The importance of following through on the crucial factors necessary to implement an effective risk mitigation strategy were recently brought into focus again as details emerged on how Europe’s leading police agency, Europol, suffered a cyber breach. The incident resulted in the names and telephone numbers of suspects in terrorism probes being accidentally posted online.
The event occurred as a result of a staff member having taken home electronic data from the agency and uploading it to a private storage device, in clear contravention to Europol policy.
As the EU police agency, it may have reasonably been expected that the entity would have a heightened awareness of its cyber security risk and, accordingly, would have instituted more stringent and enforceable mechanisms to ensure sensitive digital information could not be copied and removed from its premises without prior knowledge and appropriate consent.
The incident also poses larger questions about data protection standards of an agency whose investigative powers are only set to increase in May 2017 with the introduction of a revamped Europe-wide intelligence-sharing programme.
What was also highlighted by this cyber security breach is that any technical solution can be thwarted by a poor implementation. Very few successful breaches today result from an exploit or failure in the underlying technical protocol – but rather by sloppy implementations, or policy and procedure failures in the operations of the technology.
The methods, tools, and attack vectors of a breach are all important elements to analyse in the hopes of further tailoring future risk mitigation strategies and defence systems. In the case of the Europol breach, the actions of an individual either did not follow corporate policy, or the corporate policy was potentially not established or perhaps not communicated.
We recommend any risk mitigation strategy consider not only the best technologies, but also ensure there is careful and audited deployment of associated policies and procedures necessary to allow the technology to function optimally. Constant attention to improving user and relying party understanding of roles and responsibilities through training, education, and awareness campaigns should also be considered.