Down to the bone
Human error can be the undoing of the best data security measures, so the most effective place to secure data is at its most basic level.
Information security has never been a higher priority than it is right now, with new risks emerging daily and significant penalties for non-compliance with the gamut of data protection legislation.
The need for data security and privacy is now pervasive among financial services and any organisation that processes and manages private and confidential data or acts as a custodian of clients' data.
Enterprises across all industry verticals are investing heavily in multi-layered security, staff training and awareness in a bid to lock down their sensitive data and ensure only those authorised to access it can do so.
Unfortunately, most security measures are prone to human error, particularly when people are working under pressure.
A new Bitglass report finds one in three companies surveyed had a data breach caused by an insider in the past year, and over half said these had become more frequent in the past 12 months. 71% were most concerned about accidents and inadvertent leaks, such as breaches caused by risky mobile app usage or the accidental external sharing of corporate data.
Employees rushing to deliver on operational needs may share passwords or access to restricted data. Developers designing and building new systems or functions may be tempted to use live, unencrypted data to test them, raising huge risks for the organisation. Off-site copies of sensitive data likely exist on memory sticks and employee laptops that are taken home, and data in transit on removable media and mobile devices is data at risk.
These accidents and malicious breaches come at a significant cost: the recent Ponemon Institute 2016 Cost of Data Breach Study: Global Analysis Benchmark revealed the average cost of each lost or stolen record was $158 last year, with the average total losses due to data breaches topping $4 million among respondents in the research study.
Putting the likelihood of a material data breach involving 10 000 lost or stolen records in the next 24 months at 26%, the report cited incident response teams, the extensive use of encryption and endpoint security as among the most effective measures for lowering the cost per breach.
So regardless of all the checks and balances put in place to safeguard data, organisations are still very vulnerable, especially when data is in transit.
Training and awareness, while important, are not a guarantee of compliance with governance, risk and security protocols either. A recent information security survey conducted by Ipsos found that security training is not having the desired outcomes among staff. 78% of US SME owners and 51% of C-Suite respondents report they only conduct employee training on their company's information security procedures once a year or less, and experts suggest employees may forget 50% of training information within one hour of a presentation.
The most robust way to secure data and protect privacy is to embed all the necessary security and privacy rules and controls in the business and technical processes and databases themselves, 'at the bone': on the artefacts, right down to table and field level.
When all rules and constraints are built in at this level, the security travels with the artefacts, so access rules are enforced wherever the data goes. For example, an encrypted document can only be decrypted by someone who holds the correct password or key, and an unauthorised person opening a spreadsheet might see only the template, with none of the field values visible.
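What "security at table and field level" looks like in a relational database, as an added example that is not part of the original article or the author's own material: the sensitive field is stored only as ciphertext, column-level grants decide who may even read it, a view hands analysts a masked form without ever giving them the key, and row-level security limits every role to its own branch. The table, role and setting names (customer, app_clerk, app_analyst, field_key, app.branch) are hypothetical names chosen for this illustration, the ID number is a constructed value, and the example assumes PostgreSQL with the pgcrypto extension.

```sql
-- Added example (PostgreSQL + pgcrypto), not from the original article.
-- All object, role and setting names below are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE ROLE app_clerk;     -- front-line staff: names and branch, never ID numbers
CREATE ROLE app_analyst;   -- reporting: masked data only

-- Key material kept apart from the data. Only the table owner can read it
-- (PUBLIC gets no table privileges by default). In production this belongs
-- in a KMS/HSM or an application secret, not in a table beside the data;
-- a table is used here purely to keep the example self-contained.
CREATE TABLE field_key (k text NOT NULL);
INSERT INTO field_key VALUES ('demo-only-key-rotate-me');

CREATE TABLE customer (
    customer_id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    full_name      text   NOT NULL,
    branch_code    text   NOT NULL,
    -- Ciphertext only. A copy of this table (backup, test extract, memory
    -- stick) carries the same protection as the live database because the
    -- plaintext never exists in the column.
    national_id_ct bytea  NOT NULL
);

-- Write path: plaintext is encrypted on the way in; the key never appears
-- in the SQL text, so it does not end up in statement logs.
-- '8001015009087' is a constructed sample value.
INSERT INTO customer (full_name, branch_code, national_id_ct)
VALUES ('A. Example', 'JHB01',
        pgp_sym_encrypt('8001015009087', (SELECT k FROM field_key)));

-- Field-level privileges: the clerk may read exactly three columns.
-- "SELECT * FROM customer" and "SELECT national_id_ct ..." both fail
-- with permission denied for this role.
GRANT SELECT (customer_id, full_name, branch_code) ON customer TO app_clerk;

-- Masked view for analysts. Tables referenced by a view are accessed with
-- the view owner's privileges, so decryption happens inside the view and
-- the analyst role never holds the key or sees the full number.
-- security_barrier stops leaky user-defined functions in a WHERE clause
-- from being evaluated before the view's own filtering.
CREATE VIEW customer_masked WITH (security_barrier) AS
SELECT c.customer_id,
       c.full_name,
       c.branch_code,
       repeat('*', 9) || right(pgp_sym_decrypt(c.national_id_ct, fk.k), 4)
           AS national_id_masked
FROM customer c
CROSS JOIN field_key fk;
GRANT SELECT ON customer_masked TO app_analyst;

-- Row-level security: whatever columns a role can read, it sees only the
-- rows for the branch named in its session. A session that never set
-- app.branch gets NULL, and NULL = text is not true, so it sees no rows.
-- FORCE makes the policy apply to the table owner too, which matters
-- because the view above runs as the owner.
ALTER TABLE customer ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer FORCE ROW LEVEL SECURITY;
CREATE POLICY branch_only ON customer
    USING (branch_code = current_setting('app.branch', true));
```

To exercise it, the application runs SET app.branch = 'JHB01' (or the equivalent per-connection setting) after connecting and before querying; a clerk session then gets names and branch codes for that branch only, an analyst session gets the same rows from customer_masked with the ID reduced to its last four digits, and neither can obtain the ciphertext column or the key. Two caveats a practitioner should keep in mind: because the policy has only a USING clause, PostgreSQL also applies it as the WITH CHECK condition, so later INSERTs must run in a session whose app.branch matches the row being written; and pgcrypto's symmetric encryption protects confidentiality of the stored field but does nothing about the plaintext being visible in memory or in a query result for whoever legitimately holds the key, which is why the masked view rather than raw decryption is what most roles should be granted.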
The tools to embed security at this level have been available for some years, but this approach was typically not taken due to concerns about the impact on processing and performance. Fortunately, advances in technology mean this level of security will no longer hamper processing and performance. Even if it did, the need for information security has become paramount, making security the winner in any toss-up between security and performance.
With security embedded at this granular level, and with data lifecycle management tools that support masking, encryption and decryption at every stage of the data lifecycle, the organisation's broader investment in multi-layered security is better supported, the risk from human error is reduced, and active data governance becomes enforceable rather than merely documented.
Mervyn Mooi is a director of Knowledge Integration Dynamics (KID), and also a key resource within the company's information management, data warehousing and business intelligence teams. He has been in the IT industry for 36 years, beginning his career as an operator at the CICS bureau in Johannesburg in the early 1980s. Thereafter, he was appointed as a programmer at state-owned oil exploration and production company SOEKOR. In 1986, Mooi joined Anglo American's head office IT department where he remained for almost 12 years. Here he progressed to become a senior programmer, analyst, database administrator and technical support specialist. After completing his degree in informatics, he then left to join Software Futures, where he worked as a senior consultant for 18 months in the data warehousing and business intelligence arena. Mooi joined KID in 1999 as a data warehouse and business intelligence specialist. Mooi's experience in ICT disciplines includes operations, business and systems analysis, application development, database administration, data governance/management, data architecture/modelling, production application and systems software support, data warehousing and business intelligence. He now focuses on enterprise information management, information governance and cloud solutions.