The true cost of a data breach (Part Two)

Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and that I keep coming back to when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility”, for a few reasons.
Firstly, we have the increasing number of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the original highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Britain, not less.
Secondly, and contrary to popular thinking, stopping data loss and protecting the key information assets an organisation has goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem; it’s a people-process-technology challenge.
In the past, I have heard references to people-process-technology being like a three-legged stool of which you can’t remove any without falling off! This can be considered a fair comparison but, for me, the ‘people’ part of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss I view it like an exoskeleton to the people involved. That may sound a little sci-fi but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with the responsibility and authority to make change happen when it does occur, the impact on an organisation’s bottom line is significantly reduced. I’m happy to predict that the gap between those that take it seriously and those that stick their head in the sand will only get larger in the coming years.
Common Criteria EAL +3 Security Certification – What’s all the fuss about?

Companies have for some time understood they need to safeguard their IT systems from infiltration and viruses. But in today’s sophisticated cyber environment, the protection of data and data integrity needs not only to match the skill and cunning of the cybercriminal; it also has to be in accordance with strict security rules and regulations. Organisations need look no further than the few months leading up to the end of 2011 to see that cyber threats are becoming more frequent and more complex. The Duqu worm discovered in September 2011 is just one high profile danger facing organisations.
In this sense it is true to say that Governments and enterprise businesses face unprecedented challenges in ensuring the confidentiality of data as it is processed and exchanged across data centres. The use of cryptography in the form of encryption offers the most convenient way to protect sensitive data in transit over high-speed backhaul and backbone connections and that is why we went to the trouble of attaining Common Criteria certification EAL +3 for our automated policy management solution, Control Compliance Suite.
Achieving this worldwide standard verifies that the software has completed a rigorous independent process of specification, implementation and evaluation testing, and conforms to standards sanctioned by the International Organization for Standardization (ISO).
But why should this matter?
Perhaps a good person to weigh in on this is Jane Doorly, Vice President European Research, IDC who commented on the importance of compliance today: “In recent years, there has been a higher level of adoption and spending in technologies and services that enable companies to meet their compliance objectives. As a result of this trend, we have seen the importance and relevance of independent testing and Common Criteria certification increase, making it a vital element of an organisation’s purchasing process.”
To our mind, being awarded a security accolade of this kind is not just a testament to the hard work and commitment that goes into making good products; it’s about meeting today’s security needs for the customer and the industry. In an uncertain world where assets are being stolen for profit, intellectual property infiltrated just to prove it can be done, and data integrity tampered with, it is crucial that customers have a high level of confidence and trust in their security solutions. What stronger confirmation is there that a product is up to the job than having an international standard stamp of approval?
Ratcheting Up Information Security…

We have been talking about Information Security for a few years now, but with the changes in legislation earlier this year that mean you can incur £500K fines, it’s time to look beyond the reactive and towards the proactive. Time to move from Information Security to Information Assurance.
So why Information Assurance rather than just Information Security? Businesses rely on information, and most realise that accurate, available and appropriately shared information is key to growing a business. Conversely, missing or inaccurate information in the wrong hands will damage the business and potentially the business’ reputation.
From a security aspect, it is only the security of the information and systems that is taken into account. Data loss prevention and all the now-commonplace measures to prevent it, coupled with endpoint and datacentre security strategies, enable companies to ‘tick the box’. Reporting and auditing are key for this to be provable, so that information is kept safe and the newspapers and legislators held at bay. Assurance is all this – and more! Information assurance is about assessing the business’ ability to keep the information safe, and to ensure that it is accurate and available – to the right people at the right time. It’s about developing a shared understanding across all areas of the business as to how information is used, and it’s about improving the information available according to business priorities.
As we start to move out of recession, but while the purse strings are still being tightly held, it is time to revisit information strategies and look at how information can be used more effectively to drive the business. New rapid assessment services are starting to appear which can build on your information security policies and turn them into information assurance ones.
Guy Bunker
InfoSec 2009

Next week is InfoSec in London, and this year it has moved to Earls Court. It’s always a good event with lots of new ideas and the usual meeting up with old friends and colleagues. My main talk this year is on Cloud Security, on the 29th April, and I will be previewing my presentation on the Symantec stand, along with a talk on compliance, on both the 28th and the 29th.
See you there.

5 Million And Counting

The White House has lost 5 million emails, which is a pretty impressive feat. More worrying is that there is confusion over what is there, what isn’t, and who is responsible. If this had been a company then they would have been hauled up in front of a judge and forced to answer difficult questions; however, governments are a different story and seem to operate on their own rules. When it comes to data loss a government does have a reputation, but there isn’t the competition – you can’t choose to pay your taxes to country X… However, it is up to a government to set a standard and precedent which will give its citizens confidence that, if nothing else, it can look after their information.
Perhaps it is time to have a watchdog for governments and information protection?
Technology & Regulations: Which Leads, Which Lags?

One great question I was asked during my talk at the Affärsvärlden Bank & Finans Outlook 2008 Conference was whether the technology to help with compliance and governance was ahead of the regulations or behind them.
This is a tough one to answer, primarily because the regulations are always changing. However, from 30,000 feet, the story is the same: you need to be able to prove that you say what you do, and that you do all you can to {protect customer data | ensure that systems are secure | prevent fraud | etc}. To this end, the technology is there to help with compliance and you can automate a lot of it. Patch management of systems, followed by auditing which ones are up-to-date and which are not, can be tedious in the extreme if you don’t have the technology to help. Not to mention the management and monitoring of updates to applications, endpoint protection and password strength checks; the list is (almost) endless. Technology helps, and the other big benefit is that you can get a view onto your IT infrastructure and its compliance at any time – not just when the auditors are knocking on the door.
So, if you are looking at compliance, or are just getting into IT governance, look around at the tools available to make it as painless as possible.