Home  |  Sarah  |  Services  |  Blog  Contact

Friday, 28 Nov , 2014

Where The Heck Is Your Customers’ Data?

Share this article

Do you know where data is, what data is with whom and what they are doing with it? This is a post originally published on LinkedIn and prompted by a Business Value Exchange discussion “What’s the correct approach to personal data?” An an InfoSec professional my response naturally focuses on security and data protection. More […]

Do you know where data is, what data is with whom and what they are doing with it?

Needle In A HaystackThis is a post originally published on LinkedIn and prompted by a Business Value Exchange discussion “What’s the correct approach to personal data?
An an InfoSec professional my response naturally focuses on security and data protection. More specifically the fact you can’t do do well at either if you don’t know where data is.
The potential business value to be gained cannot and should not be denied. The Yottabytes of data freely shared via social media and with companies
presents an incredible opportunity to understand and engage with customers. The security function should support the business to reap those benefits, but reap them compliantly and securely. One of the biggest challenges is a longstanding one and it is notoriously hard to tackle. To quote my recent article on cloud security governance;
“If you don’t know where data is, have no useful unique identifiers for records and can’t filter all your data based on age and confidentiality, neither you nor your suppliers can comply with current data protection laws.”
Lack of a definitive handle on this has probably come up in more than one discussion with audit, security, or (if unlucky), the Information Commissioner’s Office.
Q: Which customers do you need to notify of this server breach?
Q: How much customer data do all your suppliers have?
Q: How do you identify customer records in backups that should be deleted under Data Protection retention rules?
Ummmm….
You are not alone. All businesses, to some degree, are scared about this.
Network perimeters, supply bases and end user tools have all become dramatically extended and are increasingly exposed. While at the same time data protection law and regulation gets ever more more rigid.
Securely keeping pace with your commercial data use ambitions
All businesses should catalog types and quantities of data involved during change and supplier governance. I proposed one way of doing that here. Who’ll be given what, by what means and for what purpose. It allows tracking of data to keep pace with business development and sheds light on where most security is needed. At the same time demand the means to retain that control from suppliers.
You also need to get your definitions of risk owner, data owner, data controller and data processor straight (the ICO helps here). Some of these definitions need careful analysis in a social media and cloud supply context.
Make sure everyone understands where responsibility and accountability stops and starts and formally put role holders in the frame. It encourages sponsorship for work to improve things and someone has to own the risk of a breach while problems persist.
But what about the lakes of data previously accumulated?

Everyone is familiar with the concept of an Asset Inventory (knowing what kit you have where is a no-brainer), many understand the term Information Asset Inventory, but almost no-one has one in place.
Here’s where you could share an investment bandwagon with something that has the board’s attention: Big Data taming solutions. Look carefully at functionality and soup up that RFI with an ask to identify, categorise and catalogue personal data. Here, Datamation takes a look at 20 of the leading vendors and their offerings.
The partner to this is the security led approach. Tools to detect and alert when there’s unauthorised movement or amendment of confidential data. Otherwise known as Data Loss Prevention. Not a new term by any stretch. Tech Target looks at lessons learned from real world DLP implementations here (scroll down to read without registering) .
Three things both of these technical approaches have in common;

  • They don’t work if you haven’t defined “confidential”
  • They are no substitute for good, encryption, access management and data governance practice.
  • They come with a big enterprise price tag

So how do you secure spend for this?
You could say, from the board’s point of view, that this is not a profit making investment and you would be right…and wrong. It is a profit protecting investment and increasingly offers a competitive advantage. Encouraging customer trust by enabling secure and compliant use of their data. As this Fortune article calls out;
“Breach-weary consumers don’t know who to trust with their personal information”
“…businesses need to treat privacy as far more than a compliance issue. Approximately one-third of the executives in charge of defining security strategy view this as a potential competitive differentiator—a number that will grow next year, according to a new report by Forrester Research
Not just that. I have recently been party to an actuarial analysis of health industry data breaches and newsworthy retailer incidents. There is evidence of a strong correlation between the quantity and type of data, the number of employees in a firm and the costed impact of any breach (more on this soon). Knowing your data therefore opens the door to finally having a quantifiable way to assess security risks. That means you can efficiently target assessment efforts and build a credible business case for spend on security controls.
Whichever way you start to solve this problem (and you must), your first steps should include understanding your environment and closing glaring access and data management loopholes, both in-house and in dealing with 3rd parties. If you don’t, regardless of the brightness and shininess of tools, you will forever be playing catch up.

Opinion: Paying to play with our personal data – is it ok?

We’ve migrated from ‘Hot or Not?’ to being held virtually hostage by many of the digital platforms we rely on today. In the midst of that a new processing paradigm has emerged. Myriad startups want to pay to play with your personal data. Can this tackle on-going...

In AI we will blindly trust…

...and the architects, designers, data scientists, and developers will think we are nuts I've been driven back to the blog to talk about one very specific aspect of privacy, data protection and Artificial Intelligence (exchange for Machine Learning or Algorithms as...

Data Protection, Security, and the GDPR: Myths and misconceptions #2

Welcome back! This is a shamefully delayed sequel to my first instalment of security themed GDPR thoughts: Data Protection, Security, and the GDPR: A fraught and fuzzy relationship. Here I look back again over my pre-privacy IT and InfoSec career to spot things likely...

Where and to whom does the GDPR apply?

Yeah, I doubted my sanity going at this one too, but here I am, because working out whether or not the GDPR would apply in different practical and geographical circumstances is proving harder than it really should...for everyone. This regulation has been my almost...

GDPR – You’ve analysed the gaps, but can you close them?

  There is a critical gap for most firms: An inability to interpret and leverage gap analysis, data discovery, and mapping output to actually implement technical data processing change. This article is about the challenges most large firms are facing when trying...

GDPR – The Compliance Conundrum

There is one question related to the General Data Protection Regulation that will arguably cause more ulcers than any other: How much is enough? In some portions of the GDPR 'good' is straightforward. In many others we are asked to respect principles of fairness and...

Opinion: The role of automated data discovery in a GDPR programme

Do you have any online profiles or posts featuring those 4 magic characters: G D P R? If so, whether you are a business decision maker, IT body, security body, charity boss, employed data protection pro, or job seeking data protection pro (less and less likely), you...

When Business Culture Eats Cybersecurity For Breakfast – Part One

A four-part story of budget cuts, blamestorming, breaches and massive bumps in the road to mature security. Wild Speculation & IT Transformation Do you remember Nick Leeson? On February 23rd 1995 he sent a fax telling bosses at Barings Bank he was ill and wanted...

Cyber Insurers Dictating Cybersecurity Standards?

A run down of the key challenges with choosing and using cyber insurance called out in the last few months. It looks entirely possible you will have 'adequate' security dictated by your insurers, so it is your job to understand the risk based yardstick they're using...

There Is No Such Thing As Information Security Risk

Having worked in IT and Information Security for 13 years, I've come to the conclusion that there is no such thing as information security risk. There are just business risks that have one or more security or IT related causes. There is a fundamental and persistent...