By Graham Stevens | Incident Response Consultant at Nettitude
GDPR has been with those of us in Europe since May 2018, and in that time, we have seen a number of eye-watering fines being issued by the Information Commissioner's Office (ICO) here in the UK. This has for the most part been for data breaches and general carelessness with personal data by numerous organisations. In fact between March 2019 and March 2020 the ICO took regulatory action 236 times, with 15 of these resulting in fines for businesses who were in breach of the data protection laws.
It is also evident that the monetary fines being issued by the ICO have increased in recent years, with the average fine for the last 12 months coming in at £252,600, more than tripling from the average fine of just over £73,500 in 2016/17. That’s around $96,600 for our readers across the pond. It is important to note that this does not take into account the multimillion-pound fines issued to both British Airways (£183m) and Marriott (£100m) which have been deferred until later in 2020.
Whilst these alarming fines should get your organisation thinking about what necessary measures you have in place, there’s no need to panic. As we always encourage with our clients, it’s not a case of if, but when, in which a good strategy and solid preparation can mean the difference between thousands or millions of pounds worth of damage. In the following post, we’ll discuss how you get your organisation in the best possible position for handling a data breach and what to do in the case that it happens.
Why promptly reporting a data breach to the ICO makes a difference.
Having reviewed the reports issued by the ICO, where a monetary fine has been issued, there is a believed correlation in how responsive the organisation is to a data breach and in reporting it to the ICO, to the size of the fine issued. For example, DSG Retail Limited (Currys PC World) experienced a security incident within the POS (point of sale) systems, where an attacker was able to remain for almost 9 months undetected whilst they obtained payment information. Whilst DSG failed to proactively detect the attack, they were able to “proactively notify the Commissioner of the attack and fully co-operated with the ICO and other relevant external agencies during the course of the investigation”. This was considered a mitigating feature of the case by the commissioner whilst calculating the monetary penalty to issue, £500,000.
This is a regular occurrence within many of the ICO’s reports, where proactive reporting to the Commissioner is taken into consideration when deliberating on the decision to impose a monetary penalty.
As part of the GDPR regulations, it is necessary to report a breach of personal data to the ICO within 72 hours of it being discovered by the organisation, “unless you can demonstrate that it is unlikely to result in a risk to the individuals’ rights and freedoms”. It is very important to understand that those 72 hours are working hours, but that the clock starts ticking as soon as you become aware of a breach.
It is not necessary to have every piece of information at hand when initially reporting data protection breaches, the ICO understand that incidents can be an evolving situation and will accept reports in instalments as and when further details are uncovered. It is however important that you provide as much detail as possible, and that you are as accurate as possible in your reporting.
Deputy Commissioner James Dipple-Johnstone advised in 2018 that “It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorised by the general counsel to tell us more than that! If you don’t assign adequate resources to managing the breach we may ask you why not.”
How do you report a GDPR data breach?
If you believe you have suffered a cyber-attack or related incident, you will need to report it to the ICO if there is a personal data breach. In the words of the ICO, “this means a breach of security leading to ‘the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’”.
As mentioned previously, you need to be prompt in your report to the ICO, as you are legally obliged to report a GDPR breach within 72 hours of becoming aware of it. Provide as much detail as you can, but note that it is possible to submit your report in instalments, updating it as the situation changes or evolves.
There are two ways to report a data breach to the ICO:
- Online at ico.org.uk
- Via the helpline on 0303 123 1113 (Mon – Fri; 09:00-17:00)
How the ICO handle the report will depend on the perceived severity, or may require further discussions to obtain further information.
Show the ICO you are taking security seriously
You only need to read one of the ICO enforcement reports, where a monetary penalty has been applied, to see that the Commissioner is not expecting businesses to buy the latest and greatest security tools, but instead wants to see businesses getting the basics right. As an example, the Commissioner directly calls out the following from the DSG report:
- Insufficient network segregation
- Lack of local firewalling on endpoints
- Inadequate patching of systems
- Vulnerability scanning not performed on a regular basis
- Poor or non-existent application whitelisting
- Ineffective logging and monitoring
- Poor management of Domain Administrator accounts
- Use of non-standard builds across the environment
By getting the basics right, your organisation is headed down the right path to ensure your environment is suitably hardened, but also allow you to be able to detect and respond to an incident in a timely manner.
There are plenty of ways to measure your security posture, but two key metrics that the ICO are likely to look to understand are MTTD and MTTR:
- Mean Time to Detect (MTTD) is how long, on average, it takes your organisation to discover or identify a threat or breach
- Mean Time to Respond (MTTR) is how long, on average, it takes your organisation to successfully eradicate or remediate the threat or breach
According to the Verizon Data Breach Investigations Report (DBIR) for 2020, over a quarter of all data breaches included in the report took a month or more to discover. An active adversary in your network for over a month will be able to find, identify, and potentially steal a lot of information, and likely have time to spare to be able to include an alternative entry point should their initial one be discovered.
How can you improve your MTTD and MTTR? Well visibility is key here – if you can’t see and understand what is happening on your network and endpoints, you are effectively blind to any suspicious or malicious behaviour that may be taking place. This is something the ICO are fully aware of, and have called out the need for logging and monitoring in numerous enforcement reports.
Let us help you
Nettitude’s SOC Monitor service provides 24/7 monitoring and proactive detection all year round. SOC Monitor utilises an industry-leading technology stack managed by a knowledgeable team of analysts who are informed by real-world attacks and threat intelligence who are ready to be deployed in your environment.
Find out more about SOC Monitor.