Skip to main content

ISACA EuroCACS preview: Protecting data in the security storm

One thing is for certain: the magnitude and severity of risks in business are increasing significantly. A data breach, in the near future may end up costing an organisation two per cent of its global revenue under the proposed EU Data Protection Regulation. Along with the increasing severity, the likelihood of the risk actually materialising is growing on a daily basis.

This is mainly due to the large scale adoption of (1) cloud computing (2) mobile devices and (3) social media. These all come together to create the 'perfect storm'. If these elements together create the perfect storm, then the lightening that is produced is unstructured data, which has now become the norm in most organisations.

The concern around this data set is how do organisations control and monitor something that is inherently unstructured, fluid and extremely dynamic in nature? Especially given that the generation and consequent transportation - and even destruction - of unstructured data is a challenge only just in its infancy.

The risks associated with the perfect storm:

-Unauthorised and intentional data leakage, both of customer confidential (more commonly known as PII-Personally Identifiable Information ) and company confidential data

-Reputation damage due to data breach, social media account hack or other hack

-Web and e-commerce services being unavailable due to denial of service attacks

-Identity theft and abuse

-Privileged user abuse: accidental/intentional abuse of systems by privileged users (privileged users are users who have extended rights and privileges like deleting all files in a server or accessing, copying, changing salaries)

-Big data: missing the "needle in the haystack" - this "big data" is so big, literally, that although there may be tremendous value in it, the risk lies in the inability to find the needle

The threats of most concern:

-Spear phishing, where employees can be targeted with specific emails based on LinkedIn or Facebook profiles, tweets or 'likes' etc

-Advanced malware and advanced cyber attacks: today, the adversary has the money, people and technical know-how to launch some of the most advanced attacks - often zero day - that are simply too difficult to detect for most governments, let alone organisations

-Unauthorised access to confidential data: The rogue insider, the privileged user, whether it's in your organisation or in the cloud/service provider's organisation having the ability to pry into company confidential data

These threats should be of concern to every department within an organisation - particularly, marketing and security. Marketing departments that are heavily dependent on customer behaviour from websites that collect a tremendous amount of data are becoming, second to IT, probably one of the largest generators of data; and emerging technology plays a huge part in this. Technology as a whole is one of the primary contributors to unstructured data, as there are many different sources -including mobile devices such as smartphones, tablets, smart watches and other wearable tech, like Google Glass, for example.

Most organisations still use the awareness approach, where they put someone in front of a machine and require him or her to go to a boring five to 10 minute computer presentation following which they confirm and tick a box that they understand what they have just seen. This is then reported as "we have delivered training". This will often be a compliance exercise rather than proper education.

This is something that is addressed in ISACA's COBIT 5 business framework that helps enterprises in all industries and geographies govern and manage their information and technology. It states that business value and business risk relating to cybersecurity are strongly influenced by organisational and individual culture expressed by end user behaviour patterns, habits and social interactions. In governing and managing cybersecurity, these factors should be taken into account and incorporated into strategic, tactical and operational security measures.

Therefore, my approach involves engaging the end-user on a personal level. The concept being that if I can help the end-user protect and secure his/her cyber life, I can engage him/her at every level that is personal to him/her. Because I have added value to the end-user's cyber life, this user will then use that same knowledge and awareness to apply to the corporate cyberspace.

Help the end user understand two basic concepts:

Personal exposure rating: A term which can help individuals understand what level and type of information is available about them on the internet. The human remains the single weakest link in the chain.

Over-sharing: Relentless, thoughtless or intentional sharing of data using mobile devices, the cloud and social media.

Why are the above two of great concern? There are two approaches in protecting the crown jewels of an organisation (defined as the key, critical, reputation and profit and loss affecting systems and data). One is technology. The other is people. I would argue that technical advances are always getting exponentially, if not incrementally, better at protection. However, humans remain the weakest link.

Until we all turn into cyborgs, we will need to employ humans to plan, build, configure and maintain our digital systems and the data in those systems. These same users are, like the rest of humanity, always connected to the Internet with their increasing multitude of smart devices. These users are intentionally or accidentally sharing mostly useless, but sometimes very useful and critical, information that could form the basis of some of the most complicated attacks (APTs).

In order for security technology to be taken advantage of fully, we have to get the human element right, meaning that we need to ensure the people behind the technology have the best support and education they can get, rather than merely a box ticking exercise.

Amar Singh, Chair of ISACA London's Security Advisory Group, will be giving a keynote speech at the 2013 European Computer Audit, Control and Security (EuroCACS)/Information Security and Risk Management (ISRM) conference that will take place at Hilton London Metropole on the 16th - 18th September 2013. ITProPortal will be reporting from the event.

The "New Era, New Edge" event is hosted by ISACA- a non-profit, global association serving more than 110,000 IT governance, assurance, risk and security professionals—and will address hot industry topics such as data privacy, the consumerisation of IT, bring your own device (BYOD), cloud services and social media governance. To find out more, visit the ISACA EuroCACS event page.