The recent Staysure fine of £175,000 by the Information Commissioner (ICO) serves as a timely reminder to check that you have basic security hygiene in place. Whilst the breach itself occurred in October 2013, it was only recently in February 2015 that the ICO fined Staysure following an extensive investigation into the security breach which affected circa 100,000 customers. There were several key issues which contributed to the security breach:
Over-confidence in being PCI-DSS compliant
PCI-DSS (Payment Card Industry Data Security Standard) is a minimum standard of security compliance for firms that process card payments. PCI-DSS and other security certifications, whilst very important, are not a panacea to prevent security breaches and should not replace an active and regular risk-based security assessment to ensure that compliance is not just a ‘tick-box’ certification exercise.
Firms need to ensure that security is reviewed on a timely basis. Leaving it to external PCI-DSS qualified security assessors (who often only need to examine a tightly segmented part of your security practices) is a recipe for failure. This is an area where IT internal audit teams can get involved and add real value to the organisation.
Lack of basic IT health-checks
- The organisation had no policy or procedures in place to review and update IT security systems.
- Security risk assessments for potential new IT threats and risks were not embedded into the organisation. The company failed on two occasions to update database security software which could have prevented the breach. As a result, systems and data were vulnerable for over five years.
- Management had not checked to ensure that all sensitive data, such as customer names, addresses, medical information and financial data was properly secure and encrypted.
- CVV card data was stored and was not encrypted (in contravention of PCI-DSS rules).
- Stored encryption keys were not secure (therefore any encrypted data could be easily compromised by criminals).
- Data destruction policies were ineffective – where management had identified sensitive data to be deleted, the checks to ensure this was completed were ineffective.
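Several of the findings above (CVV retained, card numbers held in plaintext, key material stored alongside the data it protects, and deletions never verified) are things a routine automated health-check can catch. The following is an added illustration, not code from the Staysure investigation or from Moore Stephens: it runs a few such checks over a small constructed set of stored payment records. The record field names (`pan`, `cvv`, `key_id`, `key_material`) and the `enc:` prefix marking an encrypted value are assumptions made for the example.

```python
"""Toy stored-data health-check: flags the kinds of basic failings listed above.

Constructed sample data only; field names and the 'enc:' convention are assumptions.
"""

# Constructed sample of stored customer/payment records (illustrative only).
SAMPLE_RECORDS = [
    # Plaintext card number and a retained CVV: both PCI-DSS failings.
    {"id": 1, "name": "A. Customer", "pan": "4111111111111111", "cvv": "123",
     "key_id": None},
    # Encrypted card number, no CVV retained, key held elsewhere under a key id.
    {"id": 2, "name": "B. Customer", "pan": "enc:v1:9f3a", "cvv": None,
     "key_id": "kms-key-01"},
    # Encrypted, but the key material sits in the same record as the ciphertext.
    {"id": 3, "name": "C. Customer", "pan": "enc:v1:77b0", "cvv": None,
     "key_id": None, "key_material": "base64:QUJD"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn check used to recognise a plausible plaintext card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_plaintext_pan(value) -> bool:
    """True if the stored value is a bare 13-19 digit string passing Luhn."""
    return (isinstance(value, str) and value.isdigit()
            and 13 <= len(value) <= 19 and luhn_ok(value))


def check_record(rec: dict) -> list:
    """Return a list of finding codes for one stored record."""
    findings = []
    # Finding 1: CVV must never be retained after authorisation.
    if rec.get("cvv") is not None:
        findings.append("cvv-stored")
    # Finding 2: card number stored in the clear rather than encrypted.
    if looks_like_plaintext_pan(rec.get("pan")):
        findings.append("pan-plaintext")
    # Finding 3: encryption key kept next to the data it protects.
    if "key_material" in rec:
        findings.append("key-colocated")
    return findings


def health_check(records: list) -> dict:
    """Map each record id to its findings (empty list means clean)."""
    return {rec["id"]: check_record(rec) for rec in records}


def verify_deletion(records: list, marked_for_deletion: set) -> set:
    """Return ids that were marked for deletion but are still present.

    This is the follow-up check that was missing in the case described above:
    a deletion policy only works if someone confirms the data is actually gone.
    """
    return {rec["id"] for rec in records if rec["id"] in marked_for_deletion}


if __name__ == "__main__":
    for rec_id, findings in health_check(SAMPLE_RECORDS).items():
        print(rec_id, findings or "clean")
    print("still present after deletion run:", verify_deletion(SAMPLE_RECORDS, {1, 99}))
```

Run as a script it reports record 1 as storing a CVV and a plaintext card number, record 2 as clean, and record 3 as keeping its key material with the ciphertext; the deletion check then shows record 1 still present despite being marked for removal. In a real estate the same three checks would be pointed at the database export or table scan rather than an in-memory list.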
As with any security breach, the impact on an organisation can be significant – reputation and customer brand can be very costly to recover, as well as the personal impact of a major disruption on staff and management. Regulators also take an increasingly hard stance on security, and a highly intrusive regulator investigation is something to be avoided where possible.
How can Moore Stephens help?
Moore Stephens can perform an IT health-check on your organisation or provide a ‘deeper dive’ systems and data security audit if you have any key concerns in this complex area. If you would like to discuss this in more detail, please speak to Gavin Davey or your usual Moore Stephens contact.