As recent news items have shown, organisations such as Talk Talk, Sony, Ashley Madison, Carphone Warehouse, Uber, Target and British Airways (the list goes on and on) are all open targets for attackers.

What these breaches all have in common is the theft of personal data: not competitive data, not directly commercial data, and not primarily credit card or bank details (although in many cases some limited payment or bank details were exposed as part of the attack, they were not necessarily the main target).

As I have written previously, requirements for data security are constantly evolving, and will continue to do so, but from a business perspective, what are the guiding principles for securing data?

For many organisations, the starting point is either a regulatory or contractual requirement (such as PCI-DSS for card payments), or, more generally, the data protection principles that the Information Commissioner's Office requires organisations (in the UK, at least) to follow. Broadly speaking, the focus of these principles is to ensure the security of the personal information an organisation holds about others, but it is also important to note that the ICO's guidance on how to meet them is not prescriptive: it sets out outcomes rather than specific controls, and is therefore open to different interpretation by different people.

To paraphrase these principles, they state that personal data should be used only for the purpose for which it is held, and that it should be held securely, with only authorised persons able to access it. This sounds simple enough, but how does one put the theory into practice? There are numerous ways in which this can be achieved, including robust encryption of the data at rest and in transit, micro-segmentation of the network so that a compromised system cannot reach the data stores, and stronger authentication (for example multi-factor) for users accessing the data, amongst others.
It is an ongoing battle to keep track of where and how data is used in internal and internet-facing systems, and to keep those systems patched and secured. As time passes, many organisations struggle to track the many locations in which data may reside and the many ways in which they are using it. Sometimes people leave the organisation, taking that knowledge with them, and data whose location nobody can now account for is immediately at risk.

A couple of questions often come up after any theft of data: "How could this attack happen?" and "Surely 'they' should have been able to prevent it?" Such attacks will continue to occur, because any system is only as strong as its weakest point, because new vulnerabilities and attack vectors are always being identified (and old ones re-used), and because attackers are constantly probing from all corners of the globe.

A comprehensive security strategy, one that understands the data being protected, looks honestly at the current environment and anticipates future developments, is absolutely vital, and is the only way that any organisation can have even a small chance of minimising its risk and exposure.

As long as your personal data has a value, it will be targeted.