Earlier this year, Vertical Structure made global news by announcing a security breach they’d detected with a Lenovo external data storage device. Due to a serious flaw in the Lenovo devices, researchers at Vertical Structure were able to openly access vast amounts of sensitive data from businesses around the world, who would have been completely unaware that their data storage devices were open to the internet.
Since that time, Lenovo has published a security patch and encouraged any business using the device to update it.
But what does this incident tell us about how SMEs are to protect themselves? We are living in an age where breaches of GDPR and data protection legislation are being actively prosecuted by the government. SMEs are no less culpable for data breaches, even though their cyber security budgets may be far smaller than large companies.
RELATED: Belfast-based Vertical Structure unearths serious Lenovo NAS vulnerability
Simon Whittaker of Vertical Structure had a chat with Barrister Orlagh Kelly from Briefed, the GDPR compliance specialists, about this.
Simon Whittaker:
“It’s scary to think about how we found 36TB of unsecured data. This data included sensitive information including financial details.”
Orlagh Kelly:
“In this case, it was a cost-effective device advised to SMEs to store backups, probably on the advice of an IT consultant. Many business owners wouldn’t understand what the devices are for, how they are used, or maybe even what brand their devices are. This makes it unlikely the patch was downloaded by a high percentage of device owners.”
Simon:
“Not knowing is definitely not an excuse.”
Orlagh:
“Both of the headline-grabbing GDPR announcements issued by the government – the intention to fine BA £183 million, and Marriot £99 million– were the result of cyber crimes. These types of data breaches are very much on the radar of the Information Commissioner. Unfortunately, to the Commissioner, it’s almost completely irrelevant that you’ve been the victim of a crime, rather it just means you were underprotected. And that is a big liability for a business. You can refer to my article about this; it isn’t enough to just fix things after a breach.”
Simon:
“We know from speaking to our customers that most SMEs will not be reading cyber security articles – they should therefore be having some kind of analysis of their protection levels.”
Orlagh:
“If they’ve been using the device and they don’t know about the patch, and then there’s a data breach with information they hold, which could be anything – medical information, personal data such as sexual orientation, highly confidential information – it’s a huge risk.”
Simon:
“It leaves many businesses with questions about whether they are doing enough for GDPR compliance.”
Orlagh:
“In the case of Marriott’s data breach, they had acquired a different business and they hadn’t done due diligence on the levels of security. This is a common fall down.”
Simon:
“It seemed like the liability was clear in that case, as with BA. But with the Lenovo devices, Lenovo themselves haven’t had a data breach, but their customers had – this is where the question of liability becomes quite an interesting one.”
Orlagh:
“Lenovo provided the device as a service – there’s not a secondary way for them to be potentially liable. Customers aren’t legally required to register their device with the manufacturer so Lenovo wouldn’t even know many businesses had it.”
Simon:
“What do you see as being the biggest challenges?”
Orlagh:
“Really it poses the question of what are SME owners supposed to do? How do they trust devices that they buy? The ICO really doesn’t care how they obtain trustworthy storage – but a small business needs disaster recovery. There is a limit as to how much SMEs are expected to spend on security. Twenty years ago, a small business wouldn’t have to spend on security, but they might have had capital expenditure on servers. The trend is now towards serverless computing, with data held in the cloud.”
Simon:
“The reality is that cloud providers only offer security to an extent. We’ve developed a cloud infrastructure testing service to help companies understand what level of security protections they are getting in the cloud.”
Affected by these issues? You’re encouraged to continue the conversation with Simon Whittaker or Orlagh Kelly.