The EU Information Commissioner’s Office (ICO) has stated with its recent fine for Sony of £250,000 that lack of knowledge of a data breach is no longer an adequate defense. This fine was given not because of actions Sony took on breaches they knew about, but on their lack of knowledge of breaches that the EU deems they should have known about due to the technical knowledge and resources available at Sony.
To claim that you cannot act on vulnerabilities that you do not know of has been a common defense and one that seems rational and logical to most companies, but the ICO’s recent fine suggests that it is unlikely to work in the future. This sort of thinking would be an inhibitor to security initiatives because once you know about a problem, you have to make a determination as to the risk it presents and how you will deal with it.
So how do you know what you don’t know? This has been a question for centuries but in this case, the expectation is that companies will perform activities such as regular risk assessments based on data collected from vulnerability scans to identify security controls that can reduce risks to an acceptable level and that they will monitor equipment to detect anomalous behavior. The tools to perform these activities are easily available and various open-source options can be implemented at a low cost to the company. However, it will take someone experienced with risk assessment and the tools used to make the data obtained from them actionable. Consider using a security consultant if this is not a skill your company has in-house.