If the future of commerce is online, then the future of loss prevention is online too. This is not a topic you can dodge, but the good news is that it’s not as difficult a topic to comprehend as you might fear.
Your digital assets are no different from any other asset in loss prevention terms—they sit somewhere physically, they are appealing to both outsiders and corrupted insiders, they are portable and resellable, and their loss will damage your business.
The concepts of threat and risk assessments, business impact analysis, control frameworks, and the “onion of security” all apply to information security as they do in equal measure to loss prevention. Once you overcome the mental hurdles thrown up by the arcane language of IT systems engineers, you’ll find that you have more in common than you realized.
More importantly, you will often find that your experiences can bring value to the mix. It is rare to find commercial IT teams that fully comprehend the mindset and inventiveness of the acquisitive criminal. This is the reason high-tech firms full of brilliant technocrats continue to suffer the most appalling data breaches.
A short list of things to do to limit your data breach liability is usually helpful, but it is rare to see any form of practical day-to-day advice in any regulatory guidance.
What follows is a top-level list of some key steps every organization should have already taken. There’s enough here to keep most companies busy for quite some time, either designing, implementing, or auditing their controls.
Inventory. If you return home after a night out to find your front door open and the wall safe breached, you won’t be able to do much about it unless you know what was in the safe. The first step in any loss prevention program is to find out what you have that’s of value to thieves. Precisely the same requirement applies to information security: what data do you hold, and where is it? It might be on-site, held by third parties, in the cloud, on portable devices, or elsewhere. It doesn’t matter where it is. All this data is yours, and it needs to be protected from loss.
Appeal and Impact. Returning to the home analogy, what determines your immediate gut reaction to the sight of the wall safe door hanging from one hinge will be the appeal to a criminal of the safe’s contents combined with the impact on you of their loss. “Did they take my passport?” you may ask yourself as you approach the safe. “Or my partner’s family heirlooms?” This is precisely the paradigm in which you should think about the data entrusted to your business or generated by it. Who would want it, why, how badly, and what’s the impact of its exposure or loss? Only by conducting this exercise can you begin to plan sensibly or to evaluate the planning carried out by others.
Horizon Scanning. Anyone can conduct horizon scanning. You don’t need to be an expert. In this regard, Google is your friend. Search for news articles and subscribe to free publications like LP Magazine. This will be sufficient to keep you up to date and aware of emerging threats.
Risk Assessment. Probability and impact, or whatever terms are currently in vogue—need I say more? Apply common sense and your loss prevention experience to determine your data breach liability, and you will be as well positioned as anyone to assess the key risks to your data assets, be they internal, external, or accidental.
Vulnerability Testing. You can do this with internal resources or hire penetration testers, but demonstrating actual vulnerabilities and then mapping them against your inventory, risk assessment, and business impact analyses can be a very effective way to get the message across and secure budget.
Employee Awareness. Education, education, education. Your team members are 80 per cent of the solution. Don’t patronize them; upskill them. You may be surprised by how quickly they grasp technical themes. Bring them on board; information security is actually an exciting topic as well as a future career path for some in your audience.
Data Segmentation. You probably don’t leave your wallet beside the front door and lock away your fridge when you go to bed. You prioritize and segment your assets, treating the most sensitive with greater care than the rest. Apply this same thinking to your data, and the battle is half won.
Hash and Salt. This will require some further reading on your part, but if your organization still relies on a username and password system, find out how passwords are hashed and whether they are “salted.” Hashing converts a plain-text password into a fixed-length mathematical digest before it is stored in the database; if the passwords are simple, however, those hashes can be reverse engineered once the database is hacked or mislaid. Salting adds a random component to each password before it is hashed, giving even weak passwords an unpredictable element and reducing this risk.
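The following is an added example, not code from the original article, showing the contrast described above and one practical check for the question it raises. It places an unsalted scheme (a bare SHA-256) beside a salted, slow one (PBKDF2-HMAC-SHA256 with a random per-user salt), and includes a simple audit that flags a password table whose stored values repeat, which is a strong sign that no salt is in use. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster

def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare SHA-256 of the password. Equal passwords give equal
    hashes, so one precomputed table of common passwords recovers them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """Stronger scheme: a random per-user salt plus a slow derivation
    (PBKDF2-HMAC-SHA256). Returns (salt, digest); both are stored."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored)

def audit_duplicate_hashes(records: dict) -> list:
    """Audit check for the question the text asks ('are they salted?'): in a
    salted store no two users ever share a stored value, so repeated values
    are a strong sign the passwords are hashed without a salt."""
    counts = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sorted(v for v, n in counts.items() if n > 1)

# Constructed sample: three staff accounts, two of which reuse the same weak password.
SAMPLE_PASSWORDS = {"alice": "Summer2018", "bob": "Summer2018", "carol": "7h!s-1s-L0ng3r"}

def build_unsalted_store() -> dict:
    return {user: unsalted_hash(pw) for user, pw in SAMPLE_PASSWORDS.items()}

def build_salted_store() -> dict:
    store = {}
    for user, pw in SAMPLE_PASSWORDS.items():
        salt, digest = salted_hash(pw)
        store[user] = salt.hex() + "$" + digest.hex()  # salt kept alongside the digest
    return store

if __name__ == "__main__":
    print("unsalted duplicates:", audit_duplicate_hashes(build_unsalted_store()))
    print("salted duplicates:  ", audit_duplicate_hashes(build_salted_store()))
```

Running the audit against an export of your own password table is the quickest way to answer the “are they salted?” question without reading application code.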
Encryption. Ideally, you should already have full disk encryption in place across the board. If not, why not?
Authentication. Basic username and password security is broken. It’s essentially dead. Read up on multifactor authentication.
Perimeter Security. This phrase will give you that warm and fuzzy feeling. Securing the cyber-perimeter involves digital fencing, lighting, alarms, and guards. Are they all present and correct?
Data Breach Liability Protection and Common Sense
Common sense rarely applies because our systems of incentives rarely reward it; witness every bubble in financial history and every banking crisis. Common sense would see regulators collaborating to develop global standards, not regional ones. It would see the definition of security benchmarks and an international testing and auditing body with powers to ban products, fine the companies behind them, and blacklist directors worldwide.
Common sense would recognize that efforts expended on developing regulations that cannot be effectively policed and enforced are efforts expended in vain.
Common sense would inform us that in a globalized economy, regional regulatory frameworks are akin to squeezing a balloon; squeeze it here, and it simply sticks out over there. You must squeeze the whole balloon at the same time or, better still, burst it. So only a global, common-sense set of regulatory solutions will ever work effectively for us. Having said that, it may be too late.
This post was excerpted from “GDPR, Big Data, and the Internet of Things,” which was originally published in LP Magazine Europe in 2017. This excerpt was updated August 7, 2018.