Who Stole All The PIIs?
It's one thing to accept that your networks will be breached at some point. What you do about it is another matter altogether!
The facts speak for themselves. Whether you take the report from McAfee, Checkpoint or an independent third party, everyone is reporting hundreds of thousands of new malware samples every single day. What's more, malware's time to live is coming ever closer to the amount of time that it takes the leading security companies to analyse new malware and produce a pattern file. The conclusion is inescapable: security companies simply can't keep up with the rate at which new malware is being produced, and it is this malware that is used to gain access to your confidential data.
To make matters worse, cyber attacks only take seconds. Their impact can be high profile and seriously damage company reputation, quite apart from the cost of breach notification and recovery. Yet it typically takes companies between 3-6 months to discover a security breach, by which time the damage has been done and all you can do is sweep up after the event, an exercise that a recent Ponemon study estimates can take 3 months to complete.
The Stakes Are Getting Higher
Brexit or not, the UK will be a member of the EU in May 2018 when the European General Data Protection Regulation (GDPR) becomes law in the UK. If you haven't yet familiarised yourself with the implications of the GDPR, I would strongly recommend that you download and read the ICO's guidance document "Preparing For The General Data Protection Regulation – 12 Steps To Take Now". The obligations that organisations will carry for protecting personal data are quite daunting, with harsh penalties for anyone who fails to implement appropriate business practices and technical controls to protect personal data. Sitting on your hands really isn't an option.
Smarter Security Management
Given that cybercriminals demonstrate the ability and determination to outsmart the security defences of even the most security-conscious organisations, what should we all be doing to protect the intellectual property and Personally Identifiable Information (PII) that our organisations hold on their networks?
Where Is Your Personal Data Stored?
Unless you know where your Personally Identifiable Information is on your network, you can't hope to control it. You need to understand:
- What personal data are you storing on your network?
- What does it comprise?
- Who owns it?
- Who uses it?
- How is it being shared?
How Does Data Flow Around Your Organisation?
Technical innovation such as cloud storage and mobile computing help to boost employee productivity, but present major challenges to data security. You need to understand:
- Where does personal information get copied to?
- How does it exit your organisation (laptops, USB drives etc)?
- How is PII created on your network?
- How is it destroyed (including at the end of its retention period)?
Once you understand how personally identifiable information is used within your network, you will be better positioned to construct a GDPR-compliant security policy and to classify your data, so that you can introduce the appropriate technical controls to manage and audit access to PII. These steps alone will take time to complete, but they will give you a framework that allows you to demonstrate to the ICO, in the event of a breach, the measures you take to protect personal data.
Of course, the process of identifying and responding to threats that succeed in penetrating your defences is a matter of equal importance, but by understanding how you use personal data and wrapping the right controls around access to it, you will be making the cybercriminal’s life far harder, as well as making your life easier when it comes to investigating and responding to a data breach.
Enterprise Account Manager