Cyber-crime is now the leading business hazard of the 21st century. Successful cyber-attacks on commercial and government data continue to make the headlines, with over 1,700 data breaches accounting for 1.37 billion lost or stolen records in 2016.*
It’s clear that data security decision makers, information security managers and IT executives (in both government and non-government organisations) must think differently about data security and how to deal with the increasing threats of cyber-attacks.
Thinking differently about data security begins with making it a core part of business strategy, regardless of what ‘business’ an organisation is in. Whilst the adoption of new technologies such as cloud computing is seen as a core element of business strategy, there is little evidence from independent surveys or other research to suggest that organisations are treating data security with the same strategic importance.
The need for a changed perspective is all the more crucial in the government sector, because governments have a dual role; they are responsible for the creation of policy and regulation as well as being a major services provider.
Governments are typically among the biggest users of data in society and are heavily regulated in terms of data production and consumption. Hence, the challenge begins with government and its role in forming policy and regulation. Until government changes its own perspective on data security and reflects this in the regulations it sets, the non-government sector is unlikely to change its behaviour.
In other areas of business, such as occupational health and safety or corporate governance, government has altered its thinking to reflect the changing demands of the day. While it has not always been the first to adopt best practice, government inevitably plays a key role in defining and enforcing standards.
We live in the information age, and it is information that is both our greatest asset and our greatest area of vulnerability. Government must learn to make data security a core part of its business functions from the outset, rather than “bolting it on” afterwards, as is often the case. Data security should not be treated as an inconvenience or an avoidable cost.
Traditionally, the business imperative has overridden the security imperative. This needs to change. The prevalence of data breaches over the past 3 years has taught us that breaches have a potentially devastating impact on brand integrity and trust, not to mention the financial penalties and the effects on individuals. Do breached organisations simply hope the victims have short memories?
Government is no different to the commercial sector when it comes to high profile breaches; amongst the most notable recent breaches were JP Morgan Chase, US National Records Office, Sony Entertainment, Home Depot, US Federal Employment Agency and Target.
A new way of thinking: privacy by design
In government, where data classification is the norm, there are stringent policies and procedures in place for the security of all classified data. Worryingly, there appear to be trends towards the ‘watering down’ of these guidelines by agencies seeking short-cuts or cost savings.
The “flexibility” of risk self-assessment allows agencies to make their own interpretations of unclear policies and adopt a tick-box approach to security and compliance. These weaknesses are going a long way to legitimising unsafe decision making.
The US federal agency responsible for every government employee’s private and privileged information was warned on at least two occasions by its auditors that its networks were seriously at risk and had not implemented appropriate security measures. It took a breach of almost 20 million complete employee records for someone to sit up and pay attention.
The single most important question was asked by an outraged union executive: “Why wasn’t sensitive personal information encrypted?”
Clearly, data security begins with human behaviour. Going forward, organisations need to ensure that staff are properly trained and that ‘security first’ thinking becomes the norm. Integrating security into all aspects of business and IT planning from the outset requires a new mindset: the adoption of privacy by design.
The virtual world
For many years, the security industry has become too used to thinking of security as a physical problem. This may have been true once, when IT systems were all at centralised locations, behind a defined perimeter and when erecting a security ‘fortress’ of firewalls, intrusion prevention and anti-malware tools provided a reasonable defence.
Today’s IT systems are increasingly distributed, dynamic and virtual. The notion of managing physical resources behind a perimeter is dangerous; not just because this model no longer matches the underlying physical reality, but because a binary “SAFE” or “NOT SAFE” view of the world is no longer viable.
The security model has not changed in decades, while technology and cyber-crime have. Old tools are less relevant today; cyber-crime is a global issue and involves well-funded criminal groups with strong technical skills.
While the Internet and Cloud technologies are providing opportunities to operate more efficiently and profitably, they come with serious risks. The security industry’s agility in this area is insufficient; particularly in relation to Cloud Computing. While cyber-criminals have advanced dramatically in a few short years, the IT and data security industries have not been able to keep pace and the gap is widening – new weaknesses are exploited too frequently.
Five years ago we were talking about the Cloud as a potential opportunity. It’s now an important and valuable reality. But, it’s also a very real risk for the data security industry to address. Our greatest challenge is to keep up with the speed of Cloud Computing’s evolution. We can be certain that cyber-criminals will be seeking to take advantage of the uncertainty brought about by rapid change.
The new thinking required today must also address data security management issues which are too often avoided or resisted by government organisations. This includes consistency of data classifications; security as a business investment and community obligation; underlying policies such as encryption of all sensitive data; and planning processes that integrate data security as a core element.
Data security as a business investment
A key factor in failures by government agencies to adequately protect sensitive data is the perception that all data must be treated equally and secured at the highest possible level.
This lack of discrimination may result in burdensome costs and management overhead. As a result, some organisations could try to spread their resources too thinly and risk underinvesting everywhere.
In addition to overall awareness of security risks, it is important not to overlook the human elements of cyber security. Security vendors must do more to make data security tools simple at the point of use and to ensure they do not impact productivity.
This requires vendors to focus on both user-friendly and systems-friendly security tools. Data security tools should not adversely affect the performance of business systems, just as they must not impose ‘user-unfriendly’ constraints. Users will naturally resist that which is counterproductive or non-intuitive.
There is also a need for organisations to understand the fundamental difference between prevention and protection. They are not the same thing. Too often, we see organisations that invest everything in prevention (firewalls, intrusion detection etc.) but fail to focus on the data itself and protect it for the case where those preventive controls are breached. This is where robust encryption technology is so important – ensuring that a successful breach only results in the criminals obtaining useless (encrypted) data.
Thinking differently about data security in the 21st century requires addressing both prevention and protection security needs and not simply ‘ticking boxes’. The US Federal Employment Agency failed in a number of ways, but its most fundamental failure was not protecting the sensitive personal information of millions of employees with encryption and multi-factor authentication.
With strong authentication and encryption in place, people would have been less concerned about the successful breach of the agency’s prevention systems (no matter how hopelessly ineffective they are by today’s standards).
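The protection layer described above, as an added illustration that is not part of the original article: sensitive fields are stored only as authenticated ciphertext, so a dump of the data store obtained after the preventive controls fail yields nothing usable. The record layout, the Vault type and the assumption that the key is supplied from a key-management service separate from the database are mine, not the agency's or any vendor's design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredRecord is a row as it sits in the data store: the employee ID stays
// searchable plaintext; the sensitive field exists only as
// nonce || AES-GCM ciphertext || tag, useless to anyone who has the dump but not the key.
type StoredRecord struct {
	EmployeeID string
	SSNCipher  []byte
}

// Vault holds the data-encryption key application-side. Assumption: in production
// it comes from a key-management service separate from the database.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) { // a 32-byte key selects AES-256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}

// Protect encrypts under a fresh random nonce and binds the employee ID in as
// associated data, so a ciphertext copied onto another row fails to open.
func (v *Vault) Protect(employeeID, ssn string) (StoredRecord, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(ssn), []byte(employeeID))
	return StoredRecord{EmployeeID: employeeID, SSNCipher: ct}, nil
}

// Reveal authenticates and decrypts; a tampered row or wrong key returns an error.
func (v *Vault) Reveal(r StoredRecord) (string, error) {
	n := v.aead.NonceSize()
	if len(r.SSNCipher) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, r.SSNCipher[:n], r.SSNCipher[n:], []byte(r.EmployeeID))
	return string(pt), err
}
```

Breaching the network that hosts these rows gives an attacker only EmployeeID and random-looking bytes; only a second compromise, of the separately held key, turns them back into personal data.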
It seems too many government and commercial organisations won’t take data security risks seriously enough until something horrible has happened. It may take months, or even years, to discover a breach has occurred and longer still to recover from the financial and reputational effects of a public breach.
Decision makers from both the private and public sector would do well to consider that there are two types of organisation: “those that have suffered a breach and those that will suffer a breach.” If a breach is inevitable, protect the data, not just the network.
*Gemalto Breach Level Index 2017.