The Principles of Other People's Data
Australian organisations are acknowledging, in an unprecedented way, the importance of security technologies and the investment in security infrastructure required to keep data safe. The traditional rule of thumb for investment in data security is no longer adequate. When things go wrong, the 'reasonable efforts' that organisations and departments made to build minimum security into their systems turn out to have hurt the bottom line.
For a growing list of organisations, things are going very wrong. Data breaches are becoming significantly more expensive to resolve, and reputational damage is pulling down share prices and profit margins. In extreme cases, data breaches have destroyed organisations. By now we are all familiar with the trials of Sony, the closure of Distribute.IT here in Australia and the ongoing challenges News Limited faces in investigating potential data security incidents. Those are the newsworthy incidents that reach the public. Here in Australia, everyday organisations are also dealing with unexpected Denial of Service attacks and intrusions that target clients seemingly at random, with discouraging outcomes.
So we operate in a new security environment. How does this affect the role of the CIO?
The traditional role of technology, and of its implementation by the CIO and the IT team, has been to deliver a return on investment. Boards demand it, shareholders expect it, and CIOs have had to prove a business case for every technology rollout. How does the CIO argue for security in an environment that requires the organisation to increase its investment in data security when the only outcome is that the organisation simply stays in business? When do you know it is your turn to be hit?
I wish I could answer that question for clients, but for some there is no discernible reason why a breach happens when it does. We sometimes never learn who is behind an attack. The good news is that we do know that if you mitigate the risk, you stay in business.
It may sound simplistic, but the role of the CIO is to carry the message of security to every part of the organisation. Privacy principles and policies must be translated into business requirements. Those on the business side need to understand the threats that follow from violating security policies. CIOs must set the agenda, and it can no longer be about ticking boxes. Project managers can no longer kick off a project and revisit security only when the project is being implemented, which is how the security budget ends up not being considered at all, or being simply inadequate.
So where do you start? Let's take a look at the National Privacy Principles. These guidelines are interpreted differently by different organisations, and misinterpretation is what causes the most grief. The obligation to "take steps" to protect information is sometimes not appreciated by CIOs and Boards, who effectively water down their investment in and approach to security. Taking steps needs to mean following industry best-practice security processes: establishing data security policies and encrypting sensitive information wherever it is stored. These practices are an investment in protecting the business, and CIOs need to challenge those who push back on these security budgets.
Organisations may also need to re-calibrate their understanding of how sensitive their data is and how it is handled. For example, we often speak to clients that rate stored credit card details as sensitive but address details as non-sensitive. On the open market, address details may be worth more than the credit card data, so it stands to reason that address details are highly sensitive too. Some organisations categorise the data they hold as non-sensitive by default; if it is client data, the organisation should treat it as highly sensitive.
To reduce cost, virtualisation and cloud computing are the default answer in some organisations. Cutting costs this way may come at a price. The attack vectors against virtualised and cloud environments are often unknown to both the CIO and the hosting provider, which exposes the organisation to unquantified and potentially severe risks. Virtualisation and cloud computing have introduced a host of new attack vectors for attackers.
The major concern with cloud hosting and cloud applications is the weakness of the controls separating one customer's systems and application accounts from another's. You no longer know who shares a network with you. An attacker can rent capacity on the same network as you and gain far more direct attack techniques than they would have from the outside; these techniques bypass the access controls that would otherwise sit between them and your systems. Cloud hosting is almost always built on virtual infrastructure, so the threats specific to virtualisation are available to the same attackers.
If you are not sure where to start, or just need to confirm that you are tackling data security effectively, there are standard principles we use to guide our clients towards safe data. Ask yourself:
- Do I have a data classification policy, and do I understand the classification of the data I hold?
- Do I have an up-to-date data register?
- Do I have systems that expose my sensitive data to the outside world?
- If my data is disclosed, what are the likely outcomes?
- What is my backup plan, and how do I manage the redundancy of stored data?
Of course, it stands to reason that you can engage a qualified security governance professional to help you manage your data and understand the latest threats. You don't need to take my word for that. Just look at what is happening around the globe.