Cyber Security - A Cyber week in London Part II

Everything has relevance but not everyone sees it

A Cyber Week in London - PART II

International Security Expo 2018 evening reception, Terrace Pavilion, House of Commons, Westminster, London, UK. Photo Credit: International Security Expo 2018

By Jane Lo ASM Correspondent

“Data drives all we do”, the British data analytics firm Cambridge Analytica, at the centre of controversy in the United States and United Kingdom, announced on its website

UK ICO’s enforcement actions include fines against a law enforcement agency after an interview disk went missing, and against an individual health practitioner for unlawfully accessing a patient’s medical records without a valid legal reason.

The highest profile is undoubtedly the £400,000 fine against TalkTalk, close to the maximum fine of £500,000 the ICO is empowered to apply for contraventions of the Data Protection Act 1998. TalkTalk’s failure to properly protect customer data from a cyber attack resulted in a breach of the personal data of 156,959 customers, including names, addresses, dates of birth, and in many cases, bank account details and sort codes.

The ICO found that the attack could have been prevented if TalkTalk had taken basic steps, such as infrastructure scanning (which could have uncovered the vulnerable websites through which the attacker accessed a customer information database), patching outdated software (which could have fixed a bug that allowed the attacker to bypass access restrictions), and installing defences against SQL injection, the common hacking technique used to access the data.

“TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
- UK ICO’s Elizabeth Denham, 5th October 2016. TalkTalk Data Breach

“Cyber Security is a Board Room Issue”

“Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
-- UK ICO’s Elizabeth Denham, 5th October 2016, on issuing the largest fine, £400,000, to TalkTalk

“Integrity and Confidentiality”

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
- UK Data Protection Act 1998, Principle 7, applicable during the 2016 data breach incident of TalkTalk

The principle that deals with security under the UK Data Protection Act 1998 is also key in GDPR, which is enshrined in the UK Data Protection Act 2018. Referring to the integrity and confidentiality components of the classic “CIA” model (confidentiality, integrity, availability), GDPR stipulates that data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘Integrity and confidentiality’)”.
- GDPR Article 5, Para 1(f), Principles relating to processing of personal data

To secure personal data, explicit obligations for “appropriate technical and organizational measures” include, in a written data processing agreement, “pseudonymisation and encryption of data” and “ensuring the confidentiality, integrity, availability and resilience of processing systems and services”.

Many of these requirements are not new, but complying would necessitate a fresh review of the approach to security, and benchmarking against industry standards and best practices. A critical aspect is how governance and culture mitigate privacy hazards arising from internal policy weaknesses and external malicious threats.

Australian Security Magazine, Oct-Dec 2018  