So you find yourself at the blunt end of Donald Trump’s presidential campaign, after he states that to keep you all out of the USA he’s going to build a wall of such monumental proportions that the Great Wall of China will be comparable in stature to a small wall retaining the perimeter of a domestic patio. Being in Mexican high office at this time is probably not much fun on the world stage. If the proposed masonry madness of Mr Trump wasn’t enough, especially as the political knife-twisting footnote suggests that ‘you’ are expected to pay for it, then you’d be forgiven for wondering why lady luck has dealt you another knockout blow as you discover that the names, addresses, dates of birth and voter ID numbers of 87 million of your fellow residents have been made publicly accessible online.
Chris Vickery, a US security researcher, discovered that a massive database of Mexican voters was available online as he was scouring the web for unsecured databases. He told the BBC that “When I opened it up in my database viewer I saw names, obvious addresses and identifying numbers. I started Googling the addresses to see where they were. All the addresses turned out to be in Mexico. I thought, This is a Mexican voter database – it has to be.” Although he attempted to inform the necessary officials in Mexico to warn about this leak, he was unsuccessful – you have to assume they were locked in meetings about how to safely traverse brick-built boundaries – but when he mentioned it during a talk at the famous Harvard University, a Mexican citizen who was in the audience helped to authenticate his findings. This helpful individual assisted in gaining the attention of the Mexican Electoral Institute, who then started to take remedial action and had it removed from its newfound resting place on the servers of all-round internet commerce giant, Amazon.
Why is it so hard to report these incidents? And then why are we in a mode of such reactive resolutions? Cyber crime, cyber security, cyber risk, cyber fraud and a dozen or more cyber-prefixed terms are discussed almost continuously in newspapers, magazines, trade journals and in the marketing material of almost all major IT providers. The mantra of ‘do nothing’ until ‘something’ happens still appears to be the default setting of most. On its webpages, Information Week listed five actionable strategies on how to pivot this culture of reactivity into one of proactivity. This advice, like so much in cyber, came across as common sense, but common sense is often overlooked. Their five points were – 1. Maintain a business focus. 2. Don’t reinvent the wheel. 3. Understand costs. 4. Keep tabs on external relationships. 5. Remember that security intelligence goes beyond threats. It’s that final one that resonates the most with me. Security intelligence does go way beyond threats. Security intelligence is to treat security intelligently by developing a risk-averse culture; to question, to test, to be open about the current state of any form of computing implementation. Too many individuals are basically frightened to address issues due to fear of recrimination in one form or another. So it’s best to leave it until something happens, then the ‘blame’ can be apportioned elsewhere – towards the perpetrators – as opposed to towards those who have the responsibility of information assurance and good governance.
Of course, the more reactive approach can also be due to a lack of understanding of the true worth of any organisation’s digital assets, as was wonderfully displayed to me this week at ‘Blast Cyber Fast’, a cyber security seminar hosted by the local Chamber of Commerce. At the event one of the presenters explained how a company finds it easy to insure hardware, to see how much it costs and to determine its value for financial reporting, but finds digital assets a more challenging beast. The website ‘Business Review : Europe’ prepared and published a list of pointers to try to guide companies in how they can put a monetary value on their data. Their first pointer – take stock of all data – is simple yet highly valuable advice. Many organisations don’t know how much data they have and what’s contained within it. I have had personal experience of this when I was working on backup strategies in a former professional incarnation. Determining what you would most miss if it was gone usually sharpened the focus of what data had significant value and thus drove what level of backup and protection would be applied to it. All companies have a backup strategy, so perhaps that can be used as a start point to take stock of their data.
Regardless of what happens to the UK on June 23rd, the date of the EU referendum, organisations must still be prepared to implement the new EU General Data Protection Regulation (GDPR), as pointed out by the industry trade magazine Computing recently. They reported that the GDPR has been more than four years in the making, with the European Parliament only finally voting in favour last Thursday. The vote means that the GDPR should come into force during 2018, giving organisations just two years to adjust to the new rules governing data collection and processing. One of the measures of this new regulation is that when an organisation suffers a breach it can be subject to fines of up to four per cent of annual turnover or €20m, whichever is greater. If such a regulation had been in force in Mexico I wonder what the fine would have been? Probably enough to build an unwanted wall.
For links to all these stories and more, or to contribute with some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.