Don’t Drop The Ball, eh, Data..!

Infosec is about protecting your most valuable asset – your data. Evading and staying ahead of your opponents, attackers and competition all the way! Yours truly (our CEO) is doing just that: securing the ball and sprinting out of harm’s way.

Our CEO Clinton Walker plays American Football and he knows all too well the risks that lie ahead, or that are waiting for him on his way to scoring his goal.

Implementing, practising and managing information security and its associated threats is a game: it is made up of multiple vectors and actors, just like your team, in whatever capacity you view it. It is a collaborative approach that requires great negotiation skills, professionalism and risk-taking.

Like any team, everyone is playing to win.  In this case, winning is about protecting clients’ data and evading various obstacles and curve balls hackers throw at you.

So just how do you keep that golden ball/data safe?

  1. Know your asset (data)
  2. Assess the likelihood of risks that could be associated with it
  3. Ensure that you implement controls to address any risks and/or potential threats to your asset
  4. Continually review and update the risk profile of this asset
  5. Ensure that this is kept secure at all times, whether it is on premises or in the cloud
  6. Know your opponent
  7. Do not get fouled or get caught out with any unnecessary penalties
  8. Build your credibility through good practice, partnership and show good governance and gamesmanship
  9. Educate and continually train your team to identify, report and mitigate gaps in the field and in any processes or in the game they play
  10. Be open to new approaches and thinking in managing risks and ensure that your data is managed securely at all times

The Inside Threat

Insider Threat… the root of all evil when temptations and unfavourable circumstances are overbearing…

Time and time again ‘the Business’ gets into a panic amid a plethora of noise about a new or reincarnated version of malware/botnets. However, whilst we are caught up in the noise/hype, the technical acronyms and the race to get a new fix in, our esteemed internal colleagues are plotting a sly way to steal your treasure – your data.

Insider threat has always been on the radar, but the political correctness of organisations tends to be a bit soft and fluffy about the trust placed in their employees. On one hand it’s great to have an established view that… I trust all my employees. However, I am a realist, and we must not forget that we live in the real world where data is a strong currency and not everyone who works for you shares your vision and company ethos.

The phrase ‘keep your friends close and your enemies closer’ could easily be twisted to say ‘keep your enemy close and your employees closely monitored’.

Time and time again you see examples of data breaches in the news, be they deliberate or accidental, and we wonder why this keeps happening.

Over the last 12-18 months there has been a spate of incidents involving household brands such as Morrison’s, The Government and other private entities. For Morrison’s, lightning struck twice in the same place. It is a very telling story considering where cybersecurity was in terms of Board-level visibility 5-10 years ago. The Board can no longer ignore the fact that they are live targets; it is not a matter of ‘if’, but of when we find out that we have been hacked. There was a time when most data breaches arose in the public sector, and some private sector companies grinned quietly as if to show off their level of investment and robustness. However, what we are seeing now is a state of humility and a quiet shuffling of the cards to make strides towards hardening, and towards ensuring that information security is talked about and embedded throughout the organisation.

Whilst most tech-savvy people and Infosec enthusiasts know, or at least acknowledge, that cyberwar is currently about firefighting for most companies, it is equally true that some SMEs just do not have the resources, finance or appetite to even start considering defending their business.

However, there are some things that companies can do on their own, with ad-hoc or consistent third-party support. Here are some of the things that can be done to start building a foundation…

  • Develop a policy and share it with everyone in the business… discuss the challenges and get feedback to improve it as your business evolves
  • Help employees to understand the drivers/reasons behind these policies and the importance of adhering to them
  • Use software tools as part of the strategy to complement policies, and monitor and update data security controls as necessary

So what’s the solution?

Whatever the solution, we will always be human and we will always find a way. This is always going to cut across the people, process and technology landscape…

People

Provide current, realistic training and awareness for all employees. The training should be tailored to team and individual roles. We cannot over-emphasise the value of good training. After all, most, or at least a great proportion, of the breaches that occur are down to human error and are accidental.

Process

This is a very broad area and can lead to various interpretations. However, in terms of process in this context, I am referring to:

(1) A process to access what is considered privileged data

(2) A process to proactively monitor staff activities to spot trends and spikes in behaviour: not just random one-off behaviours, but long-term persistent activities.

(3) Staff profiling and (external) network connections to outside affiliations that could cause concern by association, with the potential for blackmail, bribery, etc.
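Point (2) above is the one that lends itself to a worked illustration: a monitoring process has to catch both a one-day spike and the quieter, long-running elevation that a spike-only rule misses. The script below is an added example written for this post, not code from the original article or its author. It constructs its own sample access-log lines (the log format, user names, dates and thresholds are all assumptions made here), builds a per-user baseline of daily accesses to a sensitive share from the first few days, and then flags two kinds of deviation: a single day well above baseline (a spike) and several consecutive days moderately above baseline (persistent activity).

```python
"""Behavioural monitoring over access-log lines: spikes vs. persistent elevation.

Added example for the 'Process' point (2) above; not code from the original post.
Log format, users, dates and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta


def build_sample_log():
    """Constructed sample log (not real data): one line per access event.

    Format assumed here: "<ISO timestamp> <user> <action> <resource>".
    alice is steady, bob has a one-day spike, carol drifts upwards and stays there.
    """
    plan = {
        "alice": [2, 2, 2, 2, 2, 2, 2, 2],
        "bob":   [2, 2, 2, 2, 2, 12, 2, 2],
        "carol": [2, 2, 2, 2, 2, 5, 5, 5],
    }
    start = date(2015, 3, 2)
    lines = []
    for user, per_day in plan.items():
        for offset, n in enumerate(per_day):
            day = start + timedelta(days=offset)
            for i in range(n):
                lines.append(f"{day.isoformat()}T{9 + i % 8:02d}:00:00 {user} READ hr-share/file{i}.xlsx")
    return "\n".join(lines)


def parse_log(text):
    """Return {user: {YYYY-MM-DD: number of READ events}} from log text."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, _resource = line.split(maxsplit=3)
        if action != "READ":
            continue
        counts[user][timestamp[:10]] += 1
    return counts


def detect_anomalies(counts, baseline_days=5, spike_factor=3.0,
                     elevated_factor=2.0, persistent_days=3, min_baseline=1.0):
    """Flag (user, kind, day, count) tuples against each user's own baseline.

    baseline  : mean daily count over the first `baseline_days` days, floored at
                `min_baseline` so a user with near-zero history is not flagged
                on the first access they ever make.
    spike     : a single day at or above spike_factor * baseline.
    persistent: `persistent_days` consecutive days at or above
                elevated_factor * baseline (reported once, on the day the
                streak completes).
    """
    findings = []
    for user, per_day in sorted(counts.items()):
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge against
        baseline = sum(per_day[d] for d in days[:baseline_days]) / baseline_days
        baseline = max(baseline, min_baseline)
        streak = 0
        for day in days[baseline_days:]:
            n = per_day[day]
            if n >= spike_factor * baseline:
                findings.append((user, "spike", day, n))
            if n >= elevated_factor * baseline:
                streak += 1
                if streak == persistent_days:
                    findings.append((user, "persistent", day, n))
            else:
                streak = 0
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(build_sample_log())):
        print(finding)
```

Run stand-alone, it reports bob's spike on 2015-03-07 and carol's persistent elevation completing on 2015-03-09, while alice produces nothing. The two thresholds are deliberately separate: carol never reaches the spike factor, which is exactly the long-term pattern the text says a spike-only view overlooks. In a real deployment the baseline would come from a longer, rolling window and the findings would feed a review process involving HR, not an automated sanction.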