Your company has lost sensitive customer data. When do you find out: immediately or within the next 24 hours, the next time you make use of that data, during annual check-ups, or perhaps never?
This is not a problem that only affects other people - according to the 2013 Information Security Breaches Survey, published in April by the Department for Business Innovation and Skills, 93 per cent of large organisations and 87 per cent of small businesses had a security breach last year.
When your security is breached, whether by an outsider or a member of staff, it is rarely out of casual interest. Attacks are sometimes motivated by malice and lead to a denial-of-service, but many have a more criminal intention - to steal valuable personal information that can be sold or used for fraud, identity theft and more.
If it is your customers who suffer as a result, you need to be ready. That means having a plan to guide the organisation from beginning to end of such an incident. For many companies, protecting data begins and ends with intrusion monitoring - in effect, having police officers to patrol your boundaries. If somebody gets through the firewall or accesses data to which they have no rights, an automated report is generated and the relevant security executive alerted.
That’s great for triggering a response, such as fixing a technical vulnerability. It may also be the only way to meet the requirement being proposed in the new Data Protection Regulation to notify both the regulator and the affected data subjects of a breach within 24 hours.
Now suppose that the data loss is not the result of such an intrusion. It may be that an employee with legitimate access has copied customer records and sold them. That’s what happened to T-Mobile several years ago. Or data which has been sent to archive gets mislaid when the physical storage medium is moved from one location to another. That’s what happened to Zurich Insurance, which in 2010 was fined £2,275,000 by the FSA over such a loss.
Controls need to be in place which regularly check where data assets currently sit and who is using them. These would have helped Zurich discover its data loss much earlier - one of the main reasons for the size of the fine was how long the company took to identify what had happened.
For live customer data, tracking how it is being used is critical - this is like having a detective who looks into any reports of misuse. One effective measure is data seeding: inserting specially created names and addresses, controlled by the organisation, into each file so that any communication sent to that set of records also arrives at the seed. Checking what arrives at the seed addresses against what was authorised will quickly reveal whether the data has been stolen or hijacked in some way. That gives the organisation a heads-up which can trigger remedial measures.
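The following is an added illustration of the seeding idea, not code from the original article or from any seeding service. It assumes a hypothetical design in which each extract of customer data gets its own seed records (so a piece of mail arriving at a seed address can be traced back to the copy it was planted in), an authorisation register records which campaigns may use which extract and when, and anything arriving at a seed address outside that register is raised as an alert. All names, extract IDs, campaign names and "received" items are constructed for the example.

```python
"""Seed-record (honeytoken) monitoring for customer data extracts.

Added example: not taken from the article. Extract IDs, campaign names,
seed addresses and the received mail below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class Seed:
    extract_id: str   # which copy of the data this seed was planted in
    name: str
    address: str      # address the organisation controls and monitors


@dataclass(frozen=True)
class Authorisation:
    extract_id: str   # which extract a campaign may use
    campaign: str
    start: date
    end: date


def make_seeds(extract_id: str, count: int, secret: bytes) -> list:
    """Generate deterministic but unguessable seed records for one extract.

    The address carries a short keyed hash of (extract, index), so the same
    key recreates the seeds and an attacker cannot spot them by pattern.
    """
    seeds = []
    for i in range(count):
        tag = hashlib.blake2b(f"{extract_id}:{i}".encode(),
                              key=secret, digest_size=4).hexdigest()
        seeds.append(Seed(extract_id, f"Seed Holder {i}", f"{tag}@seed.example.com"))
    return seeds


def index_seeds(seeds) -> dict:
    """Map seed address -> Seed for fast lookup of incoming mail."""
    return {s.address: s for s in seeds}


def check_received(received, seed_index, authorisations) -> list:
    """Compare mail received at seed addresses against the authorisation register.

    received: iterable of (recipient_address, campaign_ref, received_on).
    Returns one alert dict per communication that no authorisation covers.
    Mail to non-seed addresses is ignored; authorised mail produces nothing.
    """
    alerts = []
    for recipient, campaign, received_on in received:
        seed = seed_index.get(recipient)
        if seed is None:
            continue
        authorised = any(
            a.extract_id == seed.extract_id and a.campaign == campaign
            and a.start <= received_on <= a.end
            for a in authorisations)
        if not authorised:
            alerts.append({"extract_id": seed.extract_id, "campaign": campaign,
                           "recipient": recipient, "received_on": received_on})
    return alerts


# Constructed data: two extracts, only one of which is authorised for any mailing.
SECRET = b"constructed-example-key"
SEEDS = (make_seeds("EXTRACT-2013-04-MARKETING", 3, SECRET)
         + make_seeds("EXTRACT-2013-03-ARCHIVE", 3, SECRET))
SEED_INDEX = index_seeds(SEEDS)
AUTHORISATIONS = [
    Authorisation("EXTRACT-2013-04-MARKETING", "spring-offer",
                  date(2013, 4, 1), date(2013, 4, 30)),
]
RECEIVED = [
    (SEEDS[0].address, "spring-offer", date(2013, 4, 10)),          # authorised
    (SEEDS[1].address, "cheap-loans-now", date(2013, 5, 2)),        # unknown sender
    (SEEDS[4].address, "spring-offer", date(2013, 4, 12)),          # archive copy leaked
    ("real.customer@example.com", "spring-offer", date(2013, 4, 10)),  # not a seed
]


def run_example() -> list:
    """Run the check over the constructed inbox; returns two alerts."""
    return check_received(RECEIVED, SEED_INDEX, AUTHORISATIONS)


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALERT extract={alert['extract_id']} campaign={alert['campaign']} "
              f"seed={alert['recipient']} on {alert['received_on']}")
```

The third received item is the one worth noticing: a campaign that is itself authorised, but using an archived copy that was never released to it. Per-extract seeds are what make that distinction visible; a single shared seed record would only tell you that some copy had leaked.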
There is another benefit of using a seeding service in this way. One of the factors which regulators take into account when assessing a breach is the nature of the data governance programme in place at the affected company. Demonstrating that data is being monitored - from firewall checks through to seeding - is a good way to show that the business has been trying to protect its assets.
No security system can ever be 100 per cent secure. Having a way to identify when there has been a breach and data is being used in an unauthorised fashion gives you a detective to work alongside your frontline police force.