Breaches are more expensive than security

by Mark Rowe

Security starts from the ground up, writes Derrick Harris, Product Manager at software platform Pivotal.

The might of the General Data Protection Regulation (GDPR) was unleashed over the summer, with the UK Information Commissioner’s Office doling out a record-breaking £238m worth of fines – a number that is sure to grow. Since its introduction in May 2018, whistle-blower reports over data breaches to the UK’s data watchdog have soared by 175pc.

While a lot of GDPR discussion is still focused around the idea of not abusing citizens’ personal data, companies should not forget that the GDPR also imposes stiff fines for data breaches where companies (or their service providers) have been negligent in securing personal data. The question is, however, will these record-breaking fines establish any sort of baseline for data security practices, and how far will such standards reach both legally and geographically?

Even if companies accept that a cyber-attack is inevitable, there are still big differences between organisations leaving the door wide open to bad actors, and others doing everything they can to secure their operations. What remains unclear is what a defined standard for minimally acceptable security practices would look like.

So, what’s an organisation to do if it wants to keep data—especially personal data—safe? One option would be to consider it a “toxic asset” and store as little of it as possible, as security expert Bruce Schneier suggests and as the GDPR lays out as a best practice. But, as Schneier acknowledges, that’s not likely to happen with many companies, because they still see too much potential value in having it around—if not for analysis, then at least for easier billing, subscriber management, and other administrative reasons.

Given the above, organisations need to be proactive about keeping all their sensitive customer data secure. And that means implementing best practices at every level of the organisation — from infrastructure to applications and email hygiene. Some obvious solutions include:

  • Making data more secure via encryption, differential privacy, or some other anonymisation technique;
  • Buying more software to detect threats or intrusions;
  • Hiring more security personnel; and
  • Educating employees to avoid phishing and other social-engineering attacks.

They’re all smart things to do, but none of them is foolproof on its own. What’s more, demand for security talent is so high (or, perhaps, companies’ requirements for security roles are so high) that a survey found cybersecurity second only to artificial intelligence in terms of hiring difficulty. In this case, throwing more people at the problem is not a scalable solution.

Some less-obvious (because they might not come from “security” vendors) solutions include automatically upgrading and patching application components, and regularly repaving application infrastructure in order to expunge any system-level malware or advanced persistent threats.

Another practice gaining momentum at the application level is using tools that automatically scan code for vulnerabilities and offer guidance on how to remedy them. However, before jumping the gun, companies must remember to identify the problems or opportunities first, rather than locking into a solution (“We are going to solve this compliance issue with AI!”) and then looking for places to apply it. This is because the ideal solution might look different for everyone and every application depending on business requirements, legacy systems, and what kind of talent a company has in place to carry it out.

Whatever is holding a company back from getting its data security house in order, it shouldn’t be money. Especially for large enterprises storing huge amounts of personal data, all of this might very well cost less over the course of its lifetime than the fallout from a single major security incident.

© 2024 Professional Security Magazine. All rights reserved.