and employee data ‘at risk’ is now, quite rightly, a crime of the first magnitude and right on cue in the UK one of the high street mobile service and phone retailers, Carphone Warehouse, has just been fined £400,000.
The case relates back to a cyber-attack in 2015 which resulted in compromised customer data including names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. Carphone Warehouse employees weren’t spared either: their names, phone numbers, postcodes and car registration numbers were also accessed.
According to Information Commissioner Elizabeth Denham, “a company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring [that they] were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
The money doesn’t matter in the great scheme of things, but the reputational damage from a large fine and a telling off does. And things are about to get tougher on the security front. From 25 May the law is set to get more stringent as the General Data Protection Regulation (GDPR) comes into effect. So-called ‘Data protection by design’ is one of the requirements and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards, and policies that an organisation has or should have.
Companies and public bodies should ensure strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law.
The way ahead
So, with this example (and others before it), are companies finally getting the memo about IT security? And if they are, what can they do to ensure their security professionals are at the “top of their game”?
This is a difficult one, because it’s naturally hard to know how secure you are (or aren’t) until disaster strikes, and by then it’s too late. The only answer is to follow strict security procedures and to record and measure the company’s compliance against them.
How to talk 'security' to the board
Video: https://www.youtube.com/embed/3tamm5J1Qx4
Phil Cracknell, Cyber Security Specialist and Interim CISO
Telecom TV recently explored this exact issue with Phil Cracknell, Cyber Security Specialist and Interim CISO (Chief Information Security Officer). He says the one thing most dogging the industry’s chief information security officers (CISOs) is not having a robust way to prove performance: reporting to the board that “this month we didn’t have a major security breach” just doesn’t do the trick. Ideally, CISOs need a way to express key performance indicators (KPIs) and meaningful metrics that show how security is being improved (or not) month by month, if they are to be taken seriously at board level.
Phil explains all. Watch the video above.
Filmed at: IoT Build 2017, London UK