It’s the day after the 2018 Data Protection World Forum and I’ve finished flicking back through the assorted data I collected via print and ones and zeros. Before I assess how to store or dispose of it, I’ve decided to share my takeaways.
Whilst the main focus of the conference was GDPR, my interest was cyber security and hearing how organisations help protect their customer and business data.
I’ve been a strong believer for a long time that technology is not a silver bullet for an organisation’s data and security challenges. This was proved right in my preparation for GDPR and was echoed yesterday by the likes of John Lewis, Bank of Ireland, and the National Police Chiefs’ Council in their cyber programmes. There must be a large focus on people and process too!
Obviously, budget plays a big part in each of those aspects, but organisations need to cut their cloth accordingly and ensure that any investment is in proportion to the risk.
The majority of organisations won’t have the same security budget or staff numbers as John Lewis, but their basic workflow could be emulated by all. Steve Wright’s (former Data Privacy & Information Security Officer at John Lewis) first task was to assess the internal landscape. He broke this down into five areas:
- Knowing what, where, and why you need to protect data
- Knowing who has responsibility for data management
- What risk mitigation and protection mechanisms are in place
- Understanding any dependencies on key functions and contractual elements which aid protection (e.g. third-party suppliers)
- And finally, how compliance is monitored, achieved and reported, so that a baseline is available.
From there the key is to plan your ‘defensible position’ and the tactics to achieve it. This can only be done by having the entire organisation on board, and an ‘Internal communications’ function becomes just as important as IT.
Andrew Could from the National Police Chiefs’ Council explained that the majority of successful phishing and spear-phishing attacks (email techniques that encourage either untargeted or specifically targeted recipients to click on a link to a spoof website in an attempt to defraud them) stem from the CEO or senior management.
With that in mind how are C-level staff supposed to know what hyperlinks they should click or not click without training and guidance written for them at their level in non-technical jargon, and who should be responsible for that?
IT and Cyber teams also now need to work more closely with their Marketing teams (and third parties). Pre-May 2018, their remit was to configure systems and lock everything down. Now that we all live with SARs and the right to be forgotten, some of these processes will have changed as a result. All staff need to understand these hot topics and collectively work on data breach prevention.
Once an audit has been completed and your staff are in the know, business as usual becomes constantly assessing and improving your position against your initial baseline. You could also assess it against a framework, such as that of the Information Security Forum (ISF), who recently launched their 2018 framework. To quote Blackadder Goes Forth, “security isn’t a dirty word!”, and as the landscape is constantly evolving, ISF have a formal consultation with members to update their standard every two years.
I guess my final takeaway is about passwords. Almost every speaker suggested moving away from Password1 and using key phrases made up of random words to secure their data.
Now where is N1cksGreenUSB?