Data security is a staple topic in enterprise IT, but few technologies exist to mitigate one of the main threats to digital assets: human error.
It is estimated that 60 per cent of enterprise data breaches are a result, not of hacking or malpractice, but of carelessness. In light of this, Allianz Insurance’s Ireland business decided to begin assessing its data security at a user level, and it took the installation of a new office software infrastructure as the perfect opportunity to revise its security protocols across the business.
“We’d been scoring quite low in relation to ISO27k data classification regulations,” said Orla Barry, information security officer at Allianz Ireland, highlighting a score of just 27 per cent awarded in 2011.
“We knew there was technology then that would allow us to do better, [but] it would be a huge project to classify every item of information across the system, and also to introduce that into the culture moving forward.”
It was Allianz’ 2013 decision to upgrade its office software to Microsoft Office 2010 that persuaded Barry to take another look at classification systems in more detail.
“We’d been getting quotes for data classification solutions for a couple of years,” said Barry. “We never proceeded because we needed something that worked with a Citrix and VDI environment, so we needed a product to fit both, as well as our new version of Office,” she said.
The answer came from Boldon James, a company that specialises in data classification products. Its snappily-named Classifier product worked across every system Allianz needed it to, and in a remarkably simple way. And all for around £9,000 across all Allianz Ireland’s 700 end-users.
Classifier works by drawing together Microsoft Office, SharePoint, Access and other file types, and tagging them according to whatever level of security a user ascribes.
The label goes into the file’s metadata, which can be read by any system that needs to process that file – not just Boldon James’ own solution.
Labels drive the rest of the security policies on the network, explained Boldon James CEO Martin Sugden. “You have much less discussion around explaining rights management – it doesn’t need to be done. All users have to do is put a label on [the file], and access control software can look at the label and make its own decision,” he said.
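The label-in-metadata approach described above can be illustrated with a short Python example, added here and not taken from Boldon James or Allianz. It assumes the label is stored as an Office Open XML custom document property named "Classification" and that the scheme has three levels; both the property name and the levels are hypothetical, and the sample files are constructed in the code.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CUSTOM_PART = "docProps/custom.xml"  # OOXML part that holds custom properties
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
LABEL_PROPERTY = "Classification"  # assumed name, not taken from Classifier
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2}  # assumed scheme

def read_label(data):
    """Return the label stored in the file's metadata, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if CUSTOM_PART not in zf.namelist():
                return None
            # For untrusted files, use a hardened XML parser in production.
            root = ET.fromstring(zf.read(CUSTOM_PART))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    for prop in root.findall("cp:property", NS):
        if prop.get("name") == LABEL_PROPERTY:
            return prop.findtext("vt:lpwstr", default=None, namespaces=NS)
    return None

def may_leave_network(data, ceiling="Internal"):
    """Gateway decision based only on the label; fails closed."""
    label = read_label(data)
    if label not in LEVELS:  # unlabelled, unreadable or unknown label
        return False
    return LEVELS[label] <= LEVELS[ceiling]

def make_sample(label=None):
    """Build a constructed, minimal OOXML-style package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if label is not None:
            zf.writestr(CUSTOM_PART, (
                f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">'
                '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" '
                f'pid="2" name="{LABEL_PROPERTY}">'
                f'<vt:lpwstr>{label}</vt:lpwstr></property></Properties>'))
    return buf.getvalue()

if __name__ == "__main__":
    for label in ("Internal", "Confidential", None):
        print(label, "->", may_leave_network(make_sample(label)))
```

Because the check fails closed, a file with no label or an unrecognised one is treated the same as a file above the ceiling, so a user cannot bypass the control by simply not labelling.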
Another benefit of the product seems to be its psychological impact on end-users, who, according to Barry, often adopt a very different attitude to security once they’ve become accustomed to the product.
“It’s huge. It’s been amazing,” said Barry. “The classification system allows you to change the colour – so we have blue for confidential, and so on for each level, to help staff understand requirements. In October 2013 we saw a 60 per cent improvement [in correctly classified data by end-users] since June. As the product was rolled out, people just simply began to understand how data could be confidential.”
The ISO27k scores, meanwhile, have risen from that underwhelming 27 per cent in 2011 to 87 per cent in 2013.
The software’s capabilities even extend to print-outs, which are automatically given a mark showing the document’s classification level.
This feature has also helped to heighten staff’s awareness of the need for certain documents to be kept safe, said Barry.
“Staff asked us for more lockable office storage because they saw the need to lock away all the sensitive data. And people would phone between departments asking when they were going to get various pieces of data back that they’d sent to other users.”
Allianz is now considering rolling out the Boldon James Classifier solution across other departments, and perhaps not a moment too soon: in January 2014, details of 20,000 international customers were leaked from a Dublin branch of Allianz as a result of “human error”.
Sugden was quick to point out that “that particular part of the business isn’t using Classifier”.
“So far, that’s one department we haven’t reached,” he said. “There are a number of others who will be building data classification in soon.”
It seems Dublin might be the place to start.