page contents

Data Security
Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach. Business data has always been at risk from the activities of criminals and fraudsters. It’s been routinely stolen from companies by disgruntled salespeople and unwittingly lost on trains and in cafes by workers in a moment of forgetfulness. It’s becoming an ever-increasing risk in the digital age as people and businesses become ever more dependent on the use of data in their everyday lives.

 

Where Data Security Risks Come From

 

Today, the risk of data loss has never been greater. The perfect storm of data risk comes from four main areas:

  1. Pace of data capture – We capture more data than we ever have. Mobile phones, sensor networks and the Internet of Things, digital cameras and CCTV, cloud computing and big data – countless more ways to rapidly capture and publish data, more places to put it.
  2. Digital economy reliance on data – We depend on data more to live our lives. Imagine what would happen if there was no Internet for just one day!
  3. The appeal of cybercrime – It’s more rewarding and less risky for criminals to profit from data than it is to break into a bank.
  4. Cyberwar – Nation-states identify data as a key battleground and are investing in billions in their attacks to dominate the cyber-world.

 

Risks to Data

 

Risks to data will generally fall into two categories – best articulated by Hanlon’s razor aphorism, ‘Don’t assume bad intentions over neglect and misunderstanding’ – where either:

  1. Data is unintentionally exposed by an individual through an error of judgment, inappropriate user behavior, a poor governance policy, or a poorly constructed technology architecture – or an unlocked door or access point that gives a third party access to data.
  2. Data is intentionally targeted by a third party conspiring to use it for inappropriate reasons. These individuals will use hacking attacks, bribery and corrupt means to acquire the data they seek.

In both cases, organizations have a vested interest to establish effective data security. This should include clear security governance protocols and ecosystems to master control over who can access data and to what end. Accountability for the design, implementation and operation of such a regime will normally fall to an individual charged with the Information Security role.

A recent survey of directors responsible for IT, resilience and business operations at major companies globally found that 73% said digital security was on the agenda of board meetings at least quarterly or more frequently.

Source: BT and KPMG Research Report 2016

 

The Scale of the Data Security Threat

 

Today’s businesses greatly rely on information, creating complex networks of connected technology, processes, people and organizations, spanning beyond national boundaries. Where people come into contact with this global digital ecosystem at work is the humble office workplace. That too is changing over time. New agile working practices emerge, reshaping the office and how people create, share, and consume information in the workplace and beyond. Securing data in this intricate environment is more challenging than ever before, and most businesses invest in sophisticated technologies such as robust firewalls, up-to-date anti-virus protection, security software and more. However, they often fail to recognize the need to extend that protection to their office printers, leaving themselves more vulnerable than they realize.

SOME INSIGHTS

 

Ransomware is the fastest-growing cybercrime tool, with more than 6,000 online criminal marketplaces selling ransomware products and services, and ransomware-as-a-service gaining in popularity. Source: The report titled ‘The Economic Impact of Cybercrime: No Slowing Down’ – Strategic and International Studies (CSIS) and McAfee, February 2018

  • Some 945 reported data breaches in the first half of 2018 led to 4.5 billion data records being compromised worldwide, a 133 percent increase over H1 2017
  • Social media incidents account for over 56 percent of records breached

 

Gemalto Breach Level Index, a global database of public data breaches, October 2018

 

 

  • 65 percent of data breach incidents involved identity theft

Quocirca Global Print 2025 study published 2018, www.print2025.com

 

  • 84% of organizations report that security will be the most important area of investment from now to 2025.

 

 

 

Humans – the weakest link in your security plan

 

 

In your workplace today, people are using and distributing information. People are arguably the weakest link in any given process chain because they’re emotional and unpredictable, while machines are not.

 

 

Machines have no ‘intent to cause mischief’, people do.

 

That statement places people in an incredibly negative light – but the reverse is also true: humans have the potential to make a positive contribution to security by spotting undesirable behaviors, understanding the impact of events and appreciating risks resulting from the context of data use; things that robots struggle to do. While the tech-industry consistently places its tooling at the center of initiatives to protect data, these mechanisms are unlikely to stand up to a prolonged and determined aggressor committed to accessing your data. This is particularly true of internal breaches, perpetrated by disgruntled or corrupt employees, contractors or visitors.

 

 

Technical controls

 

Technical controls represent only one form of information security control. There are also different forms of ‘human control’ that can be installed to govern, dictate and/or influence the role and influence of people in a secure ecosystem.

 

 

These include:

 

 

 

POLICY CONTROLS

 

These articulate expectations placed on people and how they’re expected to access, share and use data. It’s surprising, for example, how rarely organizations provide guidance to new starters on employer policies surrounding information security.

 

 

EMOTIONAL CONTROLS

 

There are many forms of data security breach but without exception, they start with a human making a decision to do something. These decisions are motivated by some sort of driver, the most common being:

 

 

  • A Malicious Act – Someone wanting to cause a business harm
  • A Financial Gain – Someone seeks to profit
  • Self-Gain – The data in question has a primary value to the individual themselves
  • The Accident – When someone unwittingly puts data at risk
  • ‘Because They Can’ – Some people harbor a desire to see if they are capable of taking data.

 

Keep users happy and, so the argument goes, they’re less likely to want to steal your data in the first place. A recent report from IS Decisions found that the vast majority (86%) of IT professionals consider insider threats to be a purely cultural issue. If that’s true, then it makes sense to keep workers happy. Emotional controls remove the reasons why people choose to breach data security in the first place. An example of a ’emotional control’ is a regular mentoring and coaching meeting that ensures workers are engaged and equipped with the information and tools they need to discharge their role. Studies found that highly engaged employees are 87% less likely to leave their companies than their disengaged counterparts. They are also significantly less likely to walk out of the door with your data.

 

 

Another form of emotional control is to publicize audit procedures so people know that what they do is being monitored. The extent to which organizations can legitimately and legally monitor people will vary from one region to the next but it makes sense that individuals are less likely to steal your data if they know they’re more likely to get caught. Some organizations have taken the step to focus on this approach as their primary strategy to secure their data and rather than investing hugely in technology, state in HR policies and handbooks that robust auditing of data use exists.

 

 

Whatever your views on this approach, a policy decision commonly exists for Information Security practitioners to decide whether they want to:

 

 

  1. Install security technologies and tell everyone they exist.
  2. Install security technologies and tell no-one.

 

PHYSICAL CONTROLS

 

The physical controls to managing people’s behaviors are the more obvious ones – like restricting access to files containing sensitive information.

 

NETWORK SECURITY

It’s hugely important to protect end-points essentially because they give aggressors access to networks. They are the point of interface between hardware and software, humans and machines. Ask most organizations how many end-points they support across their enterprise and they’d most likely struggle to answer. This lack of visibility towards the total extent of the challenge, further exacerbated by the proliferation of sensor-based and mobile computing devices, makes the securing of end-points one of the hottest topics in enterprise computing. Given that end-points are so commonly the point of access to data for humans, there will always be questions of trust surrounding the end-points.

Do you offer people access to devices to get their jobs done, or do you prohibit access and make your enterprise safer whilst at the same time increasing levels of intrusiveness? With increasing numbers of connected devices and as their use within the workplace becomes normalized, the protection of this ‘black box’ becomes increasingly challenging. Should you prevent their use? Can you prevent their use? Securing your device and network infrastructure starts with understanding that the incumbent office environment is ‘safe’. Canon recommends organizations consider an information security health-check to review the status of information security threats.

 

Things You Can Do To Protect Data

 

Install controls to permit only authorized access to the network. Aspects to consider include:

 

 

  • Port control – Configure ports as part of your security policy setting.
  • Proxy server configuration – Set a proxy to handle communication instead of your machine, and use it when connecting to devices outside of the network.
  • IEEE 802.1X authentication – Unauthorised network access is blocked by a LAN switch that only grants access privileges to client devices that are authorized by the authentication server.
  • Log monitoring – Various logs allow you to monitor activity around your device, including blocked communication requests.

 

Discover unauthorized or unusual activity through monitoring. Aspects to consider include:

 

  • Secure data transfer between the device and the network
  • Encryption of data in transit to and from the device – This option encrypts print jobs in transit from the user PC to the multifunctional printer. By enabling the universal security feature set, scanned data in PDF format may also be encrypted.
  • IP and MAC address filtering – Protect your network against unauthorized access by third parties by only allowing communication with devices having a specific IP or MAC address for both outbound and inbound communication.
  • IPSec communication – IPSec communication prevents
 third parties from intercepting
 or tampering with IP packets transported over the IP network. Use TLS encrypted communication to prevent sniffing, spoofing, and tampering of data that is exchanged between the machine and other devices such as computers.
  • Wi-Fi Direct – Enable peer-to-peer connection for mobile printing without the mobile device needing access to your network.

 

Access Control

 

This is the selective restriction of access to a place or other resource (i.e. consuming, entering or using). Knowing who is (and can access) premises, networks and end-point devices, and privileges they hold is a key aspect of security governance.

My title page contents