Security Think Tank: Ignorance about data is tantamount to negligence

If you don’t know where your or your customers’ data is stored, processed or transmitted, you have already put data at risk; and need to disclose this to the information commissioner and clients.

Not knowing where data is located is a data breach in itself, no matter how harsh this sounds. It’s a bit like not knowing where your kids are. The authorities would have you for negligence!

Figuring out where data flows is pretty straightforward. Just ask your staff. You don’t need technical wizardry to sort this out – it’s basic business process analysis. You might want to task a business analyst to help. The good news is they’re cheap; and aren’t going to break the bank like tasking a Big 4 consulting firm to come in and do it for you.

Your staff should also know with whom they share data, however the common misconception here is that “sharing” is a voluntary, conscious action, whereby somebody gives data to somebody via an email or USB stick. This is wrong. Sharing means “giving access to”.

In a typical small and medium-sized enterprise (SME) environment, data will be shared with a cloud-based accounting system, customer relationship management (CRM) system or backup system and professional service companies like accountants, solicitors, marketing companies and even penetration testing firms like 2-sec!

Data sharing is ubiquitous; and is one thing regulation is trying to stamp out unless absolutely necessary and legally justified.

Even today I received a reference request for an ex-employee. The letter lists all their personal details, including date of birth and national insurance number. Where does it get sent? To our generic inbound enquiries mailbox. In effect, to our whole sales team. They missed the HR department all together.

Stuff like this needs to stop. It won’t be soon until the Information Commissioner’s Office (ICO) starts unleashing fines on those with no apparent regard for privacy; and I hope it starts soon.

Even my own data gets shared. I recently took out a tenancy agreement for a short-term let. The agency passed my details to a broadband sales company, who hounded me non-stop to buy some broadband that I already had.

When I complain, the companies don’t even know what the General Data Protection Regulation (GDPR) or Data Protection Act (DPA) is, let alone the ICO. It is time for it to get some teeth and start enforcing our right to privacy.

The data-at-rest scenario is the trickiest bit to solve. While we might know where data flows, we’ve typically no idea at which point it may be stored. This is where third parties need challenging; and indeed your own staff. Are backup tapes still kept in someone’s garage? Does your third-party supplier just take your money and say they’ll keep data safe, or do they actually keep it safe?

I’ve performed plenty of audits in the past, but one thing that always crops up is clients not challenging their third parties when they’ve every right and reason to do so.

Just because you’re dealing with a big corporate entity, that doesn’t mean data is secure. One of the world’s biggest cloud services providers has had its own challenges, but customers assume that because they’re massive, then surely they know how to look after data and keep it secure... but do they?

Stay vigilant. Ask lots of questions. Be the thorn in the side of your favourite supplier; and let’s start seeing some momentum so that we all start properly respecting our customers’ privacy.