Data protection and cyber security: the Maginot Line
During the 1930s, the French built a near-indestructible wall of defence along their border with Germany. It was meant to be impervious to just about any form of attack, including aerial bombing and tank fire. Secure in the knowledge that this wall protected France from a potential invasion from Germany, the nation left itself vulnerable. The German army overcame this barrier by invading the Low Countries, Holland and Belgium, and attacking France by bypassing the line altogether. Maybe there is an analogy here with data protection and cyber security.
Recently, Information Age spoke to Scott Nicholson, of Bridewell Consulting, and he warned that “no matter how strong the data protection safeguard, if organisations don’t employ the appropriate cyber security controls as well, then the data security controls can be easily circumnavigated… in certain situations.”
To paraphrase him, the risk lies with being lulled into a false sense of security.
Scott looks after the delivery services at Bridewell, and he is something of a guru on cyber security, penetration testing, cloud security and data privacy. “They are intrinsically linked, but they also stretch in opposite directions, worlds apart from each other,” he says. He likens the relationship between cyber security and data security to a circle: they meet, they go apart, they meet again.
“You need both,” says Scott. “The risk lies with too narrow a focus on data security. Attackers can use poor cyber security to bypass any data security controls, no matter how good.”
“Data security,” says Scott, “is about having appropriate security measures around the data you’re processing.” But in order to achieve that, there are several prerequisites:
- information management,
- understanding the importance of data, and so using a classification scheme,
- and handling that data accordingly.
By contrast, cyber security is partly about protecting data but “it’s also about protecting your systems from various cyber threats. There is a heavy focus and a move towards cyber business resilience, and accepting that it is no longer a question of if you get attacked, but when you get attacked.”
He then refers to the NIST cyber security framework, which describes five areas that cyber security must focus on:
The story of the French Maginot Line is not as simple as it is often portrayed. The French and British were aware of the risk of an attack beyond the limits of the line, and had, to an extent, arranged their forces to cover this risk. They left a weak point by the Ardennes forest, supposedly difficult for German troops to traverse. But they did traverse it and France was defeated.
There is subtlety in the interaction between data security and cyber security too. Take encryption: “an organisation could have encrypted their data in a database but if they’re not employing wider cyber security controls, like multi-factor authentication, or the ability to identify phishing links, applying anti-malware scanning, for example, such that user ID and passwords could become compromised, then attackers can bypass all the data security controls.”
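The bypass Scott describes can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from Bridewell: a record store that encrypts rows at rest (the data-security control) sits behind an application login (the cyber-security control). With password-only login, anyone holding a phished password gets the decrypted record, because the application decrypts transparently for any session it accepts; with TOTP enforced, the same password on its own is refused. The user, password, record and database key are constructed for the demo, and the cipher is a demo-only HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for AES-GCM or a similar production cipher.

```python
"""Added example: encryption at rest behind a login with and without MFA.
All users, passwords, records and keys are constructed for the demo."""
import hashlib
import hmac
import os
import secrets
import struct
import time

# ---- data-security layer: application-level encryption at rest ----
# Demo-only cipher: HMAC-SHA256 keystream XOR plaintext, then an HMAC tag
# over nonce || ciphertext. Real systems should use AES-GCM or similar.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# ---- cyber-security layer: password hash plus TOTP (RFC 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class App:
    """Rows are encrypted at rest; any accepted login decrypts them."""

    def __init__(self, require_mfa: bool):
        self.require_mfa = require_mfa
        self.db_key = secrets.token_bytes(32)    # key held by the application
        self.records, self.users = {}, {}

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), totp_secret)

    def store(self, row_id: int, plaintext: bytes) -> None:
        self.records[row_id] = encrypt(self.db_key, plaintext)

    def authenticate(self, username, password, otp=None, now=None) -> bool:
        salt, pw_hash, totp_secret = self.users[username]
        if not hmac.compare_digest(pw_hash, hash_password(password, salt)):
            return False
        if self.require_mfa:
            now = int(time.time()) if now is None else now
            # Production code would also accept the adjacent step for clock drift.
            if otp is None or not hmac.compare_digest(otp, totp(totp_secret, now)):
                return False
        return True

    def read(self, username, password, row_id, otp=None, now=None) -> bytes:
        if not self.authenticate(username, password, otp, now):
            raise PermissionError("login refused")
        return decrypt(self.db_key, self.records[row_id])

PASSWORD = "constructed-demo-password"           # constructed
RECORD = b"patient 1001: blood group O-"         # constructed

def _setup(require_mfa: bool):
    app, secret = App(require_mfa), secrets.token_bytes(20)
    app.register("alice", PASSWORD, secret)
    app.store(1, RECORD)
    return app, secret

def stolen_password_only(require_mfa: bool):
    """What a session holding only the password obtains: plaintext or None."""
    app, _ = _setup(require_mfa)
    try:
        return app.read("alice", PASSWORD, 1)
    except PermissionError:
        return None

def owner_with_token() -> bytes:
    """The legitimate user, password plus a current TOTP code, at a fixed clock."""
    app, secret = _setup(True)
    now = 1_700_000_000                          # constructed fixed clock
    return app.read("alice", PASSWORD, 1, otp=totp(secret, now), now=now)

if __name__ == "__main__":
    print("encryption only, password stolen:", stolen_password_only(False))
    print("encryption + MFA, password stolen:", stolen_password_only(True))
    print("encryption + MFA, owner with token:", owner_with_token())
```

Run stand-alone it prints the record for the password-only configuration and `None` once MFA is required; the database encryption is identical in both cases, which is exactly the point: the data-layer control is only as good as the cyber-layer control in front of it. The `hotp`/`totp` functions follow RFC 4226 and RFC 6238 and can be checked against those RFCs' published test vectors.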
The General Data Protection Regulation has made a big difference, suggests Scott. Under Article 30 of the GDPR organisations that process personal data are required to maintain a record of their processing activities. “I think security professionals have been able to leverage GDPR to get budgets,” he says.
But how much of an issue is this really? Data security and cyber security are clearly related, but in the real world, do organisations really put too much emphasis on one at the expense of the other?
“It depends on the size of the organisation,” says Scott, “but they either get treated as two different disciplines or there tends to be more focus on one at the expense of the other.”
Maybe the problem lies with the inherent differences between the two, differences perhaps that require different mindsets.
As Scott explained: “Cyber security is often more technical and is resilience focused, while data security concerns issues such as information handling, transportation, as well as encryption.”
So cyber security, for example, focuses on having DDoS mitigation on an organisation’s website. Data security applies, among other things, to data stored on paper.
“I’ve worked in public sector organisations that have had a breach and have had to improve those manual practices but, I think there is a case for awareness training, making sure that they do the right things with the information and things like not leaving it in their car overnight. If you look at the ICO’s breach register, the majority of public sector organisation breaches are often due to lost paperwork, or media.”
So that’s penetration testing and DDoS mitigation measures on one hand, training staff not to leave their briefcase in the car on the other hand: quite different mindsets, quite different psychology, quite different skills. But then the Maginot Line, with its concrete bunkers and underground communication railways, was quite different from the deployment of troops over the French-Belgian border. In the case of the Maginot Line, the lesson of history is clear. In the case of data security and cyber security the lesson is becoming clearer: you need both.
Bridewell Consulting provides cyber security consulting, a data privacy function, penetration testing and managed security services.