The Digital Deluge: Protecting Data in an Age of Insecurity
If there is one thing that has changed about data, it is how accelerating digitalisation has culminated in an avalanche of data that is generated and broadcast today, notes Ilias Chantzos, Global Privacy Officer and Head of EMEA Government Affairs, Broadcom.
Unsurprisingly, the result is a greater focus on data governance and the distinction between the different types of data, whether personal, business confidential, or intellectual property. In the words of Chantzos, “Whoever can manage this data effectively will have a massive competitive edge.”
Evolving nature of data
Of course, what is left unsaid is the crippling damage that can stem from unauthorised data access. In an era where data is regarded as the crown jewels of an organisation, how can businesses ensure the sanctity of their data, especially as cybersecurity practitioners have largely given up on a citadel approach and now actively plan for the eventuality of a breach?
One common mistake Chantzos sees is cybersecurity practitioners adopting a one-size-fits-all mindset when drafting security policies and implementing protective measures.
“Certain job functions are designed to do the opposite of what the policy requires. Take the common policy of not opening email attachments from strangers. Yet the recruitment team in the HR department is expected to regularly receive and open attachments called CVs, usually in PDF format from people they don't know,” he said.
This means an attacker could potentially embed zero-day exploits in PDF files with the expectation that recruiting managers will open them. The onus is hence on CISOs to implement additional protection for those at the greatest risk.
“Employees need to have an equivalent level of protection. But this means [some will] need more protection because their level of risk is disproportionately higher in comparison to others in the organisation,” Chantzos explained.
As governments and organisations do more to tackle the threat of data breaches, one development is a shrinking notification timeline that is increasingly enshrined in regulations. Chantzos cautioned that shorter notification timelines do not automatically lead to better outcomes.
“[There is a notion that a] short notification timeline of 24 hours or less will somehow increase the level of security investment, improve security response, and reduce the risk to individuals. [But] most incidents, even if notifiable, are a result of an error or malfunction, and not the result of a malicious attack.”
“It’s not a problem to have a tight notification regime. But mandating shorter notification timelines pushes organisations to do a half-baked job and makes it much more important to inform someone than [performing a thorough investigation].”
The morning after a data breach
While much has been written about preventing data breaches, less is discussed about what happens after a breach. When asked about the implications of a data breach to a CISO, Chantzos quipped: “It's not at all the end of the road. In fact, it's the beginning of a very demanding exercise.”
“The very first step would be to determine whether data exfiltration has taken place and the types of data that are impacted. The next step would be to mitigate the incident, to make sure data is no longer accessible, and that the attackers have not left backdoors to re-enter the system.”
“Notification obligations will need to be assessed. In Europe, if you lose HR data, the notification obligation is on you. But if you lose customer data, the notification obligation is to notify the customer who may have to notify the regulator. In the US, you must notify anyone whose data you lose. And if you are a stock market listed company and you lose your intellectual property, you may have to notify the stock market authorities if the impact is material.”
The lost data would also have to be identified to a high degree of certainty, no easy feat considering that attackers would almost certainly have used evasion techniques to cover their tracks.
“[Organisations need to] understand what got lost: How much of it? What is it? Who is impacted by it? And where was that thing that got lost? [Establishing the where] is very, very critical.” Of course, there will also be penalties, reputational damage, and stock market price fluctuations that organisations need to be prepared to manage, says Chantzos.
Protecting the data
Data backups have never been more important in this era of data, yet they are also under growing, sustained attack, including from ransomware designed to corrupt the backups themselves. Chantzos compared data backups to an insurance policy.
“[Your backup] is the card you're going to pull when all other security measures have failed. Obviously, one needs to treat their insurance policies with a high degree of diligence. This same diligence should apply to backups.”
In his view, an inability to recover from backups is doubly damaging, first from the inability to restore data, and then from spending money for nought.
“Backups need to be treated as a significant component of the overall security and resilience infrastructure. They need to be regularly tested and subject to similar security controls as the primary infrastructure; we need to treat backups as a component of the resilient strategy of the organisation,” he emphasised.
Finally, CISOs need to work together with the legal team and key executives such as the chief privacy or chief compliance officers, says Chantzos.
“If I had to give one piece of advice to the CISO, I would recommend that he or she try to understand the viewpoints of their attorneys… their cooperation is extremely important. There will be situations where the CISO will be directed on how an incident must be investigated due to legal requirements. Although the CISO is the master of the technology domain, sometimes the problem must be tackled from a completely different direction.”
“And while the chief legal officer knows the rulebook, implementing the rules is impossible for them – they need the CISO. [Everyone] must work as a team to protect the data, protect the people. I say it because I know that this is not always happening. And that's a big mistake and a big risk. We need to work together,” summed up Chantzos.