Hot dates and hot data
Reports that an extramarital dating site has been hacked recently may have given its customers more than the usual worry that accompanies news of cyber-crime.
Following on the heels of many other high-profile hacking cases, such as Sony in the United States, organisations are being forced to look ever more carefully at their information risk management regime, to make sure they value information as an asset and assess the processes that protect it with the same rigour as legal, regulatory, financial or operational risk.
In the case of the dating site Ashley Madison, which promotes itself with the strapline ‘Life is short, have an affair’, it has been reported that more than 2,500 customer records have been released to the public by the hackers, who claim to have stolen the site’s entire database, said to contain more than 33 million members in 46 countries. The company has faced a barrage of calls from customers concerned that their personal details and credit card information have been compromised.
And whilst the true picture for the internet daters continues to unfold, Ashley Madison’s problems are a reflection of a fast-growing area of crime, as more and more criminals exploit the speed, convenience and anonymity of the internet. The Metropolitan Police has recently announced it is boosting the size of its team to tackle cyber-crime, and the Government has issued guidance for companies in a bid to stem a range of criminal activities that know no borders, either physical or virtual.
For companies, the threat takes several forms: cyber-criminals may attack the functioning of computer hardware and software, commit financial crimes such as online fraud or the penetration of online financial services, or go ‘phishing’ for confidential information.
For company directors, the advice is to ensure the topic is at the top of the boardroom agenda.
As well as having to meet the requirements of the Data Protection Act and the Communications Act in the UK, companies face the forthcoming draft EU Data Protection Regulation and the proposed EU Cybersecurity Directive. There are also requirements under the Companies Act 2006 which place a duty on directors to keep themselves informed on relevant issues. Directors may be held to be negligent if they do not take appropriate professional or expert advice to tackle any identified threats.
The key components for business are to undertake a risk analysis, develop a cyber-security programme, set in place the right policies and take appropriate technological measures.
“Every business must ask itself what value there is in information they hold electronically; for example, it may be intellectual property, customer information or client funds. Then they need to consider where the risk lies; as well as outside criminals, the risk could come from current or previous employees or competitors,” explained commercial law expert Glyn Morrice-Evans of Gamlins Law in Rhyl.
“The response to that review should include a clear cyber-security strategy, with policies in place and staff well informed, backed up by a regular review and updating of technological practices.”
IT system reviews would range from how networks are monitored for attack and what firewalls and malware detection software are in place, through to how internal and external users are controlled and how access may be segregated or restricted.
“It can come down to the most simple things, such as who holds the passwords and making sure staff don’t open spam mail,” added Glyn. “Thorough education of staff, with regular updates, is essential. As well as demonstrating that the company takes the matter seriously, staff are often in the front line, and if they are well informed of the risks, and encouraged to take responsibility, they can be more effective gatekeepers.”