One data breach can be catastrophic but taking five simple steps can ensure greater resilience
Every organisation’s cache of data is constantly increasing; information on products and pricing, prospects and customers, employees and business partners – there seems to be no end to the confidential information entrusted to employees that needs to be controlled and managed. Risk managers need to trust IT to deploy the security measures required, but with constant IT innovation, even IT is sometimes behind the users’ demand for new methods and more innovative applications. One of these is the use of cloud computing.
One data breach can be catastrophic. We can all name some major breaches that have cost the company involved dearly (Target, Sony, Ashley Madison, TalkTalk) and the fines, resulting loss of customer confidence, and ongoing brand reputational issues can haunt the organisation for years. The new EU GDPR will increase fines, allow class-action lawsuits and demand that regulators are informed, so there’s no time to lose.
As was said in the roundtable, employees often think that they haven’t got any confidential data, until you ask them the right questions. The IT solutions we use mean that individual employees have access to much more information than in the past, so we have to assume that employees will make mistakes and act accordingly. Surprisingly, the one area of data that is often forgotten is the data on your own employees. Morrisons is currently being sued by its employees after their employment data was uploaded to a cloud service by a disgruntled colleague.
Everyone underestimates cloud use, even the IT team - the group you are most likely to ask first. Our statistics from over 500 customer engagements show that IT is usually aware of less than 5% of the cloud services in use in an organisation, and it’s the previously unknown areas that are usually the highest risk. As IT rarely likes to share bad news and doesn’t actually know the total cloud usage, this issue is too important to be left to guesswork. Frankly, if anyone tells you that there’s no cloud use in the organisation, they are not looking very hard, and are risking the organisation by sleepwalking into traffic. We have run hundreds of cloud risk assessments in Europe and never found fewer than 300 different services - and this was in an organisation of only 150 employees.
As most cloud service providers are based outside the EEA, organisations need to check the legal basis on which personal data is transferred to them, and with the recent EU Court of Justice ruling declaring Safe Harbor to be invalid, all current contracts should be reviewed.
You could be forgiven for thinking at this point “we’ll just ban all cloud use”, but that’s frankly not technically possible, nor usually desirable as it can result in the exact opposite of the outcome you want – leading to greater risk not less. If you block the known cloud services, with over 16,000 different services available, users will simply search and find another one – and those less well-known are often the most dangerous.
Five suggested steps to address cloud security needs:
1. Ask IT for an assessment of current cloud use by employees, showing the services in use, the amount of data transferred and a risk rating for each cloud provider.
2. Create a cloud adoption team inside the organisation that is peopled by staff from multiple departments; risk, IT, finance, HR and legal all have a place at the table.
3. Define your policies regarding cloud services, how users request access to new services and the decision-making criteria to add to the approved services list.
4. Educate employees on the risks of data loss, the dangers in cloud and your procedures.
5. Even trusted cloud services may have areas of weakness, such as incomplete transaction logging or gaps in the encryption of data. Ask IT about the additional security services that they are deploying to cover them.
6. Keep on top of it - in a typical organisation employees sign up for one new service per day, so there’s an ongoing issue to check and manage cloud computing.
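Step 1 and step 6 both come down to the same routine: build an inventory of the cloud services employees actually reach, how much data goes to each, and which of them are on the approved list. The script below is an added example, not code from the article or from any vendor tool; it assumes a simplified, constructed proxy-log format (`timestamp user method host bytes_sent bytes_received`), a hypothetical approved-services list and hypothetical per-provider risk ratings, and reports unapproved or unrated services first so the cloud adoption team can review them.

```python
from collections import defaultdict

# Constructed sample log, hypothetical format:
#   <timestamp> <user> <method> <host> <bytes_sent> <bytes_received>
PROXY_LOG = """\
2016-03-01T09:02:11 alice POST approved-storage.example 5242880 1200
2016-03-01T09:05:43 bob POST unknown-share.example 20971520 800
2016-03-01T10:12:09 carol GET approved-crm.example 300 450000
this line is malformed and must be skipped
2016-03-01T11:30:55 bob POST unknown-share.example 10485760 900
2016-03-01T12:01:02 dave POST notes-saas.example 1048576 700
"""

# Hypothetical approved-services list; anything absent counts as unknown cloud use.
APPROVED = {"approved-storage.example", "approved-crm.example"}

# Hypothetical per-provider risk ratings (e.g. from vendor due diligence).
RISK_RATING = {"approved-storage.example": "low", "approved-crm.example": "low",
               "notes-saas.example": "medium"}


def parse_log(text):
    """Yield (user, host, bytes_sent) per well-formed line; silently skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        yield parts[1], parts[3], int(parts[4])


def cloud_inventory(text, approved=APPROVED, ratings=RISK_RATING):
    """Per-service upload volume, user count, approval status and risk, largest uploads first."""
    uploaded, users = defaultdict(int), defaultdict(set)
    for user, host, sent in parse_log(text):
        uploaded[host] += sent
        users[host].add(user)
    return [{
        "service": host,
        "approved": host in approved,
        "users": len(users[host]),
        "mb_uploaded": round(uploaded[host] / 2**20, 1),
        # No rating and not approved: treat as highest risk until someone reviews it.
        "risk": ratings.get(host, "unknown"),
    } for host in sorted(uploaded, key=uploaded.get, reverse=True)]


if __name__ == "__main__":
    for row in cloud_inventory(PROXY_LOG):
        flag = "" if row["approved"] else "  <-- not on approved list"
        print(f"{row['service']:28} {row['mb_uploaded']:>7} MB  {row['users']} user(s)  risk={row['risk']}{flag}")
```

Run daily against the real proxy or firewall export and diff the service column against yesterday's run; a new host that is neither approved nor rated is exactly the "one new service per day" that step 6 says needs a decision.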