In the past it was much easier to ‘see’ information: it was on a server or in a corporate data centre. But now data is escaping beyond business walls: it is out on the cloud, on employees' tablets and mobiles as well as other connected devices.
Visualising and securing data in this changing landscape is becoming an increasingly complex task. As a result, many firms are failing to adequately protect their assets, leading to a rapid increase in the number of data breaches suffered. Sony Pictures Entertainment, TalkTalk, and Ashley Madison are just a few companies that have fallen prey to major data losses over the last year.
Organisations are losing control of their data because they are failing to manage it correctly, says James Henry, UK southern region manager at Auriga Consulting. It is therefore important to assess the risks first, separating the realistic threats from the hype.
Although it can actually be more secure than on-site storage, cloud is still an area of concern for many businesses. If implemented using public internet connections without a virtual private network (VPN), the technology can introduce a big risk, according to Luke Beeson, vice president, Security UK and Global Banking and Financial Markets at BT. But there are ways of adopting the technology that are secure, he says – and using a reputable cloud hosting provider such as Amazon or Microsoft will help.
Even so, firms should approach cloud with their eyes open. Outsourcing gives companies very little control over how providers run their own security, says Stuart Facey, VP EMEA at Bomgar. He warns: “External access is typically provided using a VPN connection and little else to manage and control the activity. VPNs give you the connectivity but can also be exploited by cyber-criminals as a piggy-back mechanism to gain access to the network.”
Therefore, he says: “Tracking and managing what third parties can do on the corporate network is essential.”
Another problem with cloud is jurisdiction: firms often do not know where their data is being kept, which can raise data protection issues. According to Hugh Boyes, cyber-security expert from the Institution of Engineering and Technology (IET): “What people don't appreciate with the cloud is, it's a series of layers: software providing the app or service; under that you might have platform-as-a-service such as Amazon; then you might be buying in storage-as-a-service from another cloud company. So you might have a number of people dealing with your data in multiple jurisdictions.”
Businesses should therefore consider how they will be handling this, says Boyes. “It will cause a lot of interesting questions to be asked of service providers – and the problem becomes particularly acute when we start getting data breaches. If it turns out data was stored in a non-compliant location, you are not only facing the wrath of users, but data protection regulators might come down on you.”
Data protection regulation goes even further than cloud. The legal change that will come in when regulation is updated – expected to be approved in 2016 – will also oblige companies to report breaches, explains Marc Dautlich, partner at law firm Pinsent Masons.
Dautlich thinks businesses are “woefully unprepared” for this. “When you start working with a client that's been affected by a breach, things happen quickly. We get asked: should we notify the Information Commissioner's Office (ICO)? But the ICO will ask the business to relay the facts from the breach and often, companies are unable to do this properly. You may need third party forensics to help establish what's happened. Companies need to preserve evidence, not destroy it – but many aren't aware of this.”
Also, it is hard to identify what defines an ‘incident’, Dautlich points out. “Every company will generate thousands of logs. Also, a very significant proportion of business is outsourced so companies may be reliant on the service provider to tell them when there's a problem.”
Adding to this, data protection regulation emphasises that whether organisations use a third party provider or not, they are still the data owner. “This is spelt out in the Data Protection Act,” says Henry. “Personal data can be stored where you like, but if a third party makes a mistake, it comes back to you.”
Therefore, Henry advises: “Whether you keep data in-house or give it to third parties, you need to make sure that policies are geared around that. It needs to be wrapped into contracts and SLAs.”