3 Lessons from July’s Swedish Data Breach “Disaster”

"People are People" and Other Things We Learned

“Disaster.”

It’s a not a term any of us throw around lightly, but when it comes to third party data breaches like the one admitted to by Swedish prime minister Stefan Lofven yesterday, it’s hard to completely fault his choice of words.

According to reports by the BBC and others, the major leak was created by one of the Swedish government’s own internal departments as part of an IT outsourcing program 2 years ago.

The department in question, the Transport Agency, was investigated for bringing in contractors without proper security clearances to handle classified information. The official in charge of the outsourcing also actively “decided to abstain” from legislation such as the National Security Act, the Personal Data Act and the Publicity and Privacy Act while going through the outsourcing process.

Accounts report that the exposed data potentially includes confidential details about military personnel, defense plans, witness protection details and other sensitive information, visible to government workers without security clearance while data was being transferred to the IT outsourcing company.

While the final extent of the exposure isn’t clear yet, the breach certainly was a wakeup call for the government, the officials involved – and the future data policies.

Connecting the Dots to Third Party Risk

That’s all interesting, but how is a government data breach relevant to you as a financial risk management or corporate compliance professional? You’re probably not running for office, nor blithely decided to “abstain” from privacy rules. We’ve never heard of a customer doing that.

On the contrary, the risk and compliance professionals we work with do their utmost every day to stay current with and follow legislation, as well as build defenses against information security threats.

But staying current and secure in a constantly shifting world can be complicated and tiring — to say the least. Managing risk can be an extraordinary competitive advantage – who accomplished anything worth anything without taking well-managed risks?

But it also can be, in a word, hard. And, if not handled well, it can lead to, well… disaster.

So here are a few quick lessons we took away from the Swedish data debacle – and how you can free yourself instead to focus on the upside of risk.

1. People are people.

Remember the Depeche Mode song? “People are people…” You can install all the compliance technology, software and data you like, but ultimately, your risk comes down to the people you deal with – in this case, third parties as well as the people managing the risk internally.

Here, contractors without security clearances put sensitive data at risk. The official elected not to vet the third parties before giving them access to classified data. Human error all over the place.

“That would never happen to me,” you might protest!

Actually, if you don’t have a process to vet ALL of your third parties, partners and suppliers, it very well might.

True, you might not skip checking contractors you consider “risky.” Or you might choose to give a pass to your trusted suppliers, because you feel they’ve proven themselves in the past.

Or you might elect to save time by only focusing your information security and third party risk assessments on larger companies.

None of these is effective.

Bottom Line: None of us knows where information security or other risk will come from. The best practice is to take a risk-based approach and segment all of your suppliers, partners and other third parties by risk level – even ones you consider trusted, like your legal advisors — then vet them accordingly in an objective fashion.

Third party risk, including information security risk assessment, isn’t personal. You can trust your partners – but check them out, too. Not all will need the same level of vetting, but start with a risk segmentation – and then assess as needed.

2. Bad news does not improve with age.

The Swedish data breach happened almost two years before it was revealed. By the time it was made public, the public was outraged.

Are we suggesting you’d hide a breach? Of course not.

But it might be some time before you discover a data breach, or other risk incident. And the longer it goes on, the worse potential damage and fallout.

Monitoring all your accounts – customers and third parties — for ongoing changes to security profile changes, adverse media, financial health changes – is recommended for any best practice risk management, compliance or information security program. Early detection enables quicker containment, disclosure and lower potential for reputational damage.

Ultimately, the fines paid in the Swedish breach were paltry… less than $10,000. But the reputational damage is potentially enormous. In the Swedish government case, political futures are riskier and at least one job was lost.

Reputational impact is one of the largest risk factors after a data breach – think Target, Sony, Home Depot and others. Don’t take risks: Monitor. Protect your hard-earned image, reputation and business.

3. Positive compliance is built on collaboration.

Finally, and perhaps the most striking, there is a “lone wolf” aspect to the Swedish data breach saga that is the very antithesis of what we see today in risk management and compliance.

The official in charge made a definitive decision to disregard privacy laws designed to protect the public.

And, acted seemingly independently – and forged ahead, irrespective of consequences.

It’s not our place to judge the Swedish government or the official, but we find this surprising because it feels so different from our experiences with compliance and risk professionals, for these reasons, among others:

  • Managing risk – information security as well as all its other dimensions, like financial, physical, etc. – increasingly requires intense cross-functional collaboration. Information security risk, as just one example, is byzantine and crosses IT, compliance, audit, data and multiple other areas. Cyber criminals target and flex to reach into these areas. Fending them off takes creativity, collaboration and cool heads. It’s a team sport. Data breaches and cyber criminals won’t be beat by lone wolves – ever. Partnership is a must.

 

  • Compliance and risk professionals are powered by integrity and ethics. Short-circuiting rules for speed is also the opposite of our experience with risk and compliance professionals. True, sometimes regulations are overwhelming, the volume is crushing and help is needed. So let’s offer Sweden the benefit of the doubt. But just as well-managed risk creates advantage, so too do compliance and regulations exist to build positivity and protect private and public citizens. The professionals we work every day with pride themselves on ethics, integrity and using compliance as a tool of good business. Choosing to “abstain” is never the answer. Managing risk and compliance as effectively as possible, and finding a partner to help you as necessary, is.

 

Ultimately, this data breach, like others before it, will fade from the headlines, but we hope the lessons of being prepared, trusting your partners but verifying their actions, monitoring to stay ahead of bad news, and above all, remembering risk and compliance is a collaborative, positive team sport, will remain.

Disaster, after all, means “bad star.” Let’s manage the less-than-optimal and focus on the advantages risk can provide us all.

Need more tips on managing third party risk, especially information security? Check out this infographic from Opus and OCEG:

http://www.opus.com/resource/managing-third-party-information-security-risk-2/

 

Pat McParland