Governments giving regulators the power to levy ever greater fines on organisations that fall short of requirements may not seem to be much cause for celebration, but perhaps UK-based IT security managers can find a silver lining in the Information Commissioner's Office's (ICO) newly granted power to impose penalties of up to £500,000 for serious breaches of the Data Protection Act. It all comes down to the value proposition.
Quocirca believes a total value proposition (TVP) should offset the cost of an investment by taking into account three factors - reduced business risk, reduced business cost and added business value. For an IT security manager trying to justify a given investment, the ICO's new powers add weight to one side of the equation.
The problem for IT security managers is identifying what technology will best provide the additional protection that this new regulatory power motivates. The ICO is focused on the protection of personally identifiable information (PII) and this underlines the growing need to focus on protecting data itself rather than the network edge that has in the past been considered one of the most vulnerable points of an organisation's IT infrastructure.
This is not to suggest that network security is no longer needed. Attacks on networks, such as hacking, denial of service and SQL injection, will continue (SQL injection is strictly an application-layer attack that a port-filtering firewall does nothing to stop). But, as Quocirca research shows, confidence in the security of networks is reasonably high, and many businesses have already mitigated these risks by deploying firewalls that allow or deny access to a network and intrusion detection/prevention systems that recognise and block known attack traffic.
As many surveys point out, the biggest threat to corporate data comes from employee error or poor business processes, rather than network-based attacks. The most sought-after type of data is PII in the form of credit card information, which often ends up in the public domain through these lapses.
Data loss prevention (DLP), the first of the three technologies discussed here, protects data used and created within an organisation and shared externally. DLP tools can recognise whether data has already been labelled as sensitive or should be treated as such, and can search and classify existing data. They also allow policy to be defined about who can do what with a given type of data, for example:
- All credit card information must be encrypted for transmission.
- People in the finance department cannot e-mail spreadsheets externally.
- Specified documents cannot be copied to a mobile device.
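To make the two halves of that description concrete, here is an added example (not code from the article or from any DLP product) of how a DLP engine combines content classification with a policy check. It goes slightly beyond the text: rather than only honouring an existing label, it also detects unlabelled card numbers by pattern plus Luhn checksum, which is how real products avoid flagging every 16-digit reference number. The `Event` fields, the label names `pci` and `no-mobile`, and the violation identifiers are all assumptions made for the illustration; the sample inputs are constructed.

```python
"""Toy DLP classifier and policy evaluator.

Added example, not Quocirca's or any vendor's code. Label names, event
fields and violation identifiers are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str, labels: Optional[Set[str]] = None) -> Set[str]:
    """Labels already applied to a document plus labels derived from its content."""
    result = set(labels or ())
    if find_pans(text):
        result.add("pci")       # assumed label name for card data
    return result


@dataclass(frozen=True)
class Event:
    text: str                   # content being moved
    labels: FrozenSet[str]      # labels already applied, e.g. by the author
    department: str             # sender's department
    channel: str                # "email", "web_upload", "usb", "mobile_sync"
    external: bool              # does the transfer leave the organisation?
    encrypted: bool             # is the transfer encrypted?
    filename: str = ""


def evaluate(ev: Event) -> List[str]:
    """Return the policy violations for an event; an empty list means allowed."""
    labels = classify(ev.text, set(ev.labels))
    violations = []
    # 1. All credit card information must be encrypted for transmission.
    if "pci" in labels and ev.channel in ("email", "web_upload") and not ev.encrypted:
        violations.append("pci-unencrypted-transmission")
    # 2. People in the finance department cannot e-mail spreadsheets externally.
    if (ev.department == "finance" and ev.channel == "email" and ev.external
            and ev.filename.lower().endswith((".xls", ".xlsx", ".csv"))):
        violations.append("finance-spreadsheet-external")
    # 3. Documents labelled 'no-mobile' cannot be copied to a mobile device.
    if "no-mobile" in labels and ev.channel in ("mobile_sync", "usb"):
        violations.append("mobile-copy-forbidden")
    return violations


if __name__ == "__main__":
    # Constructed sample events for a quick run.
    samples = [
        Event("PAN 4111-1111-1111-1111 for refund", frozenset(), "sales", "email", True, False),
        Event("Q1 numbers attached", frozenset(), "finance", "email", True, True, "q1.xlsx"),
        Event("board pack", frozenset({"no-mobile"}), "legal", "mobile_sync", False, True, "pack.pdf"),
        Event("ref 1234567812345678", frozenset(), "support", "email", True, False),
    ]
    for ev in samples:
        print(ev.channel, ev.department, evaluate(ev) or "allowed")
```

The fourth sample shows why the Luhn check matters: a sixteen-digit ticket reference passes the regex but fails the checksum, so it is not classified as card data and the unencrypted e-mail is allowed. In a real deployment the classifier would also honour labels stamped by the discovery scan the text mentions, and the policy table would be data, not code.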
Encryption is already widely used, but could be more so, especially to protect data at rest on end points: the laptops, smartphones and USB sticks that make employees more productive but are often left in taxis and on trains. Loss or theft of such devices is the most common way in which data leaks into the public domain. In the UK, being able to demonstrate to the ICO that a stolen laptop was protected by full disk encryption can be the difference between a large fine and no fine. That demonstration needs evidence: a record that encryption was enforced on the device at the time it went missing, and assurance that the key did not go with it (no passphrase on a note in the laptop bag, no device left powered on with the volume unlocked).
It is one thing to encrypt data on user devices, but to remain productive employees need to decrypt it and get on with their jobs. The third technology, end point protection, extends DLP to user devices, dictating what can and cannot be done with given types of data once they are decrypted and in use.
There are plenty of good reasons to protect PII other than the worry about fines, and the technology recommended here provides plenty of benefits other than protecting PII. When looking at a TVP for a security investment, fines and loss of reputation are becoming an ever bigger part of the price for lapses, but there is also great value in sharing data safely if the risk of the wrong data getting into the wrong hands can be mitigated.
This was first published in April 2010