Wednesday, February 6, 2013

The changing definition of security

As technology continues to advance with the growth of cloud computing and SaaS, data security needs to be at the forefront of every CIO, CEO and IT manager’s mind.
There’s no doubt that the nature of the security industry is changing. Recent high profile data losses like LinkedIn’s loss of user data as a result of a security breach (reported by Reuters) and a breach of security systems at Global Payments (reported by the Financial Times) were met with widespread media coverage and speculation on the readiness of the companies involved to combat the threat from hackers. As a result, security is being pushed further up the news agenda. With the European Commission (EC) recommending its mandatory breach disclosure policy, it’s not hard to see why companies are nervous about what the future holds when it comes to security policy.

For many years, security meant guarding the perimeter, setting up firewalls, securing laptops and protecting data as it left the safety of the company, but that’s all changing. As cloud computing and SaaS continue to take over the office, the very definition of security, and what needs to be secured within an office, is changing. It is now data itself that is at risk. From the moment it is created, accessed remotely, emailed and printed, information is at risk throughout its lifecycle from external threats and internal mistakes. We now live in an information-driven age where knowledge is a valuable commodity.

If the recommendations within the European Commission’s data protection directive go ahead, a mandatory breach disclosure will be enforced, whereby organisations must notify the national supervisory authority of serious data breaches—potentially within 24 hours. The extent to which this will be feasible is still being debated, but there is a real risk that it could result in businesses being forced to tackle single data breach cases rather than investing in changing the security culture within an organisation, which would have a greater positive impact on the security measures adopted.

One recommendation by the EC for businesses with more than 250 employees is the appointment of a dedicated security officer who can implement a more holistic security infrastructure that encompasses all parts of the network. Whether data is passing through a smartphone, printer or laptop, it needs to be protected and a data protection or security officer needs to take a bird’s eye view to see the security needs of the organisation as a whole, rather than relying on a one-size-fits-all approach that puts a fence indiscriminately around the perimeter.

Security considerations need to be woven into the structure of a company so that if any issues arise they can be dealt with quickly, effectively and within the deadline. Although many companies may be worried about the impact the proposed EC directive will have on their business, it can be turned into a positive if the data officer is employed well by the company to improve the overall security strategy and is focused on locking in data as it is created, rather than solely catching breaches. In Germany, where it is already more common for companies to have a data protection manager, there is a higher perception that organisations do just the right amount to protect both company and customer data. A recent ICM / Canon study revealed that 47 per cent of consumers in Germany thought organisations were doing enough to protect data, compared to just 29 per cent of UK respondents.[1]

A recent survey by Shred-it Security Tracker found that 59.8 per cent of SMEs said they don’t believe that the loss of data would have any impact on their business.[2] This is a shocking statistic and while small data losses may go unnoticed by most consumers, the catastrophic effect that a major security breach or data loss can have on an organisation can’t be ignored. When it comes to data security, it’s definitely a case of prevention being better than cure. That doesn’t necessarily mean that consumers need to know all the details about the work that goes into preventing data loss. Most consumers only read through the key parts of security clauses, but overall there is room for improvement when it comes to consumer awareness around the security measures organisations are taking already to protect important data.[3] One in three consumers questioned think businesses don’t do enough to protect data from getting lost or misused.[4]

The findings of the ICM / Canon research highlight that there is a huge difference between the awareness and knowledge held by consumers around security issues across Europe. For example, in the UK 30 per cent of consumers only read the topline parts of security clauses and 37 per cent feel that organisations don’t do enough to protect data from getting lost or misused. This shows that even sharing topline information about the security processes in place can help consumers to feel that a company is doing enough to protect the data it holds.

Whether the European Commission’s data protection directive comes into force or not, security and what it means is changing as the shift to data-led business continues. Whether this translates into security becoming a key purchasing consideration is debatable, but it is clear that data security needs to be at the forefront of every CIO, CEO and IT manager’s mind.

[1] Consumer Attitudes to Data Loss research, Canon Europe / ICM, April 2012
[2] Shred-it survey, Info4Security, June 2012
[3] Consumer Attitudes to Data Loss research, Canon Europe / ICM, April 2012
[4] Consumer Attitudes to Data Loss research, Canon Europe / ICM, April 2012