Knowledge is power and data is the new gold!
Data shares many characteristics with gold. Data can be reused to create new knowledge, just as gold can be remelted into new valuables. Gold gains value when it is turned into jewellery, and data gains value when it is organised into a clear, well-presented report. And just as storing gold requires precautions and incurs security-related costs, storing data requires constant investment in security. Unlike gold, however, new data is created all the time.
Already in 2020, each person on Earth created on average 1.7 MB of data per second, which means 143 GB of data per day, i.e., about 7 hours of film in 4K resolution (zipped). The volume is large because the new content created is mainly audiovisual. Many Teams meetings are recorded for record-keeping, new cars record their rides to train AI, apps buffer films, music and web pages so that our devices feel faster, and phones let us take high-resolution photos and videos of any moment of our lives. Also, video surveillance keeps an eye on every step we take in public places, and every move we make on the web is recorded to decide which ad to display.
Cloud services add responsibility to companies
Where people used to save data on their own computers, documents, photos and videos are now saved directly in cloud services, which shifts responsibility to the service providers. If a company provides a modern working environment to its employees, the responsibility for storing and protecting all that data lies with the employer. This requires an increasingly sophisticated IT architecture.
During the pandemic, new ways of working were adopted quickly, and new, untried apps were rolled out to support them. IT management in companies without remote-work experience quickly lost control over data-related processes, and central management of cloud services is not easy to regain once control has been lost. Many of the new apps were created with no heed to security or central management. Companies struggle with employees who do not want to give up the apps they are used to, and retraining employees on the apps the company prefers is a time-consuming affair.
User accounts are vulnerable to cyber threats
In an infrastructure built on cloud services, data is accessible from anywhere, both at work and at home. The only things needed for access are the correct user name and password. For the sake of convenience, employees tend to use the same user name and password across many different services. Therefore, when one service is breached, it is easy for cyber criminals to move on to the next systems the company uses with the same credentials.
To manage this risk, Single Sign-On (SSO) and Multi-Factor Authentication (MFA) are used. Single Sign-On means that the company uses one centralised system of user accounts and rights (Active Directory, Entra ID) to manage all computers, servers and service users. Every new service that is commissioned is connected to this central system, so that the employee uses the same account for all services. At first glance it may look to the user as if the system is simply built on reusing the same user name and password in every service. This is not the case: the services in an SSO solution do not store passwords in their own databases. When a person wants to use a service, the service contacts the company's centralised system of user rights. Once the central system has identified the person, it confirms the authenticity of the account to the service and the person is given access. So even though all services are indeed used with the same user name and password, the identification itself takes place only in the system the company controls.
Multi-Factor Authentication (MFA) requires an additional device for identification that cyber criminals cannot easily get hold of. For instance, when a service suffers a breach, the user names and passwords of people who reuse them across services may end up downloadable from the internet; it is far harder, however, to get hold of the user's phone, to which a security code is sent by SMS.
Therefore, contemporary authentication must use Multi-Factor Authentication so that a leaked user name and password alone do not grant unauthorised access. Company data is best protected by combining the two, Multi-Factor Authentication and Single Sign-On: an attack is easier to prevent, and if one does occur, the account can be closed quickly from a single place.
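The following is an added illustration of the flow described above, not code from the article or from any named product. A toy identity provider holds the only copy of the credentials, checks the password (first factor) and an RFC 6238 TOTP code (second factor), and issues a short-lived signed assertion bound to one service; the relying services verify the assertion and never see a password database. All user names, keys and secrets are constructed demo values, and the assertion is signed with a shared HMAC key for self-containment (a real deployment would use the identity provider's public-key signature, as in SAML or OpenID Connect).

```python
"""SSO + MFA demonstration (constructed example, not the article's code)."""
import base64
import hashlib
import hmac
import json
import os
import struct
import time


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code over HMAC-SHA1."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code and one step either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))


class IdentityProvider:
    """The company's central account system: the only place passwords live."""

    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key
        self._users = {}  # username -> (salt, password_hash, totp_secret)

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, pw_hash, totp_secret)

    def authenticate(self, username, password, code, audience, now):
        """Both factors must pass; on success return a signed assertion for `audience`."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, pw_hash, totp_secret = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        if not verify_totp(totp_secret, code, now):
            return None
        payload = {"sub": username, "aud": audience, "iat": now, "exp": now + 300}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._signing_key, body, hashlib.sha256).digest()
        return body + b"." + base64.urlsafe_b64encode(sig)


class Service:
    """A relying service (mail, file share, ...). Stores sessions, never passwords."""

    def __init__(self, name: str, idp_verify_key: bytes):
        self.name = name
        self._key = idp_verify_key
        self.sessions = set()

    def login(self, assertion: bytes, now: int) -> bool:
        try:
            body, sig = assertion.split(b".")
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
                return False
            claims = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:  # malformed assertion (includes binascii/JSON errors)
            return False
        # An assertion issued for another service, or an expired one, is rejected.
        if claims.get("aud") != self.name or claims.get("exp", 0) <= now:
            return False
        self.sessions.add(claims["sub"])
        return True


def demo(now: int = 1_700_000_000) -> dict:
    key = b"demo-idp-signing-key"          # constructed
    totp_secret = b"demo-totp-seed-1234"    # constructed
    idp = IdentityProvider(key)
    idp.register("alice", "correct horse battery staple", totp_secret)
    mail = Service("mail.example.test", key)
    files = Service("files.example.test", key)
    good_code = totp(totp_secret, now)
    valid_now = {totp(totp_secret, now + d) for d in (-30, 0, 30)}
    wrong_code = next(c for c in ("000000", "111111", "222222") if c not in valid_now)
    assertion = idp.authenticate("alice", "correct horse battery staple",
                                 good_code, "mail.example.test", now)
    return {
        "correct_mfa": assertion is not None and mail.login(assertion, now),
        "wrong_mfa": idp.authenticate("alice", "correct horse battery staple",
                                      wrong_code, "mail.example.test", now) is not None,
        "wrong_audience": files.login(assertion, now),   # token for mail used at files
        "expired": mail.login(assertion, now + 600),
        "service_stores_passwords": hasattr(mail, "_users"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes concrete is the one in the text: the services share an account, yet only the identity provider ever checks a password or a one-time code, and an assertion stolen from one service is useless at another and dies within minutes. Disabling `alice` in the identity provider would cut off every service at once.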
Only centralised management is fast
In addition to account management, it makes sense to centralise a company's other cyber protection services as well. Centralised data access management, centralised logging of use, centralised backup and other centralised operations are increasingly unavoidable in the era of cloud services. Only in this way can the people responsible for cyber security have a complete picture; system logs and backup copies kept on individual systems never cover a long period.
A survey carried out in 2021 by Blumira and IBM found that the average life cycle of a cyber incident is 287 days, of which 212 days were spent detecting the breach and 75 on containing and fixing it. Successful cyber attacks are usually discovered only once the consequences are obvious. Local device logs, which devices keep only for a short time, are therefore insufficient, and the logs of systems that have fallen victim to cyber criminals cannot be trusted. It is therefore practical to apply centralised system logging and data backup in which data is retained for at least 365 days.
Which security measures are sufficient?
To decide which data should be protected and which security measures should apply to it, data must first be classified. Some data is always more important than other data, and the preservation of its integrity and confidentiality needs stronger guarantees. To assess this, the importance of data is measured by how it needs to be used and by the impact of its use. The risks applicable to the data are then identified, and on that basis the procedures and technical solutions that protect the data are designed.
Companies often decide that all data is equally important or that the same security measures should apply to all of it. If applying the highest security measures to the storage of all data is financially feasible, the information security standard ISO 27001 does not prohibit it. However, the obligation to instruct the employees who process the data remains if the data includes business secrets or personal data.
The Protection of Business Secrets Act states that a business secret is information which is not generally known among specialists in the field, has commercial value because it is secret, and has been subject to reasonable measures to keep it secret. If a business secret is protected in the same way as any other data, and a specialist has access to all data equally, it is impossible to tell a business secret apart from other data. A specialist who works for the company and has daily access to data cannot know that particular data is not generally known in the field; if the business secret is protected exactly like information that is generally known, the employee treats it as any other information that facilitates their work. It is therefore important to mark business secrets so that they are distinguishable from generally known information.
The Personal Data Protection Act sets even stricter requirements for the processing of personal data. For instance, paragraph 14 requires that a data subject be identified only as long as the purpose of processing requires, and permits personal data to be processed only for specified, explicit and legitimate purposes. Paragraph 17 requires the controller and processor to permanently erase personal data once its retention period expires. Such requirements can only be met if personal data is separated from other data and the legal procedures applied to it differ from the storage and processing requirements that apply to the company's remaining data.
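As an added example (not from the article or any legal text), the following shows why the classification the previous paragraphs call for is a technical prerequisite and not only paperwork: handling rules, need-to-know access and retention-driven erasure are all derived from the label on a record, so an unlabelled or mislabelled record is never caught by the erasure routine. The label names, the policy table, the group names and the retention terms are hypothetical placeholders.

```python
"""Classification-driven handling rules (constructed example, not the article's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Set


class Label(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    BUSINESS_SECRET = "business_secret"  # must be visibly marked, per the Business Secrets Act
    PERSONAL_DATA = "personal_data"      # carries a retention term, per paragraph 17


@dataclass
class Record:
    record_id: str
    label: Label
    created: date
    retention_days: Optional[int] = None   # only meaningful for personal data here
    content: Optional[str] = "..."         # None once permanently erased


# Hypothetical policy table: which measures follow from each label.
POLICY = {
    Label.PUBLIC:          {"encrypt": False, "log_access": False, "need_to_know": None},
    Label.INTERNAL:        {"encrypt": True,  "log_access": False, "need_to_know": None},
    Label.BUSINESS_SECRET: {"encrypt": True,  "log_access": True,  "need_to_know": {"product-team"}},
    Label.PERSONAL_DATA:   {"encrypt": True,  "log_access": True,  "need_to_know": {"hr"}},
}


def may_access(record: Record, user_groups: Set[str], audit: list) -> bool:
    """Need-to-know check; access to labelled data is always written to the audit list."""
    rule = POLICY[record.label]
    allowed = rule["need_to_know"] is None or bool(rule["need_to_know"] & user_groups)
    if rule["log_access"]:
        audit.append((record.record_id, record.label.value, "granted" if allowed else "denied"))
    return allowed and record.content is not None


def due_for_erasure(records: List[Record], today: date) -> List[Record]:
    """Personal data whose retention term has run out and which still holds content."""
    return [r for r in records
            if r.label is Label.PERSONAL_DATA and r.retention_days is not None
            and r.content is not None
            and r.created + timedelta(days=r.retention_days) <= today]


def erase_expired(records: List[Record], today: date) -> List[str]:
    """Permanently erase expired personal data; return the erased record ids."""
    erased = []
    for r in due_for_erasure(records, today):
        r.content = None  # a real store would also purge the record from backups per policy
        erased.append(r.record_id)
    return erased


def demo(today: date = date(2024, 6, 1)) -> dict:
    records = [
        Record("cv-001", Label.PERSONAL_DATA, date(2023, 1, 10), retention_days=365),  # term expired
        Record("cv-002", Label.PERSONAL_DATA, date(2024, 3, 1), retention_days=365),   # within term
        Record("cv-003", Label.INTERNAL, date(2023, 1, 10)),  # personal data filed as INTERNAL: never erased
        Record("recipe-7", Label.BUSINESS_SECRET, date(2022, 5, 5)),
    ]
    audit: list = []
    return {
        "erased": erase_expired(records, today),
        "secret_for_hr": may_access(records[3], {"hr"}, audit),
        "secret_for_product": may_access(records[3], {"product-team"}, audit),
        "audit_entries": len(audit),
    }


if __name__ == "__main__":
    print(demo())
```

Record `cv-003` is the case the text warns about: it is the same kind of data as `cv-001`, but because it was never separated from ordinary internal data, no retention rule reaches it.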
Which cyber protection requirements should be applied first?
The practical technical data protection measures to be applied include at least the following:
- applying encryption to both data storage and data transfer;
- keeping a secure backup copy in another location;
- updating all equipment in a centralised way;
- applying Multi-Factor Authentication (MFA) to accounts;
- using Single Sign-On (SSO) in all services;
- training employees to recognise cyber threats and phishing emails.
Once the steps above have been taken, the next practical steps include:
- applying technical measures to block data leaks;
- logging access to confidential data;
- logging the activities of users and administrators;
- managing all logs centrally for a complete picture;
- documenting operational instructions for fast response to security incidents.
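To show what the three logging items above buy in practice, here is an added example (not from the article) that correlates two services' logs once they sit in one central store: the identity provider's login events and a file service's access events, both keyed by the same SSO account. Three findings come out that neither log could produce on its own: a successful login without MFA following failed attempts, a read of labelled data by an account outside its need-to-know group, and a read of labelled data by an account that has no login event in the identity provider at all (a service that bypasses SSO). The log lines, account names, paths and groups are constructed for the example.

```python
"""Central log correlation over two sources (constructed example, not the article's code)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines from the identity provider and the file service.
IDP_LOG = """\
2024-03-01T08:00:01Z idp login user=alice result=success mfa=yes src=10.0.0.5
2024-03-01T08:00:40Z idp login user=bob result=failure mfa=no src=198.51.100.7
2024-03-01T08:00:42Z idp login user=bob result=failure mfa=no src=198.51.100.7
2024-03-01T08:00:44Z idp login user=bob result=success mfa=no src=198.51.100.7
"""
FILES_LOG = """\
2024-03-01T08:05:10Z files read user=alice path=/finance/q1.xlsx label=business_secret
2024-03-01T08:06:02Z files read user=bob path=/hr/payroll.csv label=personal_data
2024-03-01T08:06:30Z files read user=carol path=/public/brochure.pdf label=public
2024-03-01T08:07:00Z files read user=dave path=/finance/forecast.docx label=business_secret
"""

# Hypothetical need-to-know groups per data label.
NEED_TO_KNOW = {"business_secret": {"alice", "dave"}, "personal_data": {"hr_admin"}}

LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")  # timestamp source action key=value...


def parse(text: str) -> List[Dict[str, str]]:
    """Normalise 'ts source action k=v k=v' lines into dicts; skip malformed lines."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, source, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append({"ts": ts, "source": source, "action": action, **fields})
    return events


Finding = Tuple[str, str, str]  # (user, rule, detail)


def analyse(idp_text: str, files_text: str) -> List[Finding]:
    events = sorted(parse(idp_text) + parse(files_text), key=lambda e: e["ts"])
    idp_users = {e["user"] for e in events if e["source"] == "idp"}
    failures: Dict[str, int] = defaultdict(int)
    findings: List[Finding] = []
    for e in events:
        if e["source"] == "idp" and e["action"] == "login":
            if e["result"] == "failure":
                failures[e["user"]] += 1
            elif e["mfa"] != "yes":
                findings.append((e["user"], "login_without_mfa",
                                 f"{e['ts']} success without MFA after "
                                 f"{failures[e['user']]} failures from {e['src']}"))
        elif e["source"] == "files" and e["label"] != "public":
            user = e["user"]
            if user not in NEED_TO_KNOW.get(e["label"], set()):
                findings.append((user, "no_need_to_know",
                                 f"{e['ts']} read {e['path']} labelled {e['label']}"))
            if user not in idp_users:
                findings.append((user, "no_central_login",
                                 f"{e['ts']} read {e['path']} with no login event in the identity provider"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in analyse(IDP_LOG, FILES_LOG):
        print(f"{user:6} {rule:18} {detail}")
```

The `no_central_login` rule is the one that depends entirely on centralisation: the file service's own log looks perfectly normal for `dave`, and only the absence of a matching event in the identity provider's log reveals that the service is not behind SSO. The same correlation is only possible for as long as both sources are retained, which is why the text asks for at least 365 days.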
The recommendations above are the first steps in developing security. The specific measures and systems each company applies depend on its industry and on the sensitivity and value of its data.