2018 saw a number of large companies suffer from huge data breaches, but it’s so commonplace these days that every announcement seems to follow a standard process: we read about it in the press, mutter to ourselves ‘oh that’s bad’ and then we move on to read the next news story.
The companies involved also go through a standard process: they will most likely suffer a significant dip in their share price, a big dent in their reputation and then a sizeable PR bill as they try to recover their public image and smooth the waters.
This was the case for Marriott Hotels when, in November, they announced that half a billion customer records were compromised. This breach can be seen as completely inexcusable, demonstrating not only a lack of technical security, but also a complete absence of organisational security, too.
But with a breach this big, Marriott should also be worried that they could follow in Equifax’s footsteps and be subjected to a class action law suit.
In 2017 Equifax, the consumer credit reporting agency, suffered one of the most highly publicised and sensitive cyber security breaches in history, when personal information for around 145.5m individuals was exposed. The data related mostly to Americans, but Canadian and British consumers were exposed too.
The incident prompted over 240 individual class action lawsuits in the US and then a rare 50-State class action suit was served on the company. It is reported that Equifax has spent over $88m as a result of the breach and that their profits have fallen by $35m. Their CEO stepped down in the wake of the incident and then the company’s CIO and CSO retired a week after the announcement, too.
This fall from grace has been very publicly documented, but will it have any impact on other businesses? I doubt it. I am not aware of any great impact on Marriott’s cyber security efforts.
Think of data security as a line. At one end we have an encrypted hard drive, buried deep in concrete under a 100-storey building. It’s extremely secure but not at all usable. At the other end of the line is a computer in a public space, connected 24/7 to the internet with no password protection. This is very easily accessible, but incredibly insecure. Security policy is about finding the right point on that line between those two extremes. All organisations have to decide for themselves where the right balance is between usability and security for them.
Organisations should be asking themselves: ‘Could we do more to prevent a data breach?’ The answer will always be ‘Yes’, but then someone needs to evaluate whether the options are sensible, practical and affordable.
And there lies the rub. It could cost a company a sizeable chunk of cash to implement the necessary changes, but the alternative could be a lot worse. AIR Worldwide has estimated the breach will cost Marriott around $600m, so even if the cost of getting it right were as much as $20m, it would only be a drop in the ocean compared to the impact of a breach.
There are a lot of companies out there who will never learn from these examples. They are just sticking their heads in the sand and assuming that it will never happen to them, because in the words of Del Amitri: ‘And nothing ever happens, nothing happens at all - the needle returns to the start of the song and we all sing along like before…’
Thursday 27 February 2020
Thursday 6 February 2020
Simon on: The Cookie Monster
Pretty much every website in the world uses cookies, and a few months ago the ICO (Information Commissioner’s Office) published new guidance on their use, meaning that the majority of websites are now in violation. But have you seen any difference in the way that the websites you visit work? Have you actually changed your own website? I can safely predict that the vast majority of you haven’t, because a lot of major websites haven’t either. This is partly because a lot of people aren’t aware of the new guidance yet!
So, do you need to bother? Whilst we haven’t yet seen any fines for non-compliance, it’s worth knowing that the ICO and its European equivalents have been busy of late: they have grown bigger teeth and are working proactively rather than just reacting to reported data breaches. The German internet provider 1&1 was fined around £8 million for inadequate identity checks on customers, and in October a German regulator fined a property company a larger €14.5m for holding on to people’s personal data for longer than was necessary. Here in the UK, between July and September 2019 the ICO issued fines to 340 companies for failing to pay the mandatory data protection fee that all organisations processing personal information are required to pay.
With this new vigour in mind, let’s explore how most websites are in violation of the ICO’s latest guidance, and what you need to do about it:
To explain: a cookie is a small piece of data that a website places on your device, either to make the website work (known as essential cookies) or to report back information about how the visitor uses the site (the non-essential cookies). Most of us are aware of the ‘this website uses cookies’ banner that appears, and we all merrily click ‘yes’ because we just want to read the page; digging into the options and ticking boxes is simply too time consuming and provides no discernible benefit.
The latest ICO guidance says that opt-in consent must be given explicitly BEFORE non-essential cookies are placed, but the vast majority of websites actually place both the non-essential and the essential cookies on the user’s device as soon as they visit the page, alongside a cookie message “asking” for consent. For a website to be compliant, the cookie banner should now tell you that the site is placing the essential cookies and then ask you to specifically choose whether to accept the non-essential cookies (the ones that feed Google Analytics etc.).
Strictly speaking (according to PECR, the Privacy and Electronic Communications Regulations) the reason this has changed is all to do with permission and ownership. Setting non-essential cookies means the website is storing information on, and reading it back from, the end user’s device, so permission needs to be granted by the user; it can’t just be taken. These non-essential cookies offer no real benefit to the user, but most people are nice (or lazy) and often choose to accept them anyway, which is good for us.
The often used ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard either, because the cookies have already been placed. This is the IT equivalent of asking for forgiveness rather than permission!
In one corner we have the ICO, and in the other we have the marketers, who will want to ensure that their websites are still using analytics in order to measure audience engagement and to enable targeted remarketing to provide better revenue streams. So how do we comply with the ICO guidance? I talked to the ICO and they were pretty vague and non-committal, but they didn’t shoot down my suggestion, which is that every website now needs a very prominent cookie permission box with two options: option one would be ‘accept all cookies’, and option two should be ‘accept only essential cookies’. The first option could be in a bright colour whilst the second is grey, to help steer the consumer to the option that you’d like them to take; as long as the options are clearly laid out, then you will be ok. This box also needs to block your website and shouldn’t be able to be bypassed by visiting another page on the site.
Only AFTER the user has clicked to allow non-essential cookies can you place those cookies on their machine.
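As an added example (not the page’s own code, and not anything the ICO publishes), here is the gate described above expressed in JavaScript, together with a check you can run against the very first response a fresh visitor receives to see whether any non-essential cookies were dropped before consent. The essential cookie names, the Set-Cookie lines and the analytics loader are constructed for illustration; in a real site the banner’s two buttons would call acceptAll() or essentialOnly(), and the real analytics snippet would be registered with whenAccepted() so that it only ever runs after opt-in.

```javascript
// Added example: a minimal consent gate plus a pre-consent audit check.
// Not the page's own code; cookie names and Set-Cookie lines are constructed.

// Cookies the site needs to function (constructed list; a real site would
// enumerate its own session / CSRF / load-balancer cookies here).
const ESSENTIAL_COOKIES = new Set(['sessionid', 'csrftoken']);

// Extract the cookie name from a Set-Cookie header value
// ("name=value; Path=/; ...").
function cookieName(setCookieLine) {
  const firstPair = setCookieLine.split(';', 1)[0];
  const eq = firstPair.indexOf('=');
  return (eq === -1 ? firstPair : firstPair.slice(0, eq)).trim();
}

// Audit the first response a visitor with no consent cookie gets back.
// Returns the names of cookies that were set although they are not
// essential: each one is a cookie that needed opt-in consent first.
function auditPreConsentResponse(setCookieLines, essential = ESSENTIAL_COOKIES) {
  return setCookieLines.map(cookieName).filter((name) => !essential.has(name));
}

// Consent state machine: 'undecided' -> 'all' | 'essential'.
class ConsentGate {
  constructor(essential = ESSENTIAL_COOKIES) {
    this.essential = essential;
    this.state = 'undecided';
    this.deferred = []; // loaders (e.g. analytics) waiting for 'all'
  }

  // Essential cookies may always be set; anything else only after 'all'.
  allowed(name) {
    return this.essential.has(name) || this.state === 'all';
  }

  // Register code that drops non-essential cookies. It runs only once,
  // and only if, the user accepts all cookies.
  whenAccepted(loader) {
    if (this.state === 'all') loader();
    else if (this.state === 'undecided') this.deferred.push(loader);
  }

  acceptAll() {
    this.state = 'all';
    const pending = this.deferred.splice(0);
    pending.forEach((fn) => fn());
  }

  essentialOnly() {
    this.state = 'essential';
    this.deferred.length = 0; // deferred loaders are dropped, never run
  }
}

// Worked run over constructed Set-Cookie lines from a hypothetical first visit.
function demo() {
  const firstVisit = [
    'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
    '_ga=GA1.2.1234.5678; Path=/; Max-Age=63072000', // Google Analytics
    'csrftoken=xyz; Path=/; Secure; SameSite=Strict',
  ];
  const violations = auditPreConsentResponse(firstVisit); // ['_ga']

  const gate = new ConsentGate();
  const loaded = [];
  gate.whenAccepted(() => loaded.push('analytics'));
  const beforeDecision = {
    ga: gate.allowed('_ga'),          // false: no consent yet
    session: gate.allowed('sessionid'), // true: essential
    loaded: loaded.length,            // 0: analytics not loaded
  };
  gate.acceptAll(); // the user clicked 'accept all cookies'
  const afterAccept = { ga: gate.allowed('_ga'), loaded: loaded.length };
  return { violations, beforeDecision, afterAccept };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit half is the quickest way to find out whether your own site is one of the “vast majority”: fetch the home page with no cookies, collect the Set-Cookie headers, and feed them to auditPreConsentResponse() with your real list of essential cookie names. Note that cookies set by embedded third-party scripts after page load are not in the server response, so the gate half is what actually stops those.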
I’ll be keeping an eye on how the ICO takes it from here, and whether it builds on the proactivity already demonstrated in 2019. Given that we’re now at the mercy of both ICO enforcement and potential class actions, we all need to consider our decisions very carefully.
Sunday 2 February 2020
Simon on: Analyse This
Google Analytics (GA) was launched in 2005 and over the past 15 years has become the most widely used analytics service on the web, but the introduction of the ICO’s new guidance on cookies may signal that it is time for companies to review how they use it. I do wonder how much of the data that GA creates is actually useful and actionable. Does the information really influence business or marketing decisions? Or does the majority just confirm what you already knew about your audience, or simply provoke a ‘that’s interesting’ reaction?
The traditional event cycle means that most websites are pretty quiet for six months of the year and then there’s a frantic marketing push pre-event. If you have thrown all of your marketing at an event (like many organisers do) then how can GA tell you which techniques have had an impact?
Another thing to consider is that Google Analytics is free for a reason: the data it collects feeds the massive Google machine, and does so for their benefit, not yours. You’d be rather naive to think that they’d give a powerful, world-class analytical platform to us free of charge purely for our benefit.
Perhaps a return to simpler, log-based analytics would mean less data, but more useful and usable data?