Getting an unexpected cost is never nice; it hurts. You kick yourself for not foreseeing it, or chastise those involved in the situation that allowed it to happen. If you were an organisation that was already under financial pressure, it just makes the entire situation worse. The Information Commissioner's Office (ICO) has recently fined a London NHS trust £180,000 for a data leak. Ouch, in every way. The sexual health clinic accidentally divulged the names and email addresses of 780 patients. From what I understand, the mechanics of the leak were simple: patients who had signed up for email notification of their test results and other information received an email newsletter with every recipient's name and email address exposed in the 'To' line. That's it. That was an expensive newsletter. The ICO found that there had been a serious breach of the Data Protection Act which was likely to cause great distress.
So essentially that email cost the NHS just a little over £230 per recipient! It would have been cheaper to have written to them, enclosing a lovely bottle of vintage champagne. This style of breach is so common; I've seen it personally many, many times. How many other organisations, if reported, could find themselves looking down the barrel of a heavy fine? This surely comes down to a lack of training and awareness that sending out an email newsletter to people and listing them all in the 'To' field is just a big no-no. According to the reports on this leak, the Chelsea and Westminster Hospital NHS Foundation Trust, which operates the clinic, has put into place "substantial remedial work".
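To make the point concrete, here is an added example (not code from the post or from the trust involved) showing the difference between the mistake described above and the safe way to address a bulk notification, plus a pre-send check that blocks any message whose visible To/Cc lines would reveal more than one recipient. The sender address is a constructed placeholder.

```python
"""Added example: build a bulk notification so recipient addresses never appear
in the visible headers, and refuse to send any message that would expose them."""
from email.message import EmailMessage
from email.utils import getaddresses
import smtplib

SENDER = "results@clinic.example"  # constructed placeholder, not a real address


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address a recipient would see in the To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields) if addr]


def exposes_recipient_list(msg: EmailMessage) -> bool:
    """True if delivering this message would reveal other recipients' addresses."""
    return len(visible_recipients(msg)) > 1


def build_exposed_newsletter(recipients: list[str], subject: str, body: str) -> EmailMessage:
    """The mistake in the post: every patient listed in the visible To line."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_newsletter(recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Safe form: To carries only our own address; real recipients go in Bcc,
    which smtplib.send_message strips before handing the message to the server."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_checked(msg: EmailMessage, smtp: smtplib.SMTP) -> bool:
    """Gate every outbound send: block the message rather than leak the list."""
    if exposes_recipient_list(msg):
        return False
    smtp.send_message(msg)
    return True
```

The check in send_checked is the control that matters: whatever tool builds the newsletter, nothing with more than one visible recipient should reach the mail server.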
This does go to show that data leaks and cyber breaches can occur no matter what type of business you are. Computer Business Review published a story this week with the title "Is your business a prime target for cyber criminals? Yes, but…", in which they went to great lengths to illustrate that pretty much all businesses are a target for cyber criminals of one form or another. As they point out, basic information such as name, address and date of birth can be "easily monetised", because out on the dark web there is a vast underground industry, invisible to most people, solely dedicated to buying and selling stolen data. The 'but' in the title was explained like this: while a business is going to automatically be on the receiving end of cyber-attacks, these will not necessarily be high-quality cyber-attacks. Cyber criminals have to work with the same rules as any other business. When their resources are limited, they will invest in cheap and simple attacks with a wide spread.
The BBC got talking a bit about cyber this week as they responded to the findings of the Cyber Security Breaches Survey and the government's Cyber Governance Health Check. The findings are that two-thirds of big UK businesses have been hit by a cyber attack in the past year. Digital Economy Minister Ed Vaizey said it was "absolutely crucial businesses are secure and can protect data", which is an obvious statement but hopefully one that will start to rally all businesses to take preventative action, as opposed to paying fines and then tightening up procedures and processes afterwards.
The survey also suggested seven out of 10 attacks could have been prevented, and added that only a fifth of businesses understand the dangers of sharing information with third parties. So if you were to take this particular national cyber health report to the Digital Doctor, what would their analysis be? Probably that we have recognised there is an issue here, but not enough is being done to get you into good shape! Let's just hope that if they do deliver that prognosis, they don't deliver it by email.
For links to all these stories and more, or to contribute some comments, join us by searching for the National Cyber Skills Centre on our social channels on Facebook, LinkedIn and Twitter, or just click the relevant links from our website.