Published: 08 February 2008
The 10 Most Common Data Security Issues and How to Solve Them
Gordon Rapkin, of Protegrity, has come across every conceivable data security issue and in this article he has highlighted the most common ones, along with some advice on resolving the problems.
1 – Not knowing who uses what data and where it is.
You can't secure data without knowing in detail how it moves through your organisation's network.
Begin by doing a thorough inventory of sensitive data and then develop a ‘Sensitive Data Utilisation Map’ documenting your findings. Also consider building a series of diagrams to show where and how data moves through the system.
All the parties involved should check these diagrams and this process will itself raise awareness of both the value and the risk to sensitive data.
2 – Treating all data equally
Business managers need to classify data according to its sensitivity and its worth to the organisation so they can correctly evaluate & fund different levels of protection.
‘Data Asset Valuation’ is a very worthwhile ROI-type of activity. The goal is to correlate a variety of criteria, including regulatory compliance mandate, application utilisation, access frequency, update cost and client / organisation trust vulnerability to arrive at both a value for the data and a ratio for determining justifiable security costs.
3 – Focusing solely on regulatory compliance concerns
Virtually all government and industry privacy & security regulations boil down to the most basic best practices of data security. So being able to pass a regulatory audit does not automatically ensure effective security.
Instead of trying to protect your organisation's data assets by solely striving to meet individual regulatory requirements, focus on complying with security-centred processes, policies & people, reinforced by security solutions such as automated policy enforcement, encryption, role-based access and system auditing.
In other words, do the right things instead of just the required things.
4 – Keeping what you don't need
You can reduce the risk that comes with retaining sensitive customer data by removing the data you no longer need, both electronic and paper, from all systems and files.
However, simply deleting files containing infrequently accessed, highly sensitive data won't work: it would violate multiple data retention regulations, and 'repeat' clients would have to provide their personal data all over again.
A better way is to look at the specific data retention & protection regulations governing each of the sensitive data elements that need protecting, working in conjunction with the legal department and a relatively senior departmental manager who will usually know the relevant regulations for his service area.
5 – Security triage
We have to move beyond dealing with the crisis of the moment and focus on securing data holistically and consistently.
While it may be difficult to free up the time and the budget to institute a comprehensive data security plan, ultimately a unified approach will be far more effective than the fragmented practices present in too many organisations, increasing security, saving both time & money, and simplifying the training of staff.
Data-driven security cannot be an occasional event sparked by a crisis; it needs to be an integral part of the organisation's daily routine (as HMRC and other government departments have recently found out).
6 – Outsourcing responsibility
Virtually all data protection and privacy regulations state that organisations can’t share the risk of compliance, which means that if your service delivery partner fails to protect your organisation’s data, your organisation is at fault and is liable for any associated penalties or legal actions that might arise from the exposure of that data.
Laws concerning data privacy and security vary internationally. To lessen the chance of sensitive data being exposed deliberately or by mistake, you must ensure that the organisation you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your sector.
7 – Putting too much faith in risk assessments
The simplistic Yes/No questions that are part of the generic ISO 17799 and PCI requirements focus on whether a particular technology, policy or control is in place, and not how effective these controls can be against careless or malicious insiders or outsiders.
Risk assessments tend to look at one item at a time, and do not offer a holistic view of the system. Each component may look secure, but risk may still occur at the interface points or the points of inconsistency across systems.
Think holistically to secure a system, considering the flow of data through the entire system rather than testing individual points.
8 – Settling for less than real security
Knowing what enterprise data protection technologies, policies and procedures are “reasonable” relative to peer organisations is useful information, but don't allow others' actions to determine your security plan and goals.
Model your policies & processes after the best practices of the most secure organisations in your sector, rather than those used by the common denominator. Strive for excellence.
9 – Fragmented processes and policies
Despite claims that protecting data assets is strategic to an enterprise, the scope of data protection projects is all too often either regulation or department-specific.
Look at developing an enterprise-wide data protection strategy instead. The goal of the project is not to produce a report, but to build awareness and management support for the treatment of sensitive data assets with technologies, policies and procedures that match the regulations, the utilisation and the potential damage to reputation if the data assets were to be compromised.
10 – Retaining sensitive data without balancing risks against rewards
Retaining sensitive data can be very valuable for analytic, service delivery planning and relationship purposes. The rewards can be very high, provided you can properly secure the data and reduce the risks of storing it.
Make sure that your organisation's risk/reward ratio is balanced toward reward and that the data is being used in a way that brings real benefits to your organisation. And if securely storing data is costing more than its value to your organisation, it's time to refine your data retention policy.
Don’t forget that if you store something, you will have to bear the cost of making it available under legislation such as the Freedom of Information Act.
Further information
Protegrity is exhibiting at Infosecurity Europe 2008 (22 – 24 April 2008) in the Grand Hall, Olympia. This is a FREE ‘must attend event’ for all professionals involved in Information Security.