Source:
https://scmp.com/comment/letters/article/2170314/why-cathay-pacific-data-breach-should-trigger-talk-about-data
Opinion/ Letters

Why Cathay Pacific data breach should trigger talk about data classification for cybersecurity

  • No matter how small or simple the business, data protection must be a priority and the starting point is data classification
  • In seeking cybersecurity, we need to make sure we are aligning data protection strategies with the actual threat
A Cathay Pacific Airways plane prepares to land at Hong Kong International Airport in August 2017. The airline and its subsidiary Hong Kong Dragon Airlines announced on October 24, 2018, that the personal data of nearly 9.4 million customers had been leaked earlier in the year. Photo: EPA-EFE

Cathay Pacific’s recent data breach (“Personal data of 9.4 million passengers of Cathay Pacific and subsidiary leaked, airlines say”, October 24) was an unpleasant shock for many of us. Suddenly, the phrase “not if, but when”, usually reserved for events with information security on the menu, took on a profound personal meaning for those affected.

This episode should be a wake-up call, reminding us that information security must not just be confined to conferences attended by the big targets: finance and insurance.

First, we need to look at data protection as a cyber-risk problem, not a cybersecurity problem per se – and the two must not be mixed up. Second – and this is an uncomfortable truth – there is no such thing as complete security although there is an acceptable level of risk.

Most importantly, however, business leaders need to start looking at a company’s cyber risk in terms of impact on customers, share price or reputation – and this applies to all companies, whether a supermarket chain or a food-delivery app.

No matter how small or simple the business, data protection must be a priority and the starting point is data classification: classifying data into distinct categories based on the sensitivity of the data and risk of harm if the data is breached. Such classification allows a business to effectively and efficiently align appropriate security controls, such as encryption or other access control measures, according to relative risk.
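What "aligning controls according to relative risk" looks like once it is written down is a small policy-as-code module: each field of a record is assigned a sensitivity class, and the class, not the field name, decides who may read it and what must happen to it before a copy leaves the system of record. The example below is an added illustration and not code from the letter's authors or from Cathay Pacific; the passenger-record schema, the four classes, the roles and the HMAC key are all assumptions constructed for the demonstration. Unknown fields deliberately fail closed to the most sensitive class, which is the edge case a practitioner usually gets wrong.

```python
"""Data classification as code: map each field's sensitivity to the controls
it must receive before data is stored, shared or queried.

Added illustration; the schema, classes, roles and key are assumptions,
not anything from the letter or from any real airline system.
"""
import hmac
import hashlib
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered so that max() over a record's fields gives the record's class."""
    PUBLIC = 0        # e.g. a flight number
    INTERNAL = 1      # business data with low harm if disclosed
    CONFIDENTIAL = 2  # personal data: name, email, phone
    RESTRICTED = 3    # identity documents, payment card numbers


# Hypothetical passenger-record schema (constructed for this example).
FIELD_CLASS = {
    "flight_number": Sensitivity.PUBLIC,
    "loyalty_tier": Sensitivity.INTERNAL,
    "name": Sensitivity.CONFIDENTIAL,
    "email": Sensitivity.CONFIDENTIAL,
    "passport_number": Sensitivity.RESTRICTED,
    "card_number": Sensitivity.RESTRICTED,
}

# Highest class each (hypothetical) role may read: least privilege by classification.
ROLE_CLEARANCE = {
    "marketing_analyst": Sensitivity.INTERNAL,
    "customer_service": Sensitivity.CONFIDENTIAL,
    "fraud_investigator": Sensitivity.RESTRICTED,
}


def classify_field(field: str) -> Sensitivity:
    """Unknown fields fail closed: treat as RESTRICTED until someone classifies them."""
    return FIELD_CLASS.get(field, Sensitivity.RESTRICTED)


def classify_record(record: dict) -> Sensitivity:
    """A record is as sensitive as its most sensitive field."""
    return max((classify_field(f) for f in record), default=Sensitivity.PUBLIC)


def authorize(role: str, field: str) -> bool:
    """Allow a read only if the role's clearance covers the field's class."""
    clearance = ROLE_CLEARANCE.get(role, Sensitivity.PUBLIC)  # unknown role: PUBLIC only
    return clearance >= classify_field(field)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC: the token is stable for joins but not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters, e.g. for support-desk display."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def apply_controls(record: dict, key: bytes) -> dict:
    """Build the copy of a record that may leave the system of record
    (analytics export, support tooling), with the control chosen by class:
    PUBLIC/INTERNAL pass through, CONFIDENTIAL is pseudonymised,
    RESTRICTED is masked. Encryption at rest for RESTRICTED fields belongs
    in the storage layer and is outside this function."""
    out = {}
    for field, value in record.items():
        level = classify_field(field)
        if level <= Sensitivity.INTERNAL:
            out[field] = value
        elif level == Sensitivity.CONFIDENTIAL:
            out[field] = pseudonymise(str(value), key)
        else:
            out[field] = mask(str(value))
    return out


if __name__ == "__main__":
    key = b"example-hmac-key-rotate-in-production"  # constructed; use a managed secret
    passenger = {  # constructed sample data, not a real passenger
        "flight_number": "CX888",
        "loyalty_tier": "silver",
        "name": "Jane Example",
        "email": "jane@example.com",
        "passport_number": "K12345678",
        "card_number": "4111111111111111",
    }
    print("record class:", classify_record(passenger).name)
    print("export copy :", apply_controls(passenger, key))
    print("analyst can read email?", authorize("marketing_analyst", "email"))
```

The point of the table-driven shape is that adding a field to the schema without a class entry does not silently make it public; it lands in the most restrictive bucket and has to be classified deliberately. The same classification table then feeds access decisions, export transformations and, in a real deployment, the choice of storage encryption and retention period.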


As Hong Kong moves to become a smart city, we will see the collection of more personal data and greater use of that personal data across more platforms. Correspondingly, the potential for data breaches will increase. And this is why we have to keep sight of the real objective: cyber-risk management. If we can’t get this piece right, Hong Kong stands to be even more vulnerable as cyber attackers become increasingly sophisticated.

So, while it’s encouraging to see the term “cybersecurity” in the popular lexicon, we need to make sure we are also speaking about data classification, to make sure we are aligning data protection strategies with the actual threat.

Laura Winwood, director, and Stacy Baird, consulting director, TRPC Ltd, Hong Kong