Daniel Cummins, Director @Marketsoft
What are some of the common traps that organisations fall into which can result in a breach of data security?
It’s not something that can be approached casually. Information security must be approached proactively.
Organisations have a clear due diligence responsibility. Without an intentional approach, a breach will inevitably result simply from innocent carelessness. Now that doesn’t mean the response should be a punitive, policing exercise. What organisations need to cultivate is an ingrained culture of information security. If an organisation superimposes a compliance regime without regard for how it integrates with the way staff go about their everyday work, you are asking for trouble. You can’t have a disconnect between your information security compliance policies and day-to-day practicalities. There needs to be some thought put into how compliance can harmonise with your operation. A good start is to look at real-life situations in your organisation. Places where information may be circulating in the normal course of doing business. This can be something as innocent as sending data via email. Or sharing project details between departments. Then there are less obvious but equally vulnerable situations. Say someone has chosen to re-use data from a previous project rather than re-requesting or re-building their database. Now this could be out of a genuine desire for efficiency, but it’s a classic example of where compliance may unintentionally be breached.
Organisations need to be proactive in making their employees aware of the dangers, but what are some of the actions they can take to instil the culture?
Well, in my experience I have seen the whole spectrum.
There are companies out there who really have made an impressive cultural shift in the way they implement information security. At the other end, there are some that have given it more superficial treatment. They are the ones that are struggling. The common thread in all the successful examples is that compliance has been blended into the employee’s daily life. It can’t be obstructive and it shouldn’t feel clunky. Of course there does have to be an element of formal implementation. Audits have to be carried out. Training has to be continuously delivered. But it can’t just be left at that.
You have to get creative and interactive to engage people. That’s the only way it will become ingrained. I’ve seen some really inspiring examples of this in action. Things like developing a game platform to make security evaluations a stimulating experience. You can introduce incentives for teams to lift their information security awareness rankings.
Or develop a certification system that gives employees a qualification status for their information security awareness.
Compliance doesn’t have to be dry and intrusive. It can be made very engaging.
Give us a few examples of the things organisations could do to avoid a breach of security?
Well the first thing is not to wrap management of security in a shroud of technical mystery. Sure, there are complex systems and protocols behind security maintenance. But that doesn’t mean the interface with everyday users needs to be inaccessible. Information security controls have to be easily usable for the average, non-technical employee.
They need to be able to go about their business and be a part of the security solution in their daily activity.
Encryption, secure FTP and the like are the technical skeleton, but this must be fleshed out with good habits and accessible, human technology. I would go one step further than that too. A successful information security culture needs to be championed. People need to see a credible example of accountability in action. This gives a positive impetus to the security culture and the evolution of information security policies. It can’t be achieved through technology alone.
One client that comes to mind has an entire department that champions the cause in that organisation.
Nowadays much customer data is hosted in the cloud – what specific challenges does this present?
There’s no doubt that the concept of detaching direct control away from IT departments has consequences. Governance becomes blurred so businesses should not just blindly embrace it. The key is to be selective in the use of the cloud.
Use it in situations where you have the resources to maintain close scrutiny. That way you can build your competency and confidence in a gradual and measured way. By all means take advantage of the opportunities the cloud presents. But make sure you employ it on your own terms. It all comes back to the human element. Exercising common sense and using your discretion. Don’t delegate responsibility to a technology, no matter how clever it seems. The overriding principle in all this is to apply the litmus test of whether the customer’s interests are being upheld. Your policies and practices must be customer-centric. Any new risk to their privacy must be tested against that principle.
If an organisation outsources its database management, what sort of safeguards should they look for from a vendor?
Well the first thing is data partners need to practice what they preach. The complexities and risks in data management these days make it very attractive to use external expertise. But you need to see hard evidence of their credentials. Don’t just assume they have it. Ask to see and review their information security policy. Get them to show how it’s embedded in the organisation’s culture. That way you can ensure their information security values are complementary to yours. To be more specific, there is a checklist of key aspects that a vendor’s policy and practice must cover.
This can be split broadly into three areas. Firstly, there are the physical and technological factors. This includes asset management and the standards partners set for the physical working environment. It should also cover communications, operations, and development and maintenance. Secondly, there are the human-related factors and the procedures that guide human action. This includes daily operational issues like access, roles and permissions guidelines, and risk and incident management. Thirdly, we have the broader organisational principles and policies. What are their contingency plans for business continuity? How do they implement compliance? What are their HR policies and how do they manage standards of employee compliance? All the ideals that you want your business to have must be reflected in the business you partner with.