We’re an ingenious species, able to think laterally to solve the most complex of problems. Yet that tenacity is often at odds with working practices.
In the modern enterprise, staff are encouraged to be adaptive and innovative, to come up with creative solutions and work flexibly, only to then find they are constrained by process and shackled by security.
Do you bend the rules to get the job done or do it by the book and risk losing time or business? Neither is a pleasant prospect.
As employers, we like to think greater awareness over the potential fallout of data loss and better education on data handling are seeing this situation improve.
But the truth is that data breach statistics have shown little change over recent years, with the number of incidents reported to the Information Commissioner’s Office (ICO) topping the 400 mark every quarter.
The vast majority of these are down to a breach of Principle 7 of the Data Protection Act (DPA), which states ‘appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
In other words, a mix of controls should be in place that make it very hard for the user to inadvertently disclose data.
Of the 459 data breach incidents reported to the ICO in the fourth quarter of 2014 (disclosed on 28 April 2015), 102 were down to loss or theft of paperwork, with another 88 down to other Principle 7 failures to protect data.
Data inadvertently posted, faxed or emailed accounted for another 127 cases. Failure to redact or censor data was placed at 23 cases. There were ten cases where insecure disposal of paperwork was to blame, five instances where data that shouldn’t have been was uploaded to a website, and two cases of verbal disclosure.
In fact, only 34 of the cases were said to be contraventions of Principles 1-6 or 8 of the DPA, indicating that 93% of cases were attributable to user error.
What we’re seeing – contrary to security industry preoccupations – aren’t data losses caused by industrial espionage but data compromise brought about by staff, either inadvertently or by sidestepping existing process.
But before we vilify these staff for their actions, spare a thought for their motivation. If a hacker is someone who deliberately circumvents existing controls, then the chances are we have all been accidental hackers at some stage.
If security controls are not proportionate they can be either overly restrictive or overly permissive, and overly restrictive controls encourage users to sidestep them to get the job done.
Clearly, there will be some instances where the business hasn’t got its house in order but that fails to explain the consistency of these figures, which indicate we are failing to keep pace with innovation and failing our staff in the process.
This isn’t just a theory; it’s a practice that has led to the coinage of a whole new term – shadow IT – or the use of technology within the business outside the IT department, often without their knowledge.
Shadow IT ranges from individual users deciding to use unapproved services, such as social media or collaborative file sharing (Yammer, Dropbox etc), to whole departments sanctioning and even investing in technologies without the approval of the CTO. What they both have in common is that they fly under the radar and are therefore incredibly difficult to police.
Businesses and the IT department are going to have to adapt to these new ways of working, which ultimately have the power to confer greater competitive advantage.
Organisations need to re-engineer their processes and controls and make them work better for users, so that security adapts to the user. Sensitive data needs to be classified and protected, with role-based access used to limit exposure.
The data lifecycle needs to be mapped to ensure controlled use from creation to destruction. There need to be clear procedures in place for evaluating and securing new systems and working practices, with a top-down approach to ensure the left arm knows what the right is doing.
Changing the way a business operates is a daunting prospect, so it’s best addressed using a methodology based upon business process modelling.
Are there any pinch points or bottlenecks? These are the areas where the user might seek to work around controls. Or are there areas where employees are unsure of accepted working practices? Involving staff ensures such issues are uncovered and buys user goodwill into the bargain.
Once this business process analysis is complete, it can then be combined with a pragmatic security strategy that applies controls where they are needed, rather than simply taking a blanket approach.
Lastly, acknowledge and prepare for a compromise. Foster an environment of disclosure and you’ll find staff are more open and less likely to cover up a data loss incident, which could make the situation far worse in the long term.
Data loss is never going to be eradicated. But we can at least prepare and empower rather than debilitate staff with security mechanisms.
Sourced from James Henry, Auriga