Head of Sales and Marketing at Union Street Technologies, Vincent Disneur, takes an in-depth look at telecom billing data security, where we are now and what the future holds.
1. Is it now a case of ‘when’ not ‘if’ when it comes to security breaches?
As with everything, there’s an element of Murphy’s law involved in all things related to data security, but I don’t believe security breaches should be seen as inevitable. By implementing robust security frameworks that are based on assured, repeatable processes, there is much a company can do to mitigate its risk.
Following independent audits of our information security management systems (ISMS), Union Street has been certified by the British Standards Institution (BSI) for the internationally recognised ISO/IEC 27001 standard in Information Security Management since 2016. Qualifying required us to make some big investments in our security and hardware infrastructure. This included the deployment of new firewalls, improved antivirus and security software, and building a completely new cloud environment to host our solutions. We also appointed a dedicated Standards and Security Officer to continually assess our security processes, to ensure they are followed correctly and to make certain that our organisation operates to the highest standards for data security.
Based on this experience, I can say that maintaining information security is certainly challenging, but by no means impossible.
Of course, in order to mitigate risk, one first needs to understand where that risk comes from. Although high-profile cyber-attacks are what tend to make the headlines, human error is usually the cause of data breaches. This was borne out in a report published in September 2018 by leading risk solutions provider Kroll. Based on the preceding 24 months of data obtained from the Information Commissioner’s Office (ICO), the organisation responsible for monitoring and fining data breaches, the report revealed that just twelve percent of UK data breaches occurred due to malicious attacks. The remaining 88 percent were all the result of human error.
The lesson here is clear: although it’s vital to take precautions against external threats, the importance of comprehensive and ongoing training for any personnel with access to sensitive data cannot be overstated. It’s also important to look beyond your own organisation. If you work with suppliers that need access to your customers’ data, you must be satisfied that their information security framework is every bit as stringent as your own.
No matter how robust you may think your security framework is, you can never afford to become complacent. Nothing’s ever 100 percent perfect when it comes to data security and there’s always room for improvement. Continually reviewing processes and procedures and identifying risk is the key to reducing the probability of a serious data breach occurring.
2. What have we learned since GDPR regulations came in nearly a year ago?
GDPR has certainly woken the business community up to the importance of data security. In August 2018, the ICO released its annual report which showed a massive jump in voluntarily reported breaches from 2,565 in 2016-17 to 3,311 in 2017-18. This 29 percent increase can likely be attributed to a growing awareness of what constitutes a breach.
At Union Street we’ve certainly noticed a huge increase in the number of requests for information on our ISMS and, post-GDPR, we’re frequently asked for information on how we process customer data. We’ve also noticed that communication providers (CPs) of all shapes and sizes now seem to have dedicated information security personnel, whereas before that was a rarity outside of the very largest CPs.
Ultimately, increased awareness can only be a good thing. Perhaps the most important lesson that the business community has learned through its efforts to comply with GDPR is to view unnecessary sensitive data as a liability. Any potentially sensitive data that is held must be identified, continually reviewed and, if it’s not absolutely required, it should not be stored.
3. Prevention or mitigation? Are both approaches needed to tackle this problem? Are we seeing other types of solutions in the market?
When it comes to prevention or mitigation, I don’t think these need to be viewed as mutually exclusive choices. Removing a risk altogether is certainly preferable to simply reducing it; after all, if a risk doesn’t have to be taken, why take it? One thing a business should never do is to transmit personal data unless it’s absolutely essential.
For example, our aBILLity billing platform comes with an optional white-labelled billing portal which end-user customers can use to view their billing data. Not only does this empower customers by giving them greater reporting and visibility, it also means the CP does not need to send this data via email or letter, removing the risk of this data falling into the wrong hands.
As for mitigation, given that the highest probability for a data breach resides in human error, it’s advisable to automate as much as possible. All data and processes for managing data must be regularly audited, especially when it comes to any activities related to the transmission or sharing of data.
4. What can we expect out of the next 12 months in data security?
The prediction is that the increasing prevalence of ransomware is sure to continue. Anecdotally, it seems that this is already the most frequent type of cyber-attack to affect CPs. The potentially huge fines introduced by GDPR make companies that hold sensitive personal data a huge target. It’s very likely that we will begin to see more advanced types of ransomware that are specifically designed to commandeer personal data.
Data controllers need to take appropriate precautions and to have adequate cyber security in accordance with whatever risk policies they might have. When it comes to selecting partners that offer cyber security services, it’s important to do your homework. You need to be confident that your cyber security firm does not over-promise and then under-deliver.
Check your suppliers’ credentials carefully. Look at how long they have been trading. What is their own information security record like? What qualifications do they hold? Any company that has gained certification for the ISO/IEC 27001 Information Security Management standard is sure to have been audited extensively, so this is a fairly reliable benchmark of quality in this crucial area.