OPINION
THE RISK OF LIBERATED DATA
AS ORGANISATIONS ADVANCE THEIR DIGITAL TRANSFORMATION, NEW SECURITY GAPS WILL APPEAR, AND AS JON FIELDING, MANAGING DIRECTOR AT APRICORN EMEA, POINTS OUT, THIS INCREASES THE RISK OF A HIGHLY DAMAGING AND COSTLY BREACH
With reports that nearly half of all UK businesses suffered at least one cybersecurity breach or attack in the past 12 months, what should be done to reduce this? The answer lies in a multi-layered approach that combines people, process and technology.
UBIQUITOUS THREATS
Digital transformation creates many new risks. Cloud and mobile platforms extend the traditional network perimeter, but all too often the safeguards for data stored in these environments either don't exist or are inadequate.
Because smartphones, tablets, USB drives and laptops provide huge storage capacity, it is easy for remote workers to carry immense volumes of corporate data with them - but is it secure? The most recent Home Office figures say that there were 538,000 victims of mobile phone theft in the UK, and Apricorn research has revealed that 29 per cent of organisations suffered a data breach as a direct consequence of employee mobility.
This employee risk is amplified for many organisations by the often complex networks of partners and suppliers they interact with. These relationships carry their own risk, especially if those partners are not audited or are not covered by a robust cybersecurity policy.
COST OF BREACH
The need to get data security under control has become even more urgent with the planned introduction of the European General Data Protection Regulation (GDPR), which comes into force in May 2018. This sweeping new EU legislation mandates that firms must notify regulators within 72 hours of becoming aware of a breach. Additionally, those found not to have taken adequate steps to secure customer data could face a maximum fine of 4 per cent of global annual turnover or 20m euros (£17m), whichever is higher. Even post-Brexit, UK firms will be forced to comply with these rules.
NCC Group research revealed that ICO fines last year would have risen 79 times to roughly £69m if the GDPR had applied.
MOVING FORWARD
There is no silver bullet, but best practice will help. Start with a comprehensive data audit, mapping what your organisation stores and processes, where it flows, who has access to it and how it is controlled. It would be a good idea to minimise your risk exposure by ceasing to collect, and securely deleting, any data that the audit determines is not relevant to the business.
Next, create, document and enforce a watertight data security policy covering every aspect of the business. Don't forget BYOD devices and home offices, because some Government reports claim that only 25 per cent of firms currently cover this vulnerable area with policy. This must change, by consistently enforcing security policies across all mobile devices, including removable media.
Strong encryption is also essential, and it is mentioned explicitly in Article 32 of the GDPR. IT should approve specific encryption-protected storage devices and then enforce their use through whitelists at the endpoint, blocking those not approved.
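One way to implement the endpoint whitelist the article recommends, as an added example that is not code from the article or from Apricorn: a default-deny evaluator that matches removable storage devices against a list of approved encrypted drives by USB vendor and product ID, optionally pinned to a serial number, and renders the same list as Linux udev rules that block every other USB mass storage interface. The vendor/product IDs, serial numbers and device records are constructed for illustration; the udev deployment path and rule layout are assumptions, not something the article specifies.

```python
"""Endpoint whitelist for removable storage (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class UsbDevice:
    """A USB device as reported by the endpoint (e.g. from sysfs or a device manager)."""
    vendor_id: str   # USB idVendor, 4 hex digits, case may vary by source
    product_id: str  # USB idProduct, 4 hex digits
    serial: str      # iSerial string; cheap consumer sticks often report none
    model: str = ""


@dataclass(frozen=True)
class AllowEntry:
    """One approved encrypted-drive model, or one unit of it when a serial is pinned."""
    vendor_id: str
    product_id: str
    serial: Optional[str] = None  # None approves every unit of the model


def _norm_id(value: str) -> str:
    """USB IDs are 16-bit values; compare them as zero-padded lowercase hex."""
    return f"{int(value, 16):04x}"


def is_approved(device: UsbDevice, allowlist: Iterable[AllowEntry]) -> bool:
    """Default deny: allowed only if an entry matches vendor and product ID,
    and, when the entry pins a serial, that serial as well.
    Caveat: all three values are self-reported by the device firmware, so the
    whitelist stops casual use of unapproved media rather than a cloned device;
    the drive's own hardware encryption is what protects the data."""
    for entry in allowlist:
        if _norm_id(entry.vendor_id) != _norm_id(device.vendor_id):
            continue
        if _norm_id(entry.product_id) != _norm_id(device.product_id):
            continue
        if entry.serial is not None and entry.serial != device.serial:
            continue
        return True
    return False


def evaluate(devices: Iterable[UsbDevice],
             allowlist: Iterable[AllowEntry]) -> Dict[str, bool]:
    """Decision per device, keyed by vendor:product/serial for logging."""
    allowlist = list(allowlist)
    return {f"{_norm_id(d.vendor_id)}:{_norm_id(d.product_id)}/{d.serial or '-'}":
            is_approved(d, allowlist) for d in devices}


def udev_rules(allowlist: Iterable[AllowEntry]) -> str:
    """Render the whitelist as udev rules (assumed location: /etc/udev/rules.d/).
    Each approved device skips to the label; any other USB mass storage
    interface (bInterfaceClass 08) is deauthorised. ATTRS{} matches the
    interface's parent device, which is where idVendor/idProduct/serial live."""
    lines = []
    for e in allowlist:
        match = [f'ATTRS{{idVendor}}=="{_norm_id(e.vendor_id)}"',
                 f'ATTRS{{idProduct}}=="{_norm_id(e.product_id)}"']
        if e.serial is not None:
            match.append(f'ATTRS{{serial}}=="{e.serial}"')
        lines.append('ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", '
                     + ", ".join(match) + ', GOTO="approved_storage_end"')
    lines.append('ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", '
                 'ATTR{authorized}="0"')
    lines.append('LABEL="approved_storage_end"')
    return "\n".join(lines) + "\n"


# Constructed sample data: a fictional vendor "abcd" with two approved models.
SAMPLE_ALLOWLIST = [
    AllowEntry("abcd", "0001"),                       # any unit of model 0001
    AllowEntry("abcd", "0002", serial="ENC-7F3A"),    # one specific unit of model 0002
]
SAMPLE_DEVICES = [
    UsbDevice("ABCD", "0001", "ENC-1111", "approved model, upper-case IDs"),
    UsbDevice("abcd", "0002", "ENC-7F3A", "approved unit, serial pinned"),
    UsbDevice("abcd", "0002", "ENC-0000", "same model, different unit"),
    UsbDevice("1234", "5678", "", "consumer stick, no serial"),
]

if __name__ == "__main__":
    for key, ok in evaluate(SAMPLE_DEVICES, SAMPLE_ALLOWLIST).items():
        print(f"{key:24} {'ALLOW' if ok else 'BLOCK'}")
    print(udev_rules(SAMPLE_ALLOWLIST))
```

Before deploying generated rules, dry-run them against a real sysfs path with `udevadm test` and confirm the deny rule fires for an unapproved stick. Serial pinning is worth the inventory effort for the highest-value units, but because identifiers are firmware-reported, treat the whitelist as a usage control that complements, rather than replaces, the drive's hardware encryption.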
It's important not to forget the people aspect in all of this. A well thought out education and awareness programme will ensure that employees form a strong first line of defence against cyber risk and understand why certain policies are necessary. Ensure temporary employees are also included, and provide refresher courses annually.
What's much harder to change is organisational culture. This really needs to come from the top down, and certainly the prospect of the huge fines that can be levied under GDPR should begin to make data security a board-level issue. The appointment of Data Protection Officers - mandatory under GDPR for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, which covers many mid-to-large sized firms - will also help by creating a semi-autonomous champion for data protection inside the organisation. Creating this new function should be a priority.
Breaches may be inevitable, but a few simple measures can make your organisation more secure, more compliant and, ultimately, more competitive.
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards
JULY/AUGUST 2017 NETWORKcomputing 21