Battle lost? The data protection threat in our digital world

Publicly reported data breaches represent only the tip of the cybercrime iceberg, and attackers appear to be breaching enterprise IT security systems with impunity. The data protection threat and the continual cyber attacks on organisations are real.

Data protection threat – Legislation and regulation

The effectiveness of any data breach notification or privacy legislation in our fast-moving, mercurial and shadowy digital world has to be questioned. The speed and agility of the cybercrime industry stands in stark contrast to the glacial pace of regulatory and legislative evolution. Legislating across multiple legal jurisdictions only adds to the overhead of prosecuting cybercriminal activities, because cybercrime is borderless in our digital world. The recent high-profile conviction of the creator of the online illicit drug marketplace known as the Silk Road is a rare case of a successful cybercrime prosecution and conviction. The Silk Road take-down followed a sustained and extensive investigation of a known and visible target; moreover, the main prosecution related to money laundering and narcotics dealing, not to data theft or cybercrime as such. In the face of advanced persistent threats (known in the security industry as APTs), the protection offered by legislation is limited, especially where an organisation is not even aware that an attack has occurred. Cybercrime is sophisticated, well funded, big business and a constant threat. The addition of nation-state cybercrime only adds to the challenge.

It is safe to assume that if your organisation has intellectual property, trade secrets or other high-value information, someone, somewhere will probably be taking an interest in it, without your permission.

Who’s been visiting in my Cloud?

Mandatory data breach reporting legislation also presents a unique challenge for organisations with existing cloud computing arrangements, in that they are, for the most part, at the mercy of their provider's willingness or ability to meet these legal requirements. In the face of such legislation, it is prudent for cloud customers to reassess their cloud provider's security measures, loss compensation and remediation approaches.

Quo Vadis your IT Department?

Add to this mix the challenges facing those organisations at war with their own IT departments or IT vendors. Legacy systems, poorly architected IT services based on fragmented technologies, inflexible IT supply contracts, and substandard business leadership and technology management practices are hindering many an organisation's ability to respond rapidly to changing cybercrime threats, not to mention the increasing demands from regulators and legislators to protect important information assets. Moreover, the pervasive phenomenon of shadow IT is a contributory risk: individuals, local departments or business units within organisations implement IT systems without the appropriate due diligence, adding to the risk of a potential data breach. Both shadow IT and cybercrime escalate the risks of, and the challenges associated with, the protection of sensitive data.

The data protection threat – Room for improvement

In an era of financial austerity, organisations are keen to cut all unnecessary costs, and the lure of cutting the ongoing investment in information security is a constant trade-off, especially where they have no history of data breaches.

It's akin to an airline gradually reducing the maintenance effort on its fleet of aircraft because it has never yet had an accident.

The question is which airline is carrying your personal data, and when it crashes, will you hear the explosion or will it disappear silently and without a trace into the digital Bermuda Triangle?