Whose job is it to decide the true value of individual data? This is the first question to ask before you begin worrying about stopping people losing it. Nick Truman, head of information security at construction firm Balfour Beatty, recently told delegates at Computing’s Enterprise Security and Risk Management 2014 Summit that it should be up the customer to decide.
“Our customers tell us quite clearly what they think their data is worth,” he stated.
“So if you’re building a nuclear power station, or a Ministry of Defence (MoD) bunker in the middle of a field, the last thing you want to do is start putting that stuff up on Facebook.”
On the flipside, building a house extension in Peckham would be no problem at all in terms of social sharing, said Truman. But that’s the obvious, everyday basics. Pass that MoD data to workers with more defined roles, who deal with the nuts and bolts of a project, and security relevance becomes a different story again.
This time it’s personal
“I think as far as the business owners are concerned – the people who actually create the drawings – they do some 3D modelling and pass that data on to sub-contractors who drive JCBs.
“They really don’t care what the value of the data is at all. To them, it’s just a drawing, and if they can put it on Dropbox they will do, because it’s a lot easier than the two-factor authentication we use to get onto our collaboration tools.”
Truman remarked that there is an ongoing value of “different things to different people”, which is still proving a huge challenge to manage – people from various angles of a business can only
ever see their own use case.
“Obviously everybody knows about the risk of HR and personal data, and whether you’re dealing with people getting hurt on building sites, but the hard and fast building laws and things like that are a far greyer area for people actually trying to manage this stuff.”
Director of security at Schillings solicitors, David Prince, said his sector can benefit from strict legal frameworks such as those laid down by the FRA [Forensic Risk Alliance], which helps to put in place “processes and technology”, but still believes the most important thing is people, and these assets should be educated as early and as readily as possible.
“You get to a point where information can flow anywhere in the organisation and beyond,” he said, lamenting the patchy personal practice of employees when “information is the lifeblood for an organisation, and is key to its reputation”.
“Creative training” is the way forward for many organisations, Prince said, but in the field of law, keeping in line with the FRA and others is currently enough to avoid serious slip-ups.
Deftly sidestepping any accusations of lax data value training was UK parliament’s ICT director Joan Miller, who explained that 98 per cent of data held by parliament is “published in the end”, thus “not very secure” because it is effectively public data anyway. This includes “financial data” and “some people data”.
“We have a very limited amount of data that we would regard as secure, and mostly that’s kept in locked cabinets – it’s not in our electronic system. So that’s pretty safe, isn’t it?” Miller asked.
“I’m not sure. I’m not sure paper is any safer,” she added.
“The biggest issue for us is what our users think and do about that data. And the biggest problem for us is if we had data hacked. Because that could change our data, and that would be a problem for us. So we concentrate our efforts on that area.”
That’s your cue, Anonymous.
Paper data is another avenue of data value that is still a huge challenge. As Miller remarked, most ICO fines have been given for data lost on paper, not through IT systems.
“I think it’s often forgotten; it’s one of the more difficult ones to fix, but it comes down to culture,” said Richard Norman, head of IS security, risk and compliance in IT at the British Council, before adding that paper offers its own unique “protection” in a way.
“It’s harder to do something nastier with it, it’s harder to copy electronically, it’s not that easy to move too many records on paper…so you have a little protection – thought you shouldn’t rely on it,” he said.
There are probably still more questions than answers with good practice here. Train your staff to see every angle, take full advantage of industry regulation and don’t forget the prevalence of paper. And most importantly: keep everything away from Facebook.