Balance your Technology Risks and Rewards
Ask the right questions when considering IT, cloud and mobile computing
Cloud storage offers a number of ready-made solutions for businesses storing and sharing large amounts of data. But prior to adoption, the right questions need to be asked, such as: Where (geographically) is our data being stored? If it’s not within the European Economic Area, there are implications under the applicable data protection legislation. For example, in the United Kingdom, the Data Protection Act 1998 applies.
In any case, you must by law have proper contractual arrangements to ensure that the third party hosting your data is implementing appropriate security controls. For which other organisations is your cloud provider hosting data in the same cloud? Is the cloud a mixture of "public" and "private" for your organisation or for other users? From where is the provider intending its own staff should access the cloud for maintenance, within Europe or outside? A recent study by the consultancy Context revealed that the above data security risks were not mitigated by many of the leading cloud solution providers.
Examine any cloud contract to see what guarantee it gives for data availability. Even 99.9% availability means around 9 hours of problems per year! For businesses working nights, weekends and public holidays, one idea may be to customise the defined "peak time" to avoid business interruptions.
Test your outsourced service partner’s or third party processor’s controls
When formulating contingency plans regarding data loss, organisations often rely on the contractual assurances or policies provided by third parties such as data processors, outsourcers or other suppliers. The latest high-profile example shows that organisations are often more vulnerable through breaches at their third parties: Announced in February 2012, up to 1.5 million Visa and Mastercard records were compromised because of a breach at their payment processor. But data security breaches are rarely straightforward loopholes to be closed. At the time of writing, Visa’s continuing investigations have revealed the breach could have occurred as early as June 2011 – nine months before the announcement.
Another worry is that good IT governance is often not extended, monitored or tested throughout the supply chain. According to the influential "Data Breach Report" published by Verizon in late 2011, 67% of breaches were in organisations employing between 11 and 100 people. Often the responsible person examining a third party’s controls assurance report does not possess the technical expertise to assess access control protocols or IT architecture vulnerabilities.
Will your policies, procedures and practices stand up to EU scrutiny?
Into 2013 and beyond, businesses handling data need to prepare for the eventual adoption by all EU member states of the updated EU Directive on Data Protection. This regime will give more power to local regulators, such as requiring mandatory notification within 24 hours of any data breach. The European Commission will also have the right to levy fines of up to 2% of global turnover on companies breaching EU law. Big businesses, such as Google, have indicated they won’t give up without a fight. Not all local regulators are excited, though: Speaking at the Information Security Europe conference last month, the UK’s Information Commissioner stated the "last thing [the Information Commissioner’s Office] wants is to be deluged with breach notices".
Emerging technologies need careful consideration
Mobile computing has begun to change, and will continue to change, the way many corporations do business. Many organisations see mobility as a key pillar of their consumer strategy, as well as an opportunity to harness and improve business processes. These range from developing "apps" for consumers’ smartphones to simple improvements such as using tablets to present wealth management options.
Strategy Analytics predict the mobile media business will increase business revenues globally by 50% to $150 million over the next 12 months. A recent report (April 2012) produced jointly by the UK government and the private sector for the Information Security Europe conference estimates that only 39% of data downloaded by staff to tablets and mobile devices is encrypted; and that 82% of all companies studied had suffered security breaches caused by staff.
Mark Child, Partner, Kingston Smith Consulting LLP
+44 (0)20 7566 3731