Confidence in data security part 2 - Weak links - the info supply chain

A previous blog post, Room for improvement, showed that organisations which invest in user education, advanced technologies and the ability to co-ordinate both security policy and incident response improve their confidence in data security. All well and good, but what does this do for an organisation other than help prove it is able to meet various regulatory requirements?

The research reports behind this series of blogs also looked at the impact confidence in security had on information supply chains. Manufacturers and retailers in particular have extensive physical supply chains to move goods around. However, all organisations now share data with external users across public networks through information supply chains and all can exploit these better if they improve their confidence in information security.

The complexity of these information supply chains varies. They are more complex when overlaying an extensive physical supply chain, in larger organisations and when the individuals and organisations involved cover a broad geographic area. More complexity provides more motivation to invest in the measures that improve confidence in data security. The investments made vary depending on the types of data involved.

In retail, distribution and transport, payment card data is by far the greatest concern. To protect this there is more likely than average to be investment in next generation firewalls (that help deal with the PCI DSS requirement to secure applications), policy based access rights to cloud resources and locking down user end-points, for example through configuration change controls and mobile app management.

Financial services firms also worry about payment card data; however, personally identifiable data (PID) comes a close second. To protect PID similar technologies are favoured; however, the degree to which a given organisation is more likely than average to invest is considerably higher than it is for payment card data. The reason for this is that the security of payment card data can be outsourced to payment gateway providers, whilst the ultimate responsibility for PID always remains with the data controller (the business that owns the data) regardless of where it is stored.

When it comes to intellectual property (a big concern for manufacturers) data loss prevention (DLP) and digital rights management (DRM) are high on the list of technologies that are more likely than average to be deployed. Even higher on the list are ways to monitor user behaviour in the cloud and on end points.

Effective information security is not just about ticking boxes to meet the expectations of regulators (although that is necessary), it is about providing the confidence to safely share information far and wide through the increasingly complex information supply chains that enable business processes. Those which fail to do this will lose the confidence of customers and partners. Losing that will probably damage your business faster than any regulator can.

Quocirca’s report, Weak Links, was sponsored by Digital Guardian (a supplier of data protection products) and is free to download at the following link: