The Information Security Vacuum

By Michael Gianarakis, Senior Security Consultant

Originally published:

Many penetration testers and information security consultants complain when a client just accepts the risk of an issue or doesn’t provide adequate support to the security team. I often hear “ the business doesn’t get security” and that “security risk is a business risk, they should pay more attention”.Unfortunately, what I don’t see is penetration testers and security consultants actively trying to understand business in order to truly understand, and more importantly, articulate the security risk. I’m not talking about “the business” of a client but rather business in general. In fact I often encounter disdain for the very notion of devoting any time or thought to understanding business and risk concepts. Continue reading

Data breach highlights security risks

Data breaches can have devastating consequences – and one recent incident overseas has illustrated the extent of the damage this type of negligence can cause.

A security breach at one UK health trust has highlighted the importance of keeping data protected – and underscored the risks that enterprises of all types can face when they fail to do so.

The UK Information Commissioner’s Office (ICO) reported this week that one publicly-funded healthcare organisation inadvertently leaked the details of 59 palliative care patients to an external source over a three-month period.

This sensitive information contained details about individuals that was intended for the St John’s Hospice and included information about their family life, medical treatment and instructions for resuscitation.

In March 2011, Central London Community Healthcare NHS Trust began faxing these details to the wrong recipient – with a total of 45 faxes sent over a three-month period.

In June last year, the recipient informed the healthcare provider that it had been receiving – and destroying – this sensitive data.

Checks carried out by the ICO revealed that there were insufficient measures in place to ensure that information was being correctly delivered to the right people, and as such, the healthcare body was fined a total of GBP90,000 (approximately $144,635) for the data breach.

Having the right security processes in place, according to the ICO’s head of enforcement, is essential – especially when it comes to protecting sensitive data such as medical records.

Stephen Eckersley said: “The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

While this incident occurred overseas, it serves as an important reminder of the consequences of data breaches – both from a financial standpoint as well as the damage to an organisation’s reputation.

Enterprises that deal with sensitive information – whether this is in the form of medical details, financial records or other personal information – may wish to have their security processes assessed through penetration testing.

This can help to expose vulnerabilities in your system before they are discovered by malicious parties, who can cause significant embarrassment, reputation damage and financial losses to your organisation.

If your business is also evaluating new technologies, you might want to arrange for a security due diligence assessment to be carried out. This can identify any compliance gaps and allow your decisionmakers to make an informed choice about how best to proceed.