BreachExchange mailing list archives

Data protection starts with security, but disclosure remains key


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 10 Feb 2016 17:24:44 -0700

http://www.cso.com.au/article/593480/data-protection-starts-security-disclosure-remains-key/

When you lock up your home, you don’t board up the windows or roll steel
gates across the property to ensure its safety. But while a simple lock
isn’t difficult for thieves to bypass, your home is protected by the bigger
picture; the door lock combines with the alarm system, neighbours, perhaps
a dog barking, the police and common law to deter intruders. In this
regard, cyber security is much the same – networks (and the Internet) are
multi-layered entities containing confidential data that needs to be
protected through a multi-layered strategy. That means defence in depth and
breadth.

To effectively protect clients’ and consumers’ personally-identifiable
information, intellectual property and other sensitive content,
organisations must first evaluate what data should be treated as
confidential. This will vary depending on vertical industry. Once
prioritised, rules must dictate which systems and personnel are able to
access and use it. These factors contribute to a ‘data footprint’ – the
bounds that constrain the data’s flow within the organisation to minimise
risk.

When these parameters are established, organisations need to adopt the
appropriate technologies to safeguard data. These must be underpinned by a
virtualised network that encompasses approved systems and all
communications paths. The network will not only segment business
requirements, but also create a level of invisibility so the data remains
proactively hidden to hackers.

Finally, a set of daily security practices needs to be implemented to
eliminate human error, whether it’s eliminating shadow IT (the use of
unauthorised devices and applications within the network), defining data
sharing restrictions, or generally advising employees on what can and can’t
be done with data.

But security doesn’t end with technology and policy. Organisations must
create transparency with their stakeholders by employing data disclosure
directives to keep clients and consumers informed of threats and breaches.
While the Australian Government may soon pass legislation to enforce
mandatory breach notifications, the fact is that there were 110 voluntary
data breach notifications made to the Office of the Privacy Commissioner or
OAIC in 2014-15, while many would have been intentionally swept under the
rug.

A lack of breach disclosure not only risks the integrity, security and
potential safety of trusting consumers, but inhibits the wider community’s
ability to prepare for and prevent similar incidents from occurring.

In its 2015 Australian Privacy Index [PDF], Deloitte reported that 33 per
cent of organisations have had a privacy issue relating to their customers’
data, while 18 per cent of survey participants (persons) received a
notification following the loss of their personal data by an organisation.

Perhaps surprisingly, while there is fear around publicising a breach,
Deloitte also indicated 73 per cent of the public who received a breach
notification did not trust the organisation any less.

The reality is that there is no good reason for an organisation to hide a
data breach, particularly if it can prove due diligence and solid forensics
before and after the fact – as outlined in the strategies above.

And breach disclosure will only continue to rise in importance as more and
more devices are connected to networks in the Internet of Things, therefore
expanding the potential numbers of access points through which an attacker
can enter the network.

So in fact, attempting to sweep an incident under the rug could prove more
damaging, particularly if it comes to light through other means or after a
significant period of time. It shows blatant disregard as an owner of the
confidential data, and is likely to have a more profound impact on the
organisation. Should the Government’s proposed legislation go ahead as
drafted, organisations will be forced to take security more seriously,
adding to the breadth and depth of data security strategies to protect the
home with multiple layers rather than a single lock.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which
vendors to trust. Contact us today for a demo.