Make People Our Best Data Security Asset

Losing USB sticks, leaving laptops on trains, installing malware, clicking phishing links. From maliciousness to stupidity, our people are a constant problem. In fact, people are our biggest data security issue, aren’t they?

Aren’t they?

We have to ask ourselves, are we doing all we can to help our people? Rather than seeing them as a security problem, have we thought about how we can make them an asset as we continually look to take on the threats to our critical data?

That’s the subject of this week’s podcast, as I chat with Dom Saunders from NETconsent.

NETconsent specialise in the human side of technology, ensuring users are fully up to date with policies and procedures, as well as continually educated about new threats and solutions.

Our people can be a huge benefit in our data security and privacy plans. In this episode we look at why many IT policies fail, the risks that poor procedures introduce, why education is so critical and how to make sure our people are getting access to the best help they can.

We wrap up looking at 5 steps you can take to make sure your users are a data security asset rather than a risk.

To find out more about NETconsent then check the NETconsent website.

To see how other businesses have worked with their people, have a look at these case studies.

You can also catch up with NETconsent on twitter @NETconsent

This is the third show in our series on data privacy and security. If you’d like to catch the other two episodes, you can find them here:

Best Take Care Of Those Crown Jewels – Sheila Fitzpatrick – Ep 17

Don’t Build Your Data Privacy House Upside Down – Sheila Fitzpatrick – Ep 18

Subscribe on Android

http://feeds.soundcloud.com/users/soundcloud:users:176077351/sounds.rss

Don’t Build Your Data Privacy House Upside Down – Sheila Fitzpatrick – Ep 18

There is no doubt that there are many difficulties presented to organisations when it comes to their data.

We understand it’s an asset, something that, if we make the most of it, can be a significant advantage to us, but of course we also understand maintaining the security and privacy of it is critical.

I think it’s fair to say, as organisations and IT professionals we are becoming much more mature in our attitudes to data privacy and security and we understand more than ever the risks posed to it.

This increased level of maturity is going to become even more important, especially with significant regulation changes on the horizon and none are more significant than the EU’s General Data Protection Regulation (GDPR).

In this week’s podcast, the second part of my conversation with Global Data Protection Attorney Sheila Fitzpatrick (you can find part one here), we discuss exactly what GDPR is going to mean to us as organisations, including those organisations that are outside of the EU (including the impact on the UK).

Not only do we look at the impacts of the legislation, Sheila also shares with us some of the initial steps you can take to start to build robust data privacy policies.

How important it is to get the foundation right. How we need to understand our data: where we get it from, how we get it and what we keep, and how this is much more important, initially, than finding technology tools to deal with the problem. Build the foundation before you build the second floor!

We also explore how data privacy and GDPR are NOT the problem of IT; they are a business challenge. IT is certainly a key part in helping to deliver security, privacy and compliance, but it is not an issue to throw back at IT to solve.

I hope you’ve found these two episodes with Sheila useful in providing an outline of the problem, as well as some of the steps you can take to address it.

If you want to catch up more with Sheila, you can find her on twitter @sheilafitzp and on Linkedin.

Next week, we look at a different part of the data security challenge, People.

I chat with Dom Saunders from NETconsent as we look at how we can make our people a key asset in dealing with the data challenge.

If you want to make sure you don’t miss that episode, then please subscribe on iTunes, Soundcloud or wherever you get your podcasts.

Thanks for listening…


Best Take Care Of Those Crown Jewels – Sheila Fitzpatrick – Ep 17

Data, it’s the new oil, new gold, your Crown Jewels. We’ve all heard these phrases, but it is hard to deny that data is a fantastic asset, companies who know how to mine true value from it have a distinct advantage over their competitors and we are continually creating more of it.

However, it’s fair to say that data also comes with its challenges, we must store it all, make sure we protect it all and of course we need to make sure it’s secure.

The challenge of data security and privacy is right at the top of the list of priorities for most IT executives, and, if it isn’t already, it should be high on the list of priorities for business owners and boards as well.
Maintaining the security and privacy of our data is going to continue to be a complex problem, from the multi-faceted security threat, to the introduction of more stringent data privacy laws.

To try to help to address this, this week’s podcast is the first of a short series focussing on the twin challenges of data security and privacy. First is a two-part episode exploring the issue of Data Privacy, with my guest Global Data Privacy Attorney Sheila Fitzpatrick.

Sheila is NetApp’s Chief Privacy Officer and World Wide Data Governance and Privacy Council, and has nearly 35 years of experience in the field of data privacy, so is well placed to comment on the current data privacy landscape, the challenges of managing data and the issues presented by changing regulation.

In this first part, we look at what data privacy is, what defines personal data, why it’s important to understand the full lifecycle of your data management procedure, the difference between data security and privacy, as well as an introduction to the upcoming EU General Data Protection Regulation (GDPR).

Sheila couples her huge experience of data privacy with a tremendous enthusiasm for her topic, which makes her a fantastic person to learn from. Enjoy the episode.

If you want to catch up more with Sheila, you can find her on twitter @sheilafitzp and on Linkedin.

Next week we’ll be focussing on the biggest change to data privacy in the last 20 years, the EU General Data Protection Regulation (GDPR), its impact, what it means to us and how to start to build a data privacy strategy.

If you want to make sure you don’t miss that episode, then please subscribe on iTunes, Soundcloud or wherever you get your podcasts.


Voting for data loss

Here’s a question for you. If you were sat in a room and someone asked:

“hands up who votes to lose their critical data?”

How many of you, be you a storage admin, IT Manager or CIO, would pop your hands up and vote yes?

None of you, I guess, so imagine my surprise when I found this article a few weeks back over on Ciodive.com. As you can imagine, what caught my attention was the headline:

“Most business owners wouldn’t pay if hit with ransomware attack”

Or, if they were sat in the room when that question was asked they were putting their hands up saying, “yes, I’ll lose data please!”.

The article also contained some interesting statistics:

  • 84% of U.S. business owners would not pay if they become the victim of a ransomware attack, even if that means permanently losing data.
  • 65% of businesses have not budgeted extra funds to regain access to systems and data if they were to become ransomware victims.
  • Ransomware is now the most prolific cyber threat of 2016.

So clearly few would pay any kind of ransom for their data, even though only 33% of them felt their businesses could survive without access to critical data for any length of time. Surely, then, our survey respondents must have had a plan.

Well, some did: they felt they were protecting themselves with appropriate backup regimes. However, 22% of the respondents did say they were not sure how to back up and protect their systems and, even more worrying, they were not aware they needed to!

Just in case you wondered whether ransomware was a problem, I loved the closing statement from Adam Levin from IDT911, who said:

“We’re talking about complete and utter paralysis of systems that could spell lost revenue, viciously impacted customers and a potential near-extinction level event for a business,”

Serious stuff, then. Ransomware is indeed a significant issue, and although much of the article focuses on US businesses, the threat is no less prevalent in the UK.

With that in mind, I thought it would be apt to share a little bit of experience of dealing with this problem and how I’ve worked with a number of businesses to help mitigate the risk of this kind of attack. If this helps a couple of you avoid the potentially devastating effects of a ransomware attack, hopefully I’ve done my good deed for the day!

Where to start, then? A good starting point can be found at the end of the article, with Adam Levin’s closing statement:

“Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control.”

What does a comprehensive strategy, as discussed by Levin, look like in practice?

As mentioned earlier, I’ve had a bit of experience with ransomware attacks over the last 18 months, with a handful of our customers finding themselves victims. Fortunately, however, they greatly reduced the severity of the impact by having an appropriate strategy in place.

So, after being a little surprised at the statistics and attitudes on show in the Ciodive article, I thought sharing the steps these businesses took to protect themselves may be useful.

As with any strategy, it’s important to have the right starting point, and today, when discussing data threats, that place is “assume breach”: that is, the threat is already inside your network. If we start with that assumption, then we can look at how we protect our critical data assets.

In my experience, robust protection is built on 4 simple steps:

Spot it

It’s fair to assume signature-based AV tools are not going to spot such an attack, so we need to be smarter. How are we smarter? By using tools that understand our users’ behaviour and, importantly, spot the unusual, and ransomware attacks are very unusual.

For example, when Bill, who normally accesses 10-15 files, suddenly accesses 1000 in two minutes, we need to be able to identify this behaviour and address it, because the likelihood is that Bill has not just become super productive; his account is likely to be carrying out activity it shouldn’t.

Deal with it

We not only need to be made aware of a problem, but also need systems that allow us to address this unusual behaviour as soon as we see it. So when Bill’s account is happily opening 1000s of files in minutes, we don’t want an email in the morning telling us Bill was happily encrypting all of our data; we need a policy and workflow that can spot it and stop it.

Identify the damage

To effectively resolve a ransomware attack, it’s important our smart tools not only spot the behaviour and stop it, but also record it, so we can quickly see the extent of the damage that our friend Bill’s account has done. Why? Because once we have identified it, we need to be able to look at our options for recovering the now encrypted data with a ransom on its head.

Recover it

Our recovery options depend on our recovery point objective for our key data. It’s important we understand how much we can afford to lose in any incident, be that the loss of a storage device or a ransomware attack, so if your business can only afford a one-hour data loss, you had best make sure your data protection regime can meet that recovery point. There is no benefit in nightly backups if you can’t afford to lose more than one hour’s worth of data, is there?
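As an added example (not the post’s own code, nor any vendor’s product), the following Python runs the four steps above over a constructed file-access audit log: a sliding-window burst detector built on an assumed per-user baseline (Bill’s 10-15 files), a containment step that records what the flagged account touched before the alert and how many later events a stop-it policy would have blocked, and a recovery step that checks the last backup against a one-hour RPO. The log format, baselines, thresholds and backup schedules are all assumptions.

```python
"""Behaviour-based ransomware handling over a file-access audit log.

Walks the four steps from the post (spot it, deal with it, identify the
damage, recover it) against a constructed log. The log format, per-user
baselines, thresholds and backup schedules are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)           # "1000 files in two minutes"
BASELINE = {"bill": 15, "alice": 40}    # assumed normal distinct files/window
BURST_FACTOR = 5                        # alert at 5x a user's baseline
RPO_ONE_HOUR = timedelta(hours=1)

# Constructed audit log, one event per line: "<ISO time> <user> <op> <path>".
BURST_START = datetime(2016, 11, 1, 13, 0, 0)
SAMPLE_LOG = "\n".join(
    ["2016-11-01T09:00:00 alice OPEN /shares/finance/q3.xlsx",
     "2016-11-01T09:01:10 bill OPEN /shares/sales/deal-notes.docx",
     "2016-11-01T09:02:30 bill OPEN /shares/sales/forecast.xlsx"]
    # bill's account touching 120 files in two minutes, one per second
    + [f"{(BURST_START + timedelta(seconds=i)).isoformat()} bill WRITE "
       f"/shares/hr/file{i:04d}.docx.locked" for i in range(120)])

# Constructed backup schedules: nightly only, and nightly plus hourly snapshots.
NIGHTLY_BACKUPS = [datetime(2016, 11, 1, 1, 0)]
HOURLY_BACKUPS = NIGHTLY_BACKUPS + [datetime(2016, 11, 1, h, 0) for h in range(2, 14)]


def parse(line):
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path


def spot_bursts(log_text, window=WINDOW, factor=BURST_FACTOR):
    """Step 1, spot it: {user: (alert_time, distinct_files)} at the first
    moment a user's distinct files inside a sliding window exceed
    factor * baseline. A signature scanner would not see this; the rate does."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)          # user -> (ts, path) pairs in window
    alerts = {}
    for ts, user, _, path in events:
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if user not in alerts and distinct > factor * BASELINE.get(user, 15):
            alerts[user] = (ts, distinct)
    return alerts


def contain(log_text, alerts, lookback=WINDOW):
    """Steps 2 and 3, deal with it and identify the damage: events by a
    flagged account after its alert are what a stop-it policy blocks; files
    it touched in the window before the alert are what recovery must cover."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    report = {}
    for user, (when, _) in alerts.items():
        mine = [(ts, p) for ts, u, _, p in events if u == user]
        damaged = sorted({p for ts, p in mine if when - lookback <= ts <= when})
        blocked = sum(1 for ts, _ in mine if ts > when)
        report[user] = {"damaged_files": damaged, "blocked_events": blocked}
    return report


def recovery_point(backups, incident_time, rpo):
    """Step 4, recover it: the last backup before the incident and whether
    the data lost since it fits inside the recovery point objective."""
    good = [b for b in backups if b < incident_time]
    if not good:
        return None, False
    last = max(good)
    return last, incident_time - last <= rpo


if __name__ == "__main__":
    alerts = spot_bursts(SAMPLE_LOG)
    report = contain(SAMPLE_LOG, alerts)
    for user, (when, n) in alerts.items():
        r = report[user]
        print(f"ALERT {user}: {n} files by {when.time()}; "
              f"{len(r['damaged_files'])} to restore, {r['blocked_events']} blocked")
        for name, sched in (("nightly", NIGHTLY_BACKUPS), ("hourly", HOURLY_BACKUPS)):
            last, ok = recovery_point(sched, when, RPO_ONE_HOUR)
            print(f"  {name}: restore from {last}, meets 1h RPO: {ok}")
```

With the nightly-only schedule the restore point is twelve hours old and misses the one-hour RPO; the hourly snapshot taken at 13:00 meets it, which is the point the paragraph above makes.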

If we look back at Adam Levin’s quote:

“Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control.”

Hopefully you can see how the steps I’ve described help meet that comprehensive strategy of prevention, monitoring and damage control.

We’ve seen real life examples where those simple steps have saved businesses from any significant impact of a ransomware attack, so if you can put them in place, then next time you are in a room and asked “who votes to lose data?” you can keep your hands safely by your side.

If you have any comments on this or any of your own experiences you’d like to share, then please leave a comment on here or find me @techstringy on twitter or on LinkedIn and share your story.

Is data security a business continuity issue?

A couple of weeks ago I was asked to present at the Business Continuity Institute’s regional forum in Liverpool. The aim of the presentation my colleague and I gave was to ask the question:

Do you consider data security as part of your business continuity plan?

Surely it is, isn’t it?

But you may be surprised at just how many people don’t believe it is. With IT BCP, we look at the big problems and large incidents: the complete failure of a system, the loss of a computer room or the loss of a building. However, as with so many things in IT, it’s the little things that can get you, and these little things sometimes slip the net.

It’s those perceived “little things” that we wanted to look at with the audience and share why in our opinion data security should be a significant part of your IT continuity plans.

Why the misconception?

Why don’t people believe that data security plays a part?

In many cases people don’t see how a data security breach impacts business process and delivery of services.

How can it impact? Data loss comes in many forms; to simplify, let’s look at two categories: loss of access and leakage.

Loss of access can be caused by corruption or loss of a data device, which has the potential to impact a production system and cause a major loss of service. What if we lose a system that affects our ability to produce goods, pay bills or pay staff? These are obvious business impacts, and often we do plan for this type of event. However, it’s the second category we often see slip through the BCP net.

The impact of the ever-growing problem of loss of data from a business is not so easy to quantify, as often a data loss doesn’t stop our systems, but the impact of losing our critical data has just as much potential for business disruption as any system failure.

Imagine if you lost information on a major deal that meant a competitor won it rather than you. What about if you leaked important business-sensitive plans, or payroll information, or plans of layoffs or expansions? All of these things can have huge disruptive potential, and that’s before we get into the problems of reputation damage or financial penalties that may also come our way.

With that scene set, we wanted to share some steps that businesses can take to ensure they maintain robust security and continuity planning to mitigate the risks caused by data loss.

Understand the risk

As with any type of IT continuity planning, it’s critical we understand the risk:

  • What’s the view of risk?
    • Is it taken seriously?
    • Do we see the need to mitigate against loss?
  • Do we understand where the risks lie?
    • Can we identify potential risks?
    • Where data loss may impact us?
    • How data could be lost?
  • Do we understand the importance of IT in our business?
    • It may sound silly but we’ve all seen those leaders that don’t see the value technology brings. If we don’t understand the value, we’ll never mitigate the risk.
  • Do we understand which bit of IT is important?
    • In many traditional plans we see the protection priorities the wrong way around, with focus on systems, when in reality the primary focus should always be the data, if we have that we have something to recover, without it we have a problem!

Where do we start?

Like any IT project, to successfully meet our end goal we have to understand exactly where we are starting from.

We of course have to do the basics, firewalls, anti-virus, anti-spam etc., but we have to look deeper.

The data security risk is much more complex, and a model built on external and known threats is destined to fail; in fact, the opposite is true: the threat is most likely to be internal. Today we coach our customers that you have to accept that your IT systems are already compromised. With that in mind, we then have to think about how we protect our internal assets.

  • Understand your data
    • Do we know where it is?
    • Who has access?
    • What does it contain?
    • How many copies do we have?
    • Do people even look at it?
  • Do we understand our people?
    • Does everyone, from top to bottom, understand our data security plans and their links to our BCP?
    • If they do not there is a huge risk of failure as our plans are seen as an inconvenience rather than a critical part of our businesses sustainability.
  • Do we educate our staff?
    • When we deliver a BCP a huge part of its success is based on education of our key stakeholders and data security is no different, do we educate staff to the risks, the mitigation we should take and of course the impact if we don’t?

How do I manage this?

If we’ve now understood why data security is a significant part of our continuity plans, the next step is to identify a model to allow us to deal with it. We could:

  • IT can deal with it
    • We can rely wholly on manual intervention, a team that looks for potential risks and can deal with them. In a small business that may be just about sustainable; however, in reality humans cannot keep up with all of the potential data risks occurring at any one time.
  • Get tools in place
    • We can supplement our IT staff with appropriate tools: tools that can spot potential incidents as they occur or spot unusual behaviour in our users. This ability to spot changes from the norm is critical in modern data security.
  • Get help
    • We are seeing that, as the complexity of data security grows, businesses are concerned about how to keep track of it all. There is no point building plans and tools to address the issue when you don’t have the resource to deal with what you find. Do you employ additional resource to deal with it, or outsource this help, taking data security as a service?

Summing up

That drew our conversation with this group to an end. To sum up, what did we share?

  • Take on the misconception – data security in our opinion is key to a successful business continuity plan.
  • Understand the risk – do we see what and where the risks to our data are? Do we understand the impact of loss of access to it?
  • Where to start – understand exactly where you are right now. Understand your key data, who has access to it, where it is and what it contains.
  • Managing the problem – do we have the skills, tools and resources to manage the overall problem?

With these simple steps in place, we think you can greatly enhance a full business continuity plan and ensure that the little things are equally as well covered as the big stuff.

If you’re interested in what the Business Continuity Institute does then check out their website and follow them on twitter @TheBCeye.

If you have any comments on this piece as always you can get me in the usual places, LinkedIN, Twitter and via the usual comments box on this page.


The Data Security Myth

Data security is a constant hot topic in many of my day-to-day conversations with technology and business leaders: “we don’t want to be the next company name spread across the business pages because of a data leak”, they say.

The potential impact of data loss, to you personally and to your business, is significant, so surely we are all taking all the steps we can to protect our most critical asset, our data, aren’t we?

But if we all were, I wouldn’t be writing a post called “The Data Security Myth”, would I!?

At the minute we are planning a couple of free educational events for local businesses in both Liverpool and Manchester to share tips on how to ensure we protect our data the best we can. You’d think we wouldn’t still need to be doing this kind of education, wouldn’t you, what with the constant reminder of cyber threats and the regular high-profile data breaches that make the news? But of course the threat evolves, and even for the most security-conscious of businesses this constantly changing landscape is a real challenge. The biggest challenge, though, amazing as it seems, is that not all businesses necessarily take the data security threat as seriously as they should.

I saw this great infographic on LinkedIn last week (apologies if you posted it and I’ve pinched it, I didn’t make a note of the source, so thanks for posting it if it was you!)

One thing in particular stood out: “70% of cyber crime is preventable”, which begs a question, doesn’t it? If 70% of these issues could have been prevented, why on earth weren’t they?

It’s a good question, and from experience the answer tends to fall roughly into one of three categories, and it is these three that are often the cornerstone of many a “data security myth”:

  1. I’m not a target, no one is interested in my data
  2. Data security is just too hard
  3. But I don’t know where to start

It’s that first one that is perhaps the most dangerous and popular of the myths. Why so? I hear you ask.

The view that you’re not a target allows the other two issues to become easier excuses to accept for not protecting your data assets. For example, you may feel data security is too hard, and if your view is that the risk is so small because no one is interested in you, then it becomes convenient not to really bother overcoming those perceived difficulties.

Let’s have a look at this myth and…

Why you should consider yourself a target?

Maybe you’re unlucky

You indeed may not be a specific target, but you don’t have to be…

“I’m not a target” is a popular refrain for many, especially smaller companies and potentially those who don’t see their use of technology as key, but many of us realise the problem with that statement: we are all potential targets for cyber crime because of the varied nature of the threat.

You indeed may not be a specific target, but you don’t have to be: malware and viruses are still a huge threat, and these kinds of “drive-by” attacks are still very commonplace, from the annoying through to the potentially expensive and business-threatening ransomware-type attacks.

These attacks are often random in nature, and it is this that puts us all potentially at risk.

What about the threat to your customers?

Another issue to consider is that maybe you are not the end target. A cyber criminal doesn’t have to be interested in you; what about your customers?

Who do you work with that may be a much higher profile target?

Let me give you an example. There is a legal firm I’m working with to help develop their data security policies; they are the definition of a small business in size, however, they are very good at what they do and they work with some of the largest and best-known businesses in the world. Because of this, they are also very sharp around their security requirements. They cannot afford to be casual in their data security approach, because they know that if they are impacted by a cyber incident, this potentially exposes their customers, and if that happens, just once, it potentially destroys their business overnight.

One day your customers may just demand it

The other side of the above example is that your customers aren’t stupid and are not unaware of the data security threats that are out there. We are increasingly seeing customer-driven pressure forcing many businesses to review and take more seriously the data security threat, or at least to do that if they want to retain their customers.

This supply-chain-driven approach, demanding tighter security from suppliers, is fully understandable. You don’t want to put lots of time, effort and financial investment into your data security and then let one of your suppliers drive a bus right through the middle of your carefully honed data security systems.

Summary

That’s just a handful of the reasons that, if you started reading this thinking “I’m not really at risk”, will hopefully make you re-evaluate the cyber risk presented to your business. Once you’ve done that, hopefully those other myths we listed become issues that are now key to overcome. The good news is that, in reality, taking the right steps to protect your data and your critical business assets is not too hard (have a read here of how Microsoft Cloud is making data leak prevention easier for customers), and there’s plenty of great advice out there to help you get started.

If this post has got you thinking and you still want to learn more about how to overcome some of the data security myths and challenges out there, and you are in the Liverpool or Manchester area, please feel free to join us at our upcoming events. If that doesn’t work for you, as always you can contact me in any of the normal ways, via the BLOG site, Twitter or LinkedIn, and I’ll be more than happy to chat.

Join us in Liverpool on Tuesday March 1st

Join us in Manchester on Thursday March 31st