Advent IM Director, Julia McCarron has turned her eye to the M&S security breach…
Well as our Marcomms Manager, Ellie superbly put it, “This isn’t just poor security, this is M&S poor security”.
The brand synonymous with quality has let the side down following what it claims was an internal system glitch that caused M&S online account users a bit of a surprise. They logged on only to find their account wasn’t theirs.
Following a number of complaints, M&S were quick to take the site off-line and the problem was resolved in 2 ½ hours, but not before 800 people’s personal details including names, dates of birth, contact details and previous order histories were exposed. Thankfully, financial details do not seem to have been breached.
So M&S can expect a knock on the door from the ICO. Commenting on the incident, Phil Barnett, VP Global at Good Technology of M&S, said that many companies are flying blind when it comes to security, because they don’t think it affects them. In this day and age, when cyber security incidents seem to happen every 5 minutes, companies are becoming more aware of the risks and need for good, security controls and practices. I would sincerely hope that companies such as M&S would be acutely aware of the perils. As Mr Barnett points out, “Data is a company’s biggest asset, and as mobility becomes more ingrained across every enterprise, security must become a higher priority”.
So I guess M&S need to ask themselves why this happened? I cannot comment specifically as to the root cause of this particular incident, but often what can be the reason is that ICT systems change management process are either not in existence, not robust enough and/or do not consider the ramifications to security when updates, upgrades, code changes etc… are made. Security must be a key consideration and testing should be carried out before the change is made live, especially on personal data critical systems such as these. In addition, regular penetration testing both external and internal to the system is a must, especially when a major system change is made. Today’s technical vulnerabilities are evolving hourly but these simple actions can be the difference between being a successful big brand today and share prices falling through the floor tomorrow #talktalk #justsaying.
However, I will concede that smaller businesses often don’t see security as a priority. They see it as a business disabler and costly. If there has been no incident to date why worry about? These companies are doing business on luck. The luck of the draw. But luck runs out for us all at some point. Good security is a must for each and every company, be it a self-employed nanny or a multi-national conglomerate. It doesn’t have to be expensive and can in fact give you the edge when dealing with clients or bidding for projects. Who wouldn’t choose the company they know will handle their data securely over the company that does nothing? Often no-cost processes and procedures can mitigate risk simply and quickly, particularly with data handling. We also have the Cyber Essentials certification, which is aimed at small businesses and is a set of technical controls companies can be measured against to ensure they are implementing a baseline level of technical security.
Whatever happens, in a week where security breaches have literally been big business, you need to think carefully about what your company is doing (or not doing) to protect its biggest asset. This isn’t just good security advice, this is Advent security advice.