IT experts give data security advice

Side by Side: Data Security

Welcome to Side by Side, a new series of Brother Spark blogs where we invite two experienced IT professionals to give their viewpoint on a topic that’s making the news.

This time we’re looking at the issue of data security.

It seems that barely a week goes by without another high-profile organisation suffering a cyberattack or data breach: from Facebook to the Conservative Party to British Airways.

The government’s latest Cyber Security Breaches Survey found that almost half of all UK businesses had suffered a cyber security breach or attack in the last year.

With that in mind, we spoke with Jonathan Whitley, a director at cyber security technology pioneer WatchGuard Technologies, and Adrian Barrett, CEO and founder of big data and information security experts Exonar, to get their practical advice for IT managers on how to keep business data safe.

Jonathan Whitley, director for Northern Europe, WatchGuard Technologies
Turning a weak link into your biggest security asset

It is no secret that humans are the weakest link in cyber security defences, and the most recent Verizon Data Breach Investigations Report suggests that some 90 per cent of breaches start with a phishing or social engineering attack.

This is not a new phenomenon, yet most recent investment in cyber security has been focused on securing computers and networks through technical defences. 

It’s time the focus shifted to make employees smarter about different types of attacks so they can be transformed from a weak link into one of your biggest assets – a human firewall. 

Cyber security education and intervention

Good phishing education programmes can reduce click rates on malicious links from 40-50 per cent down to below 10 per cent. 

These programmes don’t need to be built around sophisticated and costly tools but should intrinsically link technical controls with human behaviour and interaction. 

Preventing phishing must start with getting in-between the attacker and the victim to remove or neutralise as many malicious links as possible. 

But some will get through, and by using technology like DNSWatch, which automatically detects and blocks rogue DNS requests, users who click on a fake Office 365 or Dropbox link, for example, can be redirected to a safe page.

This means that the company is protected and the user can be given a dose of education – a bit like going on a safe driving course after being caught speeding.

Learning from data security mistakes

No one is suggesting it’s easy to spot dodgy links, as the level of phishing and social engineering is getting more sophisticated and attackers gather more intelligence on their victims. There is also an increase in so-called CEO fraud where attackers impersonate senior management.

We need to move away from the blame culture, so it’s OK to make a mistake and learn from it. 

Protection, education, evaluation and reporting all contribute to an effective anti-phishing programme; but it is when they all work together with technology that the outcome becomes greater than the sum of the parts. 
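The DNS-level intervention described above (block the rogue lookup, land the click on a safe page, then feed the event into user education) can be sketched as a small filtering resolver. The following is an added example written for this article; it is not WatchGuard's or DNSWatch's code. The domain tables, the brand-token lookalike rule, the TEST-NET-3 addresses and the sample client queries are all constructed assumptions, and the "forward upstream" branch is simulated rather than performing real DNS.

```python
"""Toy DNS-filtering resolver: blocklisted or lookalike domains are answered with
a sinkhole address so the click lands on a safe page, and every block is queued
so the user can be offered follow-up education. Added example, not DNSWatch."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data. Addresses come from the TEST-NET-3 documentation range.
KNOWN_GOOD = {
    "login.microsoftonline.com": "203.0.113.10",
    "www.dropbox.com": "203.0.113.20",
    "intranet.example.com": "203.0.113.30",
}
# Names a threat feed has already flagged (constructed placeholders).
BLOCKLIST = {"office365-login-verify.example.net", "dropbox-share.example.org"}
# Brand tokens and the only hostnames allowed to carry them (assumption).
BRAND_TOKENS = {
    "microsoftonline": {"login.microsoftonline.com"},
    "dropbox": {"www.dropbox.com"},
}
SINKHOLE = "203.0.113.250"  # address of the safe "you clicked a phishing link" page


@dataclass
class Verdict:
    qname: str
    answer: Optional[str]  # None means unknown name, would be forwarded upstream
    blocked: bool
    reason: str


def _squash(name: str) -> str:
    """Strip separators so 'drop-box.example' and 'dropbox.example' compare alike."""
    return name.replace("-", "").replace(".", "")


def resolve(qname: str) -> Verdict:
    """Decide how a single DNS query should be answered."""
    name = qname.rstrip(".").lower()
    if name in BLOCKLIST:
        return Verdict(name, SINKHOLE, True, "blocklisted")
    for token, allowed in BRAND_TOKENS.items():
        # A brand name inside a hostname that is not the brand's own host is a lookalike.
        if token in _squash(name) and name not in allowed:
            return Verdict(name, SINKHOLE, True, f"lookalike:{token}")
    if name in KNOWN_GOOD:
        return Verdict(name, KNOWN_GOOD[name], False, "allowed")
    # Not in our table: a real resolver would forward to an upstream server here.
    return Verdict(name, None, False, "forward")


def process_queries(queries) -> Tuple[List[Verdict], Dict[str, List[str]]]:
    """queries: iterable of (client_id, qname). Returns the verdicts plus an
    education queue mapping each client to the blocked names they looked up."""
    verdicts: List[Verdict] = []
    education: Dict[str, List[str]] = defaultdict(list)
    for client, qname in queries:
        v = resolve(qname)
        verdicts.append(v)
        if v.blocked:
            education[client].append(v.qname)
    return verdicts, dict(education)


# Constructed sample of client lookups, in the shape a DNS log would show them.
SAMPLE_QUERIES = [
    ("alice", "www.dropbox.com"),
    ("alice", "office365-login-verify.example.net"),
    ("bob", "secure-dropbox.example.net"),
    ("bob", "intranet.example.com"),
    ("carol", "news.example.com"),
]

if __name__ == "__main__":
    verdicts, queue = process_queries(SAMPLE_QUERIES)
    for v in verdicts:
        print(f"{v.qname:40} -> {v.answer or 'forward':15} {v.reason}")
    print("education queue:", queue)
```

The education queue is the piece that turns a block into a teaching moment: the security team can see which users hit the safe page and for which lure, rather than only counting blocked requests.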

Adrian Barrett, CEO & Founder, Exonar
Only organised data is secure data

When it comes to data security, one of the first things a company needs to do is identify exactly where all its sensitive and personal data is held, as having unstructured information is a big risk.

It’s a bit like the ‘wild west’ of the security landscape – unmanaged and seemingly unmanageable.

It isn’t just external threats from hackers looking to steal your data; there is also the threat from within, like employees copying the company database to take to their next job or stealing customers’ financial information.

Either way, it’s only once you know what data you hold, where it is stored, who has access to it and how old it is that you can put the right processes and protection in place to keep it secure.

Subject Access Requests: deadlines and fines

Understanding where your data is held is also a key requirement to enable a company to respond to Subject Access Requests (SARs), which can be made at any time by any person who believes your organisation may hold data on them.

Businesses are no longer able to charge the requestor for providing them with their data, and failure to provide it within the 30-day deadline can result in a fine by the Information Commissioner's Office for being in breach of GDPR.

On the face of it this may seem like a simple task, but in our experience a typical SAR contains about 800 pages of data, enough to fill two large courier boxes.

That data has come from a variety of files spread across a number of different locations and software platforms including cloud-based storage systems like Dropbox, email accounts, accounting software, payroll, Word documents, Excel spreadsheets and CRMs.

Decreasing technology disruption

The good news is that technology like machine learning is available to help companies quickly map out their data across a plethora of different systems and identify files containing sensitive personal data and passwords, duplicate files that are taking up costly storage space and even old legacy files that should no longer be held.

There are also software solutions like sarlution that provide automated, intuitive and rapid processing of SARs to substantially reduce the cost and decrease the disruption to business.
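The inventory Adrian describes (what data you hold, where it is, who owns it, how old it is, plus duplicates and files containing personal data or passwords) can be approximated for a file share with a short scan. The following is an added example written for this article, not Exonar's or sarlution's code. The two-year staleness threshold, the three detection patterns and the sample files built in a temporary directory are constructed assumptions; the Luhn check is included so that a long order number is not mistaken for a card number.

```python
"""Minimal data inventory over a directory tree: location, owner, age, content
hash (for duplicates) and sensitive-looking values per file. Added example."""
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List

STALE_AFTER_DAYS = 365 * 2  # retention threshold, an assumption for this example

# Deliberately simple patterns for sensitive-looking values (constructed).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PASSWORD_RE = re.compile(r"(?i)\bpassword\s*[:=]\s*\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit number is not flagged as a card."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Record:
    path: str
    owner_uid: int          # a real inventory maps this to users and ACL entries
    age_days: int
    sha256: str
    findings: List[str] = field(default_factory=list)
    duplicate_of: str = ""


def classify(text: str) -> List[str]:
    """Name the kinds of sensitive-looking content found in a text blob."""
    found = []
    if EMAIL_RE.search(text):
        found.append("email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.append("card-number")
            break
    if PASSWORD_RE.search(text):
        found.append("password")
    return found


def inventory(root: str, now: float = None) -> List[Record]:
    """Walk root and build one Record per file; duplicates point at the first copy."""
    now = now or time.time()
    seen: Dict[str, str] = {}
    records: List[Record] = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic order, so "first copy" is stable
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            st = os.stat(path)
            rec = Record(
                path=os.path.relpath(path, root).replace(os.sep, "/"),
                owner_uid=st.st_uid,
                age_days=int((now - st.st_mtime) // 86400),
                sha256=digest,
                findings=classify(data.decode("utf-8", "replace")),
            )
            if digest in seen:
                rec.duplicate_of = seen[digest]
            else:
                seen[digest] = rec.path
            if rec.age_days > STALE_AFTER_DAYS:
                rec.findings.append("stale")
            records.append(rec)
    return records


def demo() -> List[Record]:
    """Build a constructed sample share in a temp directory and inventory it."""
    root = tempfile.mkdtemp(prefix="inventory-demo-")
    now = time.time()
    payroll = "name,email,card\nA Smith,a.smith@example.com,4111 1111 1111 1111\n"
    files = {
        "hr/payroll.csv": payroll,
        "shared/payroll-copy.csv": payroll,                      # exact duplicate
        "finance/old-invoice.txt": "Invoice 0042 for 12 widgets\n",
        "it/legacy-config.ini": "[db]\npassword = Pa55w0rd-example\n",
        "notes/readme.txt": "Order 1234567890123456 shipped.\n",  # fails Luhn
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    old = now - 3 * 365 * 86400  # backdate the invoice so it counts as stale
    os.utime(os.path.join(root, "finance/old-invoice.txt"), (old, old))
    return inventory(root, now)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.path:28} age={r.age_days:5}d dup_of={r.duplicate_of or '-':20} {r.findings}")
```

Run on a real share the output is the starting point for the controls in the article: stale files become retention candidates, duplicates reclaim storage, and files tagged email, card-number or password are the ones to move behind tighter access first.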
