Thinking about data protection – Kate Carruthers – S1.4

Transcript

Hi, and welcome to episode 4 of the Data Revolution podcast. I’m Kate Carruthers, and this time I’ll be talking about data protection and how we need to work together with colleagues to ensure that data protection can happen effectively. This is because data protection is a team sport and no one person or no single business unit can do it all on their own. In recent times, I’ve started to use the term data protection as the umbrella term for the things that we need to manage in the organisation. And this includes things like cyber security, information security, data and information governance and privacy. And today I also want to run through the threat landscape so we can see why this is such a big focus area. Every organization holds huge amounts of personal information for staff and customers. They hold things like tax file numbers or social security numbers, bank accounts, other private details.

And increasingly, every organization holds large amounts of customer and staff interaction data. And this is just growing exponentially. For example, the number of data points that we can capture in relation to customer interactions and the AI-based analysis that we can do on that data increases every day. And we have an obligation to secure this data. And we also have an obligation to maintain the privacy of this data. So cybersecurity, information security, data governance, and enterprise risk management and privacy are a key focus. And as you all know by now, I believe that data governance is a key foundation for cyber and information security. So for effective data protection, we need to master all of these, each one of them, cybersecurity, information security, data and information governance, privacy, and they’re all essential risk management functions.

And these all need to be supported by sound policy and procedures, but we also need to make it easy for people to do the right thing. This is especially important because I have found in every single instance that convenience trumps privacy and cyber security in practice, every single time. So allow me a slight reminiscence. My organization got hacked back in 2012, way before it was cool. We got hacked in the same way that the Australian National University did only a few years ago. And since then, we’ve been beefing up our defenses because it was a real wake-up call. We weren’t able to attribute it, but we thought it might be a state actor. And we had been very open to that attack.

So we had to start to focus our cybersecurity and information security. And we appointed our first Chief Information Security Officer arising from that breach. But I want to now just talk about the difference between cyber security and information security because they’re not the same thing. As I mentioned in an earlier episode, cyber security refers to the ability to protect or defend the use of cyberspace from cyber attacks. That’s the definition from NIST. Whereas information security refers to the maintenance of confidentiality, integrity and availability or CIA. That too is a NIST definition and I’m quite fond of NIST so you’ll hear it fairly often. So NIST says information security is, quote, “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability”.

So both cyber and information security seek to reduce the attack surface. And this is another way of saying the different vulnerability areas. We commonly define the attack surface as between digital, physical and social engineering attack surfaces. And the big part of understanding our digital attack surface is understanding our assets. And these are largely data assets. We often call these known assets, unknown assets, and rogue assets. And a systems inventory is the starting place for understanding what data assets you have. And it’s harder than you might think to do this.

We’ve had several tries, we’re still trying, but we keep finding more stuff. And now that people can just get out through port 80 and use their corporate credit card to acquire software as a service, a lot of assets are outside of our own organizational control. So the other things that we need to look at in addition to our digital attack surface is our physical attack surface and social engineering attack surface. Now physical attack surface is largely the province of IT and that’s things like the servers and things that we have. And the social engineering attack surface is things like phishing and somebody impersonating you to the help desk and obtaining a credential. So that’s a big threat for us now. And increasingly now, things that we used to think were quite solid, like voice prints. So biometrics like voice prints were quite, seem to be quite sound, but now with digital fakes, digital deep fakes, they only need a couple of seconds of your voice to create a deep fake of you and be able to then spoof your voice so that they can do a social engineering attack.

So the thing that we often find with this is that there is a constant arms race. We get better, the bad folks get better, we get better, the bad folks get better. So it is a constant arms race and that’s the big challenge with all of this. Now, the other side of this is the threat landscape. So that is the things that are out there that are coming to get us. And when looking at the threat landscape, and there’s lots of places you can get this, but I like the ENISA version of the threat landscape. The proper name is the European Union Agency for Cybersecurity, and they put out a threat landscape every year. And I find theirs really helpful.

So looking back at their 2020 threat landscape, they noted, “Threat landscape maps malware standing strong as number 1 cyber threat in the EU, with an increase in phishing, identity theft, ransomware; monetization holding its place as cyber criminals’ top motivation; and the COVID-19 environment fuelling attacks on homes, businesses, governments and critical infrastructure.”

Well that seems pretty prescient because that was what happened that year. So I recommend that you go and have a look at the ENISA threat landscape and I’ll make sure that the link is in the show notes. And one of the problems we’ve got now is the perimeter has shifted. Back in the olden days, like 5 years ago, 10 years ago, you used to be able to lock yourself behind your firewalls. And once we were locked in safely behind our firewalls, the bad guys couldn’t get to us there. But increasingly, and this has seen – shift has been driven much faster by COVID – the perimeter is now wherever someone logs into your network. And the weakest link in our security remains our people.

So this means that we need to evolve our practices. You know, we can’t hide behind our firewalls anymore. And it means that we need to up our data protection game. And data protection, as I’ve mentioned, is not just one thing. It includes all of the things. So it’s the practices with data and information governance, cyber and information security and privacy, but it’s also a risk management function. And it means that we actually need to evolve our policies and procedures to provide sensible and practical guidance for people. We also need to improve our data management practices so that we build security and privacy into it.

So we’ve all been talking about DevOps for the last few years. Increasingly, we’re talking about DevSecOps, and we’re also talking about privacy by design. And this leads us into the thing that you actually need to start to shift people and culture. And that’s hard because culture is stronger than most things. There’s a famous Peter Drucker quote that culture eats strategy for breakfast. I always joke that a strategy gets eaten for breakfast, lunch and dinner by culture. Once I worked at an organization and I came back a decade later and the culture was so strong, even though they had spent millions of dollars on cultural change programs, they hadn’t shifted anything. The culture was still the same as the day I walked out 10 years before.

So if we’ve got to change all of those practices, it means that we need an organizational commitment to it. But we also need to pay attention to our perimeter, because the perimeter is wherever people are. So we need to evolve our practices to make sure that we can monitor our perimeter no matter where people are. We need to actually understand our network and understand what normal traffic looks like. And the other thing that we need to do is secure our endpoints. So our endpoints are our devices and we need to secure our endpoints, especially now that everybody uses things like Office 365. Because whenever you’re operating on a file using Office 365 on a device, like a desktop or a laptop, every time you open a file, you’re bringing a local copy down. So this means that endpoint encryption becomes increasingly important.

And then we also need to make sure that we’re doing, we’ve got to focus on application security. And this is a big part of the shift to DevSecOps. You might remember in an earlier episode that when I started the data governance program here at work, many people weren’t really interested in it. And many even said they didn’t want any help. But I got these 5 questions from Mike Burgess, who’s currently the Director General of Security in charge of ASIO, the Australian Security Intelligence Organisation. And after we’d run through these questions, people would often end up sobbing on my shoulder, asking for help. And these 5 simple questions really help to focus people on the reality of how their data is managed. And I think they’re extremely valid even now, and they will help the discussion across all of the things that I’ve mentioned.

So the 5 questions are, and you’re all going to get sick of me rambling on about these because I just think they’re actually profound questions. First one, do you know the value of your data? 2, do you know who has access to your data? 3, do you know where your data is? 4, do you know who’s protecting your data? And 5, do you know how well your data is protected? And these, these are the sort of fundamental questions that we need to be starting to think about. And I like them because they put it in plain English. There’s nothing technically complex about any of those questions, but they really help to focus your attention because if you don’t know the answer to one of those questions, you know you’ve got a problem. I think we need more things like this in our world because in the world of data protection, there is a lot of jargon and a lot of big words that normal people don’t understand. And we need to make this understandable for normal people. So one thing that cyber folks often talk about is defense in depth. This is the notion that a series of defensive mechanisms can be layered in order to protect valuable data and information.

If one mechanism fails, another can then step in to stop an attack. And I always think that this is an important way that data governance can help because it can help add layers of protection in addition to all the technical layers that the cyber and infosec people can bring to bear. And one of the most important things is that data governance can help us to identify data risk, can help us locate sensitive data, and it can also enable us to ensure that sensitive data is stored and managed properly and appropriately. And it can also help us to identify the users of sensitive data and ensure that they have consistent data access processes. And also, you know, things like endpoint encryption and multi-factor authentication and all of those sort of protections that we use in the cyber and infosec space can ensure safer access to sensitive data. And the other thing that’s really, really important is identifying who’s using it and finding out if they actually have a legitimate business purpose for accessing sensitive data and discovering the location of data. It’s harder than you would think. And a lot of us now have a lot of risk around our unstructured data.

So the data that is in a database or an application is pretty well understood in most places. But the data that is stored on file systems and other places like that is often not very well understood organizationally and not very well protected quite often. And often that data flows through the enterprise and we don’t know where it goes. And this is where we need to get tools like data loss or data leakage prevention. And this is all needed so that we can actually get people to help mitigate the risk to data. So most organizations would use the 3 lines of defense model to manage their risk. So this is a risk management discipline that looks at ownership, oversight and assurance of the risk management function. So the first line of defense is the functions that own and manage risk.

The second line of defense are the functions that specialize in risk management and compliance. And then the third line of defense are the functions that provide independent assurance and internal audit. And one of the challenges we’ve got now with the first line of defence is that a lot of times business people are being asked to take on management of a risk that they don’t understand, a technology or a technical risk that they don’t have a clear understanding of the implications, especially when they accept risk. And increasingly, we’re going to need to ensure that we actually have cyber, information security, privacy, and data and information governance running across all 3 lines of defense, because the risk is getting too hard for normal people to understand, especially in the AI space. As it’s emerging, we’re seeing a whole lot of new and interesting risks. So I think this is a really interesting area to keep an eye on, but I would say that normal managers are going to increasingly find that they will not be able to properly assess and understand the risk that they’re taking, especially in respect of AI. So what can we do to protect our data? So there are these 10 things that I think every organization needs to do. So the first thing is understand which data assets need protection.

So it means that you need to have a data classification standard, means that you need to understand how you ascertain a data asset is precious. The second thing is we need to encrypt important data. And sometimes in databases, it’s actually really hard to encrypt data. You think it’s easy, but it’s not because you take a performance hit when you encrypt. So you might choose to encrypt the overall instance that the database lives on, or you might choose to encrypt the database. But increasingly we’re going to be starting to think that, no, encrypting an entire database is a bit of an overkill because you really do take a big performance hit. And we’re going to start encrypting individual fields. And that means we’re going to actually have to know what fields are important so that we can do that kind of thing.

Then the third thing is user awareness training. Now I’m not a big fan of training being the answer to everything, but users are our weakest link and they need to understand the risks that they’re dealing with. And training is often the only way that we can make that happen. The fourth thing is really going back to your information lifecycle and ensuring that you’re storing only that data which is necessary. So every time we’re storing data we need to ask ourselves if we need to store it, because if we don’t it just adds so much risk to the organization. Number 5 is kind of a technical thing which is closing any unnecessary open ports. Open ports are an external vulnerability and if you leave them open, you open yourself up to unacceptable risk. So get your IT folks to go and see what ports are open and close the ones they don’t need.

The sixth thing, and these are in no particular order, the sixth thing I think is multi-factor authentication. As I said, the bad guys keep escalating, we keep escalating, but multi-factor authentication reduces your attack surface as an organization quite considerably, and is probably the single most important thing you can do. And number 7 is again a very technical one, but review your network segmentation. If your network is designed so that people can’t traverse across it, that is a great protection. And it’s probably worth looking at that together with privileged access management. And then the eighth thing I think is improving email security. So you can implement things like Sender Policy Framework; DomainKeys Identified Mail; and Domain-based Message Automation, Authentication, Reporting, and Conformance that will really help to protect email. So that’s SPF, DKIM and DMARC if you like your acronyms.

So there are 3 things that you can really do that’ll improve your email security. And again, they’re very technical, your IT folks need to be doing this. One thing that the business can do is ensure that they have regular access reviews for users. And this is particularly important when people stay at the organization for a long time and have a lot of jobs and aggregate access as they go and never lose old access. So that’s an important thing to be kind of picking up on because if those people who’ve aggregated a lot of access over the years get breached and their credentials are breached, then that’s a real risk to the organization. And number 10 is a particular bugbear of mine, a proper patching schedule. So a lot of organizations do patching projects where they patch and then they don’t patch for a couple of years. You need to be patching.

Some of the biggest data breaches in history have been because somebody didn’t apply a patch to a known vulnerability. So getting your patching done, this is operating system as well as application level patching, get a schedule and make it part of your practice because it will be so much better for the organization if you do that. So what I’ve learned so far is it’s really important to methodically build up defensive layers. Don’t just leave it to one layer, have multi-layers. Defense in depth is a real and sensible thing. The other thing is the power of incremental change. If you do one thing better every day, we work about 220 days per year. So if we do one thing better per day, then that is 220 things that have been improved.

Times that by the number of people in your organization, that’s an awful lot of incremental improvement. The other thing is that if we accept that data is an asset, then it needs to be managed and it needs to be managed sensibly and pragmatically, but it needs to be managed with a security lens. The other thing is that data security is a team effort and it needs everyone to work collaboratively. There is no single person in the organisation, no single business unit who knows how to make sure that the data is protected. It’s a team sport. And data protection is a journey, not a destination. I often say it, but it is true. It’s like painting the Harbour Bridge, once you finish painting you’ve got to start painting again.

So it’s an ongoing effort and it’s important, that’s why it’s important to make it a team sport too, because otherwise you’ll get very tired of it.

That’s all for now, hope you’ll join me again next time. Thank you very much for listening.

1 thought on “Thinking about data protection – Kate Carruthers – S1.4”

  1. Great episode 🙂

    With the prevalence of workloads running on public cloud platforms, something to add to your checklist is: make sure you learn about what security, governance and configuration services your provider has on offer (quite often as a free value-add) and make sure you’re both using them and you’ve invested in people who know how to use them effectively.

    Microsoft, AWS and Google have invested billions into security R&D, so if your company is making use of their platforms, it makes sense to take advantage of that research and the products it underpins. This doesn’t mean you have to relinquish control (or accountability) – think of it as yet another few layers between your data and systems and external bad actors.
