It was announced yesterday that the personal details of staff and students at the University of York had been compromised, and that a ransom had been paid to hackers, but that the University had no knowledge of it. The breach, which happened back in May, was the result of a cyberattack, but the University didn't know until the 16 July. How could that happen and could your business be similarly at risk?
When we think of data security, we commonly think of our own systems; those which are used internally to manage and store data within the business. This could be an email system, a CRM system, or an accounting system for example, and each will vary in sophistication, complexity, and the type and value of data that it stores. All businesses should have good quality data management systems, be complying with GDPR and data management legislation, and have both an active cybersecurity management process and risk assessment in place. What many businesses fail to consider however is what happens outside of these measures when data is managed or stored on a third-party application or in the cloud for example. This is something that we commonly see omitted from the risk assessment carried out, and it is here that your data could be at significantly higher risk. The problem is that you know your own system and its potential flaws, but can you say the same about a third party's systems?
This was exactly the problem for the University of York, whose data is managed by an American company Blackbaud. Blackbaud confirmed that a cybercriminal was able to remove a subset of data belonging to clients including the University. The problem is the breach happened back in May and a ransom was paid by Blackbaud, but the University wasn't advised of the breach until the middle of July. Officials at the University have notified the Information Commissioner's Office (ICO) about the breach and are currently awaiting guidance, meanwhile a University official commented [we are] "working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security. We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response. The third-party supplier, Blackbaud, has confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible." A spokesperson for the ICO said "People have the right to expect that organisations will handle their personal information securely and responsibly. The University of York has reported an incident to us and we will be making inquiries."
Details that were stolen include names, gender, dates of birth, addresses, and contact details along with phone numbers and email addresses. The hackers also had access to professional details of staff and students, including who they now work for.
This incident serves as an important reminder that our cybersecurity protocols must be as robust as possible and that we should ensure third party vulnerabilities are identified and mitigated as well. Obviously, there is a lot that must go into a cybersecurity risk assessment, and it may well be time to review and update the assessment of third party providers in yours, but here's a brief recap of the minimum you should be doing:
- Audit your data: take the time to document what data you are collecting in every aspect of your business; where you are storing that data primarily as well as any platforms which may store a portion of the data temporarily or permanently e.g. email marketing software for example; how that data is protected and documented; and how long the data is and should be stored for. You may well have completed this step as part of your GDPR compliance for which it is also needed.
- Identify and document threats: you need to identify both 'adversarial' threats (threats which are created or exploited by third party attackers) and 'non-adversarial' threats (threats created internally through staff negligence or mistakes for example, but which ultimately create a threat to the organisation). This step is not about quantifying the likelihood that something happens (that comes later), but about identifying what could happen in certain circumstances.
- Assess the threats: there are several tools and models available to help you assess the threats that you have identified, but ultimately what you need to evaluate is the capability, intention, targetting, and perceived likelihood that this threat will come to fruition. For example, a nation-state could be listed as a potential threat, but how likely are they to take an interest in your specific organisation? What about an employee's mistake? It's all about taking the list of what could happen and evaluating what is most and least likely to happen for your organisation. As a pro-tip, this is not your personal opinion; you need to make attempts to specifically quantify the risk if you can, looking at similar incidents, competitor incidents, industry incidents, and wider global incidents to make your assessment.
- Assess the potential impact: there is a scale of severity for incidents and their results; for example, an employee mistake could leave data vulnerable, but if that data is not breached before the vulnerability is identified then the impact is relatively low. If however the database is compromised in a hack, then the potential impact could be huge, financially, ethically, and reputationally, not to mention the loss of data itself.
- Identify and quantify threat 'events': once you have identified who could potentially attack your organisation, intentionally or otherwise, and how bad those attacks could be, you are then going to need to list every single potential scenario in which these breaches can happen. This could be a direct attack, exploitation of the potential vulnerability, a software glitch, or a mistake for example. Your assessment should include a list of the threats as well as a description of the scenario in which they could occur, the likelihood that the threat will occur, and the vulnerabilities that make them possible. You're looking to include as much data as possible about the risks and their probability.
- Rank the risks and identify mitigations: based on the potential impact, the likelihood and the risk to the organisation, rank the threats so that you have a priority order in which to deal with them, and then set about identifying potential mitigations. As before, this is not about your personal opinion, but should evaluate rankings based both on the severity of the potential incident and the likelihood that they happen. It is impossible to eliminate every risk your systems face - and your cybersecurity insurance will not expect you to - but you must be able to demonstrate that you have done everything in your power to minimise your risk. This could be anything from systems testing to software or hardware upgrades, the introduction of new protocols and procedures through to staff training, but the important thing is to identify what will help and why, and then to implement these strategies.
Have you considered your third party vulnerabilities and are your strategy and risk assessment up to date?