I’ve been trying to make the point that we can’t protect data by following a checklist and filling in an audit sheet. These tools can assist us to identifying where we think the problems are but at the end of the day we invariably get caught out where we least expect it in spite of all the tools that we have.
Let’s take a hypothetical situation. You’ve been asked to assess and identify issues around data security for a particular customer database – where do you begin?
There are numerous places to begin. Some might firstly want to look at policies governing access to the data. This could be followed up with an assessment of the network infrastructure controls . Then you’d probably want to look at how access is granted to the data and so on. So, how does the data get into the database in the first place? Perhaps it’s from a form that customers complete online. In which case, does the data first get stored somewhere else before it gets into the database? Now when you start digging into questions such as this is when you start to realize the scale of the challenge.
It’s likely that the data doesn’t just exist in a single place. It might be on a server that’s hosted externally, it’s likely that reports from the data have been created so it’s also on spreadsheets. These spreadsheets have probably been emailed. Those emails have likely been printed.
What about back-ups. There is more than likely a formal back-up process onto tape. That’s good. But individuals like to have their own back-ups too. So, process owners might also have copied the data into a multitude of locations: local drives, network shares, USB sticks.
So, while the initial task to look into the security controls around a particular database may appear straight forward enough, it never actually is.
At which point in the chain will the data compromise occur? It wont be where you have the strongest security.
If a data breach occurs and you don’t know about it then did it really occur and does it matter? Absolutely it does. Every record in that customer database has cost you pounds and dollars to collect. Every record represents potential revenue to your business. Every record represents an individual or organisation that has a right to expect that the data you have collected about them is something you actually give a damn about and will go out of your way to protect.
In some cases we’ve become fixated on compliance and only seem to care about data if we’re likely to fall foul of legislation in the event of a breach. But let’s step back to some fundamentals of information security: The “c” stands for confidentiality, not compliance.
If this sounds like I’m standing on a soapbox then no apologies. Somebody has to….