Not All Data is Equal in the New Threat Landscape facing CIOs

Hands-On with the Cyber Security Twitter Clinics by Dr Guy Bunker. 

This week’s blog is a round-up of the insight into the Live Twitter Clinics held on Twitter to celebrate Cyber Security Month. I was very pleased to be able to participate and contribute to the engaging discussion that took place.

To summarise the insights, questions and key messages taken from the conversations, I’ve provided some in-depth answers to a few common - and important- questions.

We’re happy to hear your comments back or if you have any questions you’d also like to ask.

For a full summary of the Business Value Exchange Twitter Clinic, visit Not All Data is Equal in the new Threat Landscape facing CIOs, and search #IT Value and @Clearswift.

Is the ICO regulation’s new enforcement of data protection, including its imposition of huge- possibly detrimental; fines on companies indicative of a real threat, or just another way to extort money from UK businesses?

New regulations are constantly being introduced and the impact is then felt on many organisations, big and small. These regulations are being introduced (and constantly tightened/refined) as security breaches and data loss/ theft are evidently having a big impact on individuals and organisations as a whole, through reputational damage. It is the latter, reputational damage, which is more concerning to most organisations rather than the fines that can be imposed, although the introduction of fines based on global turnover will probably focus the minds of many executives, especially in the EU.

While it is often thought that information security frequently plays on FUD (fear, uncertainty and doubt) the reality these days is that the technologies used to help in security can also be used to drive good governance within an organisation, or good Information Governance as the case might be. New Information Governance solutions are emerging to help organisations understand where their critical information is, how it is communicated and with whom. Understanding this can help make the business more agile as well as help in putting together an effective information security programme. 

While the regulations and legislation will continue to change, good Information Governance will help the organisation effectively understand the impact of the changes and how to address them.

Work is becoming an experience, not a work place – security needs to adapt to the mobile environment – with so much software available, how can I determine what I need when BYOD is such a broadlyused term?

The biggest problem which organisations face is that they don’t understand where the value in their information lies, or where their information is stored. Without that understanding, it is very difficult to put in place a protection strategy.

Terms like BYOD and cloud are thrown about, without the fundamental understanding around where they actually apply. Organisations need to look at their information and the value it holds (what would be the effect if it was lost, or fell into the wrong hands?) and then look at the policies protecting it and the technology available to monitor and enforce that protection. For some information, it may be that it NEVER leaves the organisation and so is NEVER sent or able to be accessed from a mobile device, for example patient records.

For other information there may need to be encryption to help prevent it from falling into the wrong hands. For most devices there will need to be security policies, use of a password on a smartphone is really important, and perhaps backed up with some technology as well, e.g. encrypted partitions, segregated data areas, remote wipe/kill.

So, it all comes down to risk… and understanding the consequences associated to the risks. Without this, and the misconception that all information is equal, the organisation could end up spending large sums of money which are ineffective.

In the growing world of freelance working, how can companies instil a uniform data security standard and enforce its policies?

In the good old days, there was a perimeter around an organisation and it was this which could be protected with firewalls and gateways. While these are still valid, the perimeter is also changing and it now needs to go around the information as well. Security has always required a defence in-depth strategy and that is still the same, the depth is just a little deeper!

It is interesting to note that freelance working (also known as collaboration...) is to all intents and purposes similar to BYOD and even inter-company collaboration, in that the information that ‘you’ are responsible for and that needs to be protected is stored and accessed from a device which is not under ‘your’ control. There needs to be policies and processes around how people work together and, ultimately, these need to be backed up with technology to monitor and enforce. 

In many cases, the use of Adaptive Redaction (consistent, automatic, policy-based removal of critical business information that is not supposed to be shared) can assure the business that only the correct information is shared. It can also be used to ensure that ‘hidden’ information from comments, revision history and hidden properties are also removed before content is shared. Finally it can be used to protect organisations from hidden active content which may inadvertently travel inside a document which is then shared.

With technology changing so rapidly, and hackers advancing so quickly in their methods, how can I be sure my security policy is constantly working? A product is no longer “100%secure”, regardless of what I pay – it needs to adapt to threats and maintain the level of defence. How can I be sure this is happening in my company?

It is not just technology that is changing, business practices and threats are also changing very rapidly. It is becoming increasingly difficult for the CIO to keep up with the changes – but they need to. Along with all the other changes, the changes in legislation mean that there could be potential ‘company killer’ events that occur through information security breaches. Businesses have always run on ‘risk’ – after all it is ‘risk / reward’ which mean that companies exist. Without the reward, there would be no reason to be in business.

This is where SMEs should seek help and advice from their suppliers about the newest threats and how they can mitigate them.

Whereas security policies used to be reviewed once a year (if lucky) today they really need to be looked at once a quarter – just to see if there have been changes to business practice which need to be taken into account. For example, is the use of ‘social media’ something the company uses? If so, are the policies in place adequate to protect the company from inadvertent or malicious use of the corporate login? Is there a trend towards a new mobile device, or even a new release of an OS for an existing one? What are the opportunities for data loss and how can they be prevented? For example, when automatically backing up information from a device to the cloud, if it cannot discern personal from company information then it should be switched off to prevent the possibility of a data leak.

So the challenge is to stay ahead of the curve… regularly check policies. Regularly check whether the technology you currently have can be used to mitigate new threats – it is surprising how many organisations have technology which is underutilised. For example your email gateway, which was bought for anti-virus / anti-spam, may also be capable of DLP but as it wasn’t bought for that purpose no-one has noticed that the existing functionality can be used to solve the new problems. Regularly check employees are aware of changes in policies and inform them on how they can keep the organisation’s critical information safe.