Our expert panel ponders the varying demands of data: preventing its loss, but not retaining it so long the ICO gets antsy.
Paul Fisher, editor, SC Magazine
Data loss is hardly new, is it? In fact, you could argue that data loss prevention is really what information security is fundamentally about. Maybe we should be asking: has it got worse recently? Has it become more difficult to control? Or is the risk the same as it was ten years ago and are vendors just exaggerating the threat?
Mark Logsdon, deputy head, Barclays IRM
That's the point, isn't it? We don't really know. How much do we know for sure is leaking out? Is it a larger risk than somebody not keying information into a database, a customer record, whatever it might be? Is it a larger risk than that?
Andrew Yeomans, Jericho Forum/Commerzbank
Much of the risk is reputational risk and trying to quantify how much it is worth is a significant challenge for the information security profession. It could be anything from the whole value of the company to just a few pence, or somewhere in between. Instances where trade secrets have been taken out are possibly quantified a bit more in what types of risks there may be.
Mark Logsdon I am unclear as to where the evidence is to say that a brand has been seriously damaged as a consequence of data loss. I am not saying there is none, I am just trying to get a handle on how large a risk it actually is.
Martyn Croft, CIO, The Salvation Army
Perhaps we have not been able to put a value on data. It would be great to be able to say, ‘Here is the value of this data' – but we don't do that. We just treat data as data.
Mark Logsdon Rather than value, a better way of thinking of it would be impact of loss. This pretty much drives the Government-sponsored protective marking schemes. Maybe that's one way of doing it, rather than putting pounds and pence on it: use impact of loss.
Andrew Yeomans Also, the concept of labelling data may work in some businesses, where the level of confidentiality stays fairly constant, but in other areas data has an extremely short shelf-life.
Nick Harwood, head of security and governance, Royal London
Where I used to work, everybody was responsible for their data and for the privacy marking of it. There is a wide industry to challenge people as to the privacy marking they have set, because of the cost of storage and the fact you cannot share the information. Of course, information is there to be shared around the company. Then, if you are given something you cannot share, that you cannot talk to your team or manager about, there is a constant battle as to whether to increase or reduce the privacy marking.
Paul Fisher Was each employee allowed to do that? It sounds like a nightmare.
Nick Harwood Each owner of data was, yes. If I wanted to do a study and produced a document, I would decide the privacy marking. And the storage costs were huge, which was why people started to challenge.
Martyn Croft There is a concept I wish I could claim was my idea. Somebody introduced the idea of a ‘toxic data leak'. I thought that was a nice way to say, ‘We have a data leak. Do I care? Not really' – as against: ‘I have a toxic data leak. It is going to do me some harm for whatever reason.' Maybe we should classify the data not as confidential or top secret, but as toxic or potentially toxic.
Nick Harwood Are there not conflicts as well? I work in a regulated industry where the regulator says I have to keep information for more than seven years after the end of the policy or even some information that you never destroy. And then I have the Information Commissioner's Office (ICO) half a mile away from where I sit, which is challenging why I am not destroying data more quickly, because once you have made the sale, there is no need to keep that data any longer. When you come to your retention policies, you have your privacy markings and time is important, but how does a business decide what it can and cannot keep, given that they have conflicting requirements from legislation and regulation?
Darren Johnston, account director, 2e2
Does not a large part of it come down to culture? What about training individuals in the organisation? Look at the military. It has had data losses, but in terms of the volume and sensitivity of the information it has, it was not significant. It has a system that works, broadly, and the culture within the military is very much that restricted information is restricted information.
They know what they can and cannot do with that confidential, secret and other information. Its culture is a healthy one around protection of information, I would say.
Mark Logsdon I understand completely what you are saying, but the point is: how many years does it take to build up that culture? The answer is: a lot.
Nick Harwood That is my point. It cannot start straightaway. I do not think it does. It goes back decades, maybe even hundreds of years, potentially.
Caroline Ikomi, technical director, Check Point
What is the cost of doing that? There is a very, very high cost of having that level of control, and most organisations do not value their data to that level.
Andrew Yeomans It is not even that cost. The cases of people being taken out by ‘friendly fire' are fundamentally a lack of data-sharing. If people have not told these colleagues that they are actually on the same side, because they have not been able to share the data with the hierarchy, well that's a major cost.
Sonney Lalwani, head of risk EMEA, Credit Suisse
There is your value. Every individual in the military knows that the loss of life is the cost you pay for that data going missing.
Paul Fisher That's the military, but does the impact of data loss vary from sector to sector? Martyn, are there aspects of your sector – simply because people think you are a charity and should behave better? ‘I am giving you my money and you cannot look after it,' for example?
Martyn Croft That is a problem for the whole of the charity sector, because you do not see much for your money. If you shop on the Amazon website, for example, you put in your credit card and expect to receive some goods at some point in return for that. To complete the loop, there is fulfilment there. For a charity, you give us your credit card number and think we are going to do something good with it. Increasingly, you find supporters phoning charities and asking what they have done with their money, in a proper way. ‘I gave you £50. What was it spent on?'
It is unique that, in charities, when you gift money or leave legacies, you can specify that it is only to be used for that purpose. That is a double-edged sword because, if you are a little short for one project and have a stack of money for something else, you cannot spend that money on it. If you go back to the point about the military, the price is someone's life. For people in the third sector, the price of keeping information safe is often somebody's wellbeing. Yet the resource they have is completely disproportionate. Today, we are launching our mentoring scheme for the Charities Security Forum, just to spread some of that expertise around for the small charities that do not have security. It is incumbent on all of us to share that expertise around.
Nick Harwood Do people not treat information as though it were their own? You are asked: how do I look after my laptop? Imagine something this size, worth £500, important to you, the loss of which would cause you grief: what would you do? Lock it away – and that is what you should do. It is the same with information. You treat it as though it was your own information.
Martyn Croft It is, but the cynical side of me says that we have a whole pile of IS awareness to tackle in the general population, let alone at work, because all the requests that we see about emails that are obviously scams, spams and sales emails show that people who should know better cannot differentiate.
Darren Johnston That is a good point. My daughter is of the new generation. She is 22, but 22-year-olds are not as old as they were when I was 22. She is completely of the Facebook era. That is the way they live their lives and she is oblivious to security. She has just bought an iPhone 4. I said, ‘When you are buying it, ask them about security on it'. Her answer was, ‘Yeah, whatever'.
Martyn Croft I said it before and I say it again, we brought this upon ourselves. We do not differentiate between consumer computing and corporate computing. You are using the same PC at work with the same operating system and same applications as you do at home, so how do you tell the difference?
Sonney Lalwani The new generation are probably smarter than we give them credit for, because, as you said, they post their whole lives on the internet.
Paul Fisher If your daughter does not care, and she is representative of most, maybe we just have to accept that. They just do not care. They see security as something boring and as getting in the way of what they want to do.
Andrew Yeomans I am not saying users do not care, but there are certain expectations of what is going to be done with the data. Something where you share among your friends and Facebook or whatever means facilitates that, it seems reasonable. If the information was trawled for marketing information and you receive a lot of targeted advertising all the time, it might be less acceptable. If you are being asked by a supposedly reputable financial institution all these pieces of information such as date of birth and so on, they may question whether that is appropriate.
Paul Fisher There is a vast amount of inconsistency in what we share and how we share, even within organisations. Printers are forgotten generally – yet look how much sensitive data is sent to and left lying around the printer.
Caroline Ikomi The problem you have is: what are they sharing? If they are sharing, you are losing your information or data. Giving people – and letting them take – responsibility is fine. However, then, you need to be looking at the data they are sharing, particularly on something that is very open.
Andrew Yeomans You start having to think, ‘What is the job function of this person?' Is it going to matter if their personal machine is compromised, or is it not going to matter?
Martyn Croft It is in the right direction to remove this de facto habit that says we copy data. We are besotted with copying data all over the place. ‘I will copy it onto CD.' ‘I will send you an attachment to an email.' Why? It is quite happy on the database or server. Leave it be. You can have access to it, if you need it.
Caroline Ikomi We have just bought a technology as a company that is not implementation, but a technology idea where, if you were to remove data, you attach the security policy to the data. If that data moves format, say from Word to email, or an extract of it moves and you put the percentages in, the security level you are left with goes with it. Therefore, it does not matter where it goes, its security or value is retained. It is sent out of the organisation, but people cannot modify or change it. It is about taking control. We have not done anything with it yet.
Andrew Yeomans It is going to be a challenge to make much of that work, and try to put something on the endpoints. My gut feeling is, in the longer-term view, talking five or ten years, the cloud will help us do this because we will end up with centralised copies of data and it becomes possible to track that because it never will leave the cloud.
Nick Harwood If you are using a data centre, going back to Martyn's point, you should not be copying that data and putting it onto everybody else's servers and PCs. We have one copy of the data. It is the master copy. It resides on the central mainframe server.
Darren Johnston Going back to copying it versus having it in a central location and access, does that not suppose that there is always a link to the centre? I do an awful lot on the train, where I can occasionally have internet access, but I do a lot of my work – four hours today – on the train and I will not have access. There needs to be some mechanism to facilitate that access.
Nick Harwood Faced with your four hours and working on the train, dare I assume that you are then careful as to what you have on your laptop and careful with what you do with your laptop and security controls around your laptop?
Darren Johnston I am fairly aware, obviously, but I am fairly casual with it because it is encrypted.
Nick Harwood Therefore, you have controls around it, yes?
Darren Johnston Yes, but personally, that concern is taken away from me. I am unable to do my job otherwise.
Sonney Lalwani All of this assumes that there is generally going to be one master golden record. When you take enough off that data centre, well protected, put it on your laptop, work on a train, modify it, you may not necessarily sync it back, put it back deliberately, because it has turned into something else.
Andrew Yeomans You need very skilled people to put things out there and we've got those. When we have those, they do really wonderful things with it.
Mark Logsdon Here is a radical thought. Maybe that is one of the ways around data loss. You do not send out the whole document. Like many unopened insurance deals or what have you, you only send out small parts, which people then work on wherever they might be. If that is lost on its own, so what?