Regardless of whether information is stored in internal company structures or outsourced to an external service provider, security should be the first priority at every level. Data, though it does not have a tangible physical presence, is after all the most precious resource of every company.
Just how important and relevant data protection is today is confirmed by the recent efforts of the European Parliament. In April of 2015, the EP enacted the General Data Protection Regulation, which unifies and enhances existing standards. These new regulations will take effect in May 2018, introducing new requirements for companies and institutions involved in data protection and processing. Once the regulations take effect, all data will be subject to precise inventory and analysis. This will demand considerable knowledge and the work of qualified IT technicians specialising in data protection.
A report commissioned by Intel, 'Grand Theft Data Exfiltration Study', indicates that as much as 43% of data leaks are caused by internal errors in the organisation, including employee oversight. Maintaining the security of information in a large company becomes increasingly difficult as greater numbers of people from outside the company structure, such as suppliers, contractors, and sub-contractors, become involved in the business.
When making the decision to work with an external organisation, it is important to remember that the responsibility for data security still rests with us. So, it’s a good idea to pay attention to a few factors which can help protect us from a painful leak which may disrupt the smooth workflow of the organisation.
When choosing a partner to store our data or to bring our data management practices in line with the GDPR, we should carefully examine this partner's competences. This does not mean simply looking at references or opinions, but rather looking for highly demanding quality certifications. The introduction of airtight security policies in the whole organisation, together with mechanisms for their implementation, can prevent many problems from occurring.
It is worthwhile to look at the type of certificate which a potential partner possesses. There are different types of certification available on the market, such as SAS70 or SSAE16, but one of the most respected and valued of them is ISO27001 certification, which intive also holds. Possession of such a certificate is a serious responsibility for the company, and a company which holds it cannot afford to allow potential problems to arise.
Even if we are dealing with the best data storage and protection specialists, we should not be afraid to check their competence. Just as airline pilots, who know every pre-take-off procedure like the back of their hand and could carry it out perfectly even if woken from a deep sleep at 3 a.m., still keep a checklist, it doesn't hurt to do the same in IT; here it takes the form of a background check which is routinely carried out for every new supplier.
This verification should involve an analysis of security procedures; it can be a simple list of questions, or it can be taken to the level of an external security audit of the contractor or supplier conducted by an independent agency. Our company, intive, stands on both sides of the proverbial barricades: we conduct verifications of our clients, but we are also subject to verification ourselves when entering into collaboration with new clients.
A crucial element, both for our own organisation and for our subcontractors, is the conduct of periodic security audits. These can take different forms: from verification of procedures and of the extent to which those procedures are respected, to so-called "penetration tests", which are attempts to gain unauthorised access to data conducted by specialists employed for that purpose. At intive, we carry out such tests in cyberspace: controlled attempts to break through a company's security systems using the tools and methods that hackers use.
In the real world, these tests often involve breaking through the physical barriers meant to protect data, such as unauthorised persons gaining access to restricted spaces, or exploiting a receptionist's momentary inattention to gain access to data storage devices or documents. In data protection, the weakest link is often the human element, which is why "social engineering" tests are so important. These test the resistance of employees to manipulation and provocation aimed at getting them to reveal company secrets, whether consciously or without being aware of it.
Currently, the majority of serious leaks take place via digital channels, and securing these channels requires narrow specialisation and constantly upgraded competences bolstered by experience. One way of dealing with this issue is to introduce and train units within the company which are permanently responsible for data security.
Our experience shows, however, that the best effects are achieved when responsibility for data security is fully entrusted to an experienced technological partner. The broad and highly varied experience drawn from a multitude of different cases, often of critical importance, which an external data security provider can offer is incomparably greater than what can be achieved by a unit working within the mother company. The best solution is to combine the skills of both groups, a sub-contractor and an in-company unit, which constantly synchronise the operations of the company with its suppliers and contractors in terms of data security.