Achieving Effective Data Security
01 December 2016
Whether accidental or malicious, human activity is the common factor in all data breaches. A human problem requires a human solution. Indeed, information security policies are only as good as those who implement and police them. Effective cyber-security rests on a human appreciation of the value of personal data and the consequences of its loss. The ‘human firewall’ is thus the best defence against data loss. Here, I present the four building blocks of the ‘human firewall’.
INFORMATION SECURITY POLICY
To turn the abstract concept of ‘information security’ into concrete patterns of behaviour, you first need a policy that is clear, memorable and easy to adopt. If you don’t, even the most well-intentioned employees will start taking shortcuts and creating vulnerabilities. The best cyber-security policies don’t just acknowledge the human element of data protection; they are built around the specific experiences of the staff who work under them. Remember, it is harder to change human behaviour than it is to redraft a cyber-security policy.
DATA ORGANISATION
The second building block of the human firewall is data organisation. Too often, data held by a company is not organised according to its value or sensitivity. It is held in unstructured files – made up of emails, documents and other material – that are hard to search through. It is also harder to detect whether such files have been wrongly accessed.
If data is not organised according to its sensitivity, the organisation cannot develop appropriate access rights to that data based on the role and seniority of the staff using it, and the most valuable data cannot be ring-fenced for additional protection. The more compartmentalised your data storage, the safer it is – and the easier it is to both detect and contain a breach.
A byproduct of better-organised data is that old or low-value data is more easily identified for deletion. Disorganised data is expensive, because you end up paying to store more than you actually need. Deleting low-value data also diminishes the volume of data that could be compromised and reduces the scope, and therefore costs, associated with a post-breach investigation.
TRAINING
The third building block is training, which must involve more than just an element of induction. It needs to include not only guidance on best practice, but also threat recognition: what to look out for and what should raise suspicions. Information emissaries are an effective teaching tool, as they can match the pace of those who are learning and provide immediate feedback. They can establish trust between colleagues, who will then be more likely to support staff in the event of a data breach, so that accidental losses become less likely and less damaging. Part of the purpose of fostering an information security culture throughout all levels of the organisation is to create an environment where employees are not afraid to speak up and data losses are not buried.
For training to be effective, it needs to be regular and ongoing to embed the culture of security. As staff rise through the ranks, it is likely that they will be exposed to increasingly sensitive data, so their training needs to keep pace with their progress. In particular, staff need an increased awareness around the risks associated with remote access, company mobile devices, use of personal devices for work, and social media.
Leavers and those transferring from one department to another form a special category of staff that needs particular attention. Their access should be disabled immediately, or as soon as practicable, after they have left the company or department.
RESPONSE AND RECOVERY
The final building block of the human firewall is the incident response and recovery programme. The average length of time between a data breach and detection is 146 days. The longer this period, the greater the volume of data that may be lost. It will also be easier for third parties to exploit the breach and for attackers to conceal their exit.
Under the new EU General Data Protection Regulation, due to take effect in May 2018, organisations in EU Member States will be expected to notify the regulator of a breach within three days of detection. This will require a plan whereby roles and responsibilities have been clearly established, assigned and rehearsed.
STRONG AND SECURE
For information to remain secure, it must first be valued. Only then will employees appreciate the need to protect it, and only then can you start to embed the necessary sensitivity and awareness that is the root of data security. Ultimately, all data loss or theft is caused by either human malice or human error. That is why the solution, too, takes a human form: information emissaries who lead by example.
A strong and secure policy for managing information allows people to do their jobs more easily and generally reduces costs. It also allows an organisation to detect and respond to a data breach in a more efficient and cost-effective way than it might otherwise.
Ultimately, data breaches are an increasing source of concern for all companies, especially for those handling sensitive client data. That is why building a ‘human firewall’ is integral to achieving effective data security.
This article was first published in the December 2016 / January 2017 edition of the STEP Journal.