Breaches and implausible deniability

Alex Horan, senior product manager, CORE Security
On Jan. 24, the UK Information Commissioner's Office (ICO) fined Sony Computer Entertainment Europe Limited £250,000 following a breach of the Data Protection Act.

The fine isn't really a significant amount of money for a company like Sony, but what is important is the logic behind the fine. Sony is being penalized not for failing to act on problems it knew about, but for its failure to identify the problems in the first place.

This decision is a clear indication that the concept of plausible deniability is dead, or at the very least dying. The days of refusing to look for possible IT and security threats with the potential to result in the loss of customer data are over. 

The argument that because the issues were unknown it was not possible for the business to fix them is no longer going to be accepted as an adequate defense. 

David Smith, deputy commissioner and director of data protection for the ICO, reportedly said, “There's no disguising that this is a business that should have known better.” To security practitioners, this is music to our ears. Putting your head in the sand and avoiding learning about the security weaknesses surrounding your IP or your customers' information won't stop attackers from looking for, finding and targeting those weaknesses. So claiming it is not your fault that they did is illogical and harmful to your customers.

What is the implication? Well Smith went on to say, “It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”

That means a company that can reasonably be expected to employ technical expertise should be performing regular risk assessments of its IT environment, both internal and external. The question then becomes: of what type of company would we have a reasonable expectation of technical expertise? Any company that derives some of its reputation or income from its online presence would seem like a candidate to me, as would any company that would cease to make money if its IT infrastructure went away.

It is in the best interest of customer data that a strong message be sent to organizations that the expectation is that they are to be continuously looking for security issues and developing remediation and compensating controls to reduce or eliminate risk. This would make organizations more secure (and I would argue is likely to make them more efficient), while improving protection of customer data.

But is this possible? Despite what the movies might have told us, running a modern vulnerability scanner is something a child (or an executive) could do. So I find it hard to believe any organization lacks the internal capability to do that. The critical point, though, is not that organizations are looking for vulnerabilities, though they should be, but that they are determining which of the vulnerabilities discovered represent business risk and should be remediated. Interestingly, this is easier for a small organization because of the smaller number of assets that need to be assessed.

In summary, this is one of those seemingly rare examples where a ruling reflects what we all know to be true. If something is common knowledge and you fail to even consider doing it, then you are at fault for not even trying, as much as someone else is at fault for trying and failing.
