CIA is not enough
The three basic principles of IT security are confidentiality, integrity and availability - sometimes known as the CIA triad. Briefly, information should not be made available to those who are not authorized to use it, it should not be subject to unauthorized modification and should be available to those authorized to use it as and when needed.
Information assurance (IA) goes further - requiring that the authenticity of information can be assured and that actions cannot be repudiated.
Successful IA depends on cybersecurity - security that takes into account all aspects of the interactions between physical and technological environments and the people who use them. It includes IT security governance, risk management and compliance (GRC).
N+S has many years of experience in dealing with companies across these areas.
Well, they got our attention
The eye-watering fine regime caught everyone’s attention. Then, a flurry of policy-making activity, first as organizations sought to ensure they were legally covered, then to assure users that their personal data was safe. Much of this activity was lawyer-led and focussed on privacy.
Being lawful - necessary but not sufficient
The problem with a legalistic approach is that it ensures that policies are legally compliant but does not necessarily capture the technical difficulties of implementation, let alone address them. Likewise, privacy is an essential requirement of information security, ie ensuring confidentiality. But confidentiality is not enough, the integrity and availability of information also need to be protected.
Data protection - a work in progress
From our experience of talking to many companies about data protection, and cybersecurity more generally, it is clear that much still needs to be done, particularly in relation to data integrity and availability. Legacy data and applications are a case in point. There are sometimes unresolved issues around the mechanisms for transferring personal data securely to other data controllers, as well as providing data subjects with information regarding automated decision making.
For companies developing applications to process personal data, there is a requirement for security by design and default - not only to implement it but to demonstrate that it has been integrated into design and development processes. This is an area that has historically been poorly addressed.
The IT environment is changing rapidly. Dealing with AI, big data and IoT, will all affect how data protection will need to be implemented. Then there is the (as yet unresolved) way which the UK’s data protection environment will be affected by our changing relationship with the EU, particularly as far as the European Data Protection Board is concerned.
In short, data protection is likely to require considerable attention from companies for the foreseeable future.
Interested in how we can help? Find out more about our DPO services and Bespoke training.
A moving target
You cannot afford your cybersecurity defences to be static. They need to evolve to meet continually changing threats and vulnerabilities.
Know your weaknesses
This is the easy-ish part. Vulnerabilities are (for the most part) internal. You can seek them out. New technical vulnerabilities are being discovered on a daily basis, so most companies have a rolling program of automated vulnerability assessments.
Know your enemies
Many of the threats you face will come from external sources. Identifying these is harder, it requires research. Once you have identified the likely sources and their motivations, you need to understand what they will target. Thinking like the hacker and carrying out penetration (pen) tests will help you understand how they could exploit your weaknesses to achieve their ends. Companies will often engage independent consultants to carry out these tests, typically on an annual basis. These are useful as they bring an outside perspective. However, you will gain extra benefit from running your own pen tests more frequently, particularly when new threats are identified.
So far, we have referred to external threat sources. Of course, the most dangerous threats are likely to arise from malicious insiders. Tailored internal pen tests can also identify the damage that they could cause.
Call us to find out how we can help you to train you staff to carry out pen tests safely.