CS Nov-Dec 2020
health monitoring within the company itself does not make it any less harmful. All organisations must ensure they employ systems and procedures to identify and prevent potential vulnerabilities being exposed, including staff training."
LITMUS TEST

"These past few months have been unprecedented in lots of ways, with many new working practices thrust upon businesses that were generally unprepared for such sudden changes," says Steve Jackson, sales director at Clinical DPO, one of the largest outsourced data protection officer suppliers in the healthcare sector. "With a very challenging economic environment ahead of us, many are saying this is the litmus test for data protection."

Will it be viewed as too difficult and too restrictive in the fluid 'new normal' business environment, does he think? "Not necessarily. With many businesses now capturing clinical data about their staff and their customers, in order to protect both from COVID-19, CDPO has received many calls from clients now seeing the importance of data usage in a first-hand way and, with that, a new appreciation of the risk to data posed by many of these new working practices."
GDPR COMPLEXITIES

So, why has it taken such a dramatic event for organisations to reassess their own attitude to data and their own risk regarding potential brand and financial exposure?

"The answer lies in a cursory review of the two years plus since the introduction of GDPR," states Jackson. "This new legislation brought a wave of products encouraging businesses to buy a flat-packed, tick-box data protection compliance solution, and today we are still told by organisations that they have 'completed their GDPR', not appreciating that GDPR is not a one-time project but, much like financial accounting requirements or HR, data protection must be integrated into the organisation, so it becomes part of the company DNA and embedded into 'business as usual'."

How exactly can this be achieved? "GDPR introduced a mandated approach to the appointment of a DPO for organisations processing large-scale health data," according to Jackson. "A glance at the ICO's public register, however, indicates that many organisations, both large and small, are still to appoint a DPO. The single greatest reason that we see for this lack of appetite for change is the lack of time that business allocates to effect this change."

Many data protection issues are not simply data problems, he adds: they often arise from an organisation's governance and culture, as well as operational decision-making, "whether it be understanding the need, implementing the correct resource or service, or, as we have seen on many occasions as an outsourced DPO service, taking the time to implement the processes and support being provided by the DPO".

There are no silver bullet solutions, Jackson concludes. "However, embedding data protection by design is better in the long run, but a business must engage to effect this change. Until this is accepted and understood, data protection will only remain on the periphery of a business."
INADEQUATE TESTING?

The root cause of the Babylon Health breach has never been fully disclosed, but it may be attributable to inadequate testing of the new feature before moving it into a production environment, suggests Rob Treacey, MD and co-head of Xcina Consulting and Shearwater Group DPO. "Although it seems that Babylon Health has tried to downplay the significance of the exposure and remediated it in a timely manner, such breaches can have an adverse impact on an organisation."

It remains to be seen whether Babylon Health will experience any longer-lasting reputational damage or whether it will be able to fully recover from such a breach, he adds. "However, one thing is for certain: users will be more cautious about using the App in future or may simply refuse to use it altogether, especially if they have an alternative."
CONFIDENCE AND TRUST

As Treacey points out, end users need to have absolute confidence and complete trust in an organisation's ability to safeguard their personal data, especially where that involves sensitive personal data.

"As a risk management consultancy that performs regular reviews and audits of our clients, we see such process and control weaknesses within the software development lifecycle as not uncommon." These are normally the result of:

- Failure to adequately test and sign off software updates or upgrades before release into a production environment
- Lack of oversight by organisations that outsource their software development to third parties
- Lack of awareness by developers and testers around the latest software security risks and vulnerabilities, such as injection, security misconfigurations, sensitive data exposure and authentication
- Software design or architecture that is inadequate
- Cutting corners, due to the pressure to release software updates or upgrades against tight deadlines.

"Any organisation that experiences a data breach, due to a software weakness or any related software processes and controls," he says, "is merely putting itself in the shop window for a future cyber-attack, not to mention any subsequent fine from a supervisory authority. Some organisations may be able to minimise their reputation damage or loss of users, but others may be less fortunate."
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2020 computing security 9