Data Protection – The Challenges Facing Irish Organisations

Irish Companies are suffering data breaches in record numbers, according to a new survey from The Irish Computer Society (ICS). The survey, conducted among IT administrators in 256 Irish-based companies, revealed that more than half of firms have experienced a data breach in the last 12 months, with 22% suffering multiple breaches.

Over half (51%) of respondents reported the incidence of data breaches in the past year. This is sharply up on the previous 12 months, where just 43% reported a breach.  Furthermore one in three Irish companies’ staff were said not sufficiently aware of data protection issues, with some 40% of staff receiving ‘insufficient’ or ‘no’ data protection training.

The EU Justice Commissioner, Viviane Reding, recently said it was important for EU citizens – particularly teenagers – to be in control of their online identities.  Although several EU countries have found Google’s privacy policy breaks data protection laws, the fines handed out are no deterrent, Commissioner Viviane Reding said at the Digital Life Design conference in Munich.

In France Google was fined €150,000 by data protection authorities, while in Spain the search giant was fined €900,000. Those fines, the maximum allowed, were just “pocket money” to Google, Reding said.

Discussing proposed EU legislation (which when passed will come into immediate effect in Ireland), and its effect on organisations such as Google, she said…

“My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information.”
“Taking Google’s 2012 performance figures, the fine in France represents just 0.0003% of its global turnover,” she said adding that it was hardly a surprise that even two years after the case emerged Google has still not changed its privacy policy.
“Europeans need to get serious,” she said. “If a company has broken the rules and failed to mend its ways, this should have serious consequences.”

Under new data protection laws proposed by Reding, sanctions could be up to two percent of global annual turnover. In the Google case, that would have meant a fine of €731 million.

The commission says that key changes to the 1995 data protection rules include:

  • People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
  • Users will have the right to demand that data about them be deleted if there are no “legitimate grounds” for it to be kept.
  • Organisations must notify the authorities about data breaches as early as possible, “if feasible within 24 hours”.
  • In cases where consent is required organisations must explicitly ask for permission to process data, rather than assume it.
  • Companies with 250 or more employees will have to appoint a data protection officer.

She added that companies responsible for more serious violations could be fined up to 2% of their turnover. The sum is capped at 1m euros for other bodies.

The challenge of managing high volumes of documentation in an organisation is no easy task, and one inflamed by the huge volumes of data that today’s organisations have to manage, where the loss of even one document can have catastrophic consequences. Achieving a working environment where information is captured, stored and shared securely must be a top priority.

Importantly, a confidentiality breach may not always be overt. There are also ‘quieter’ daily risks within a business. For example, sensitive commercial information such as business plans, strategies and financial information may find its way into the hands of competitors, without a business ever being aware.

It is not just the threat of security breaches that keeps European leaders awake at night: 36 per cent of business leaders said errors meant they failed to meet compliance requirements, leaving them vulnerable to heavy financial penalties at a time when the world is experiencing unprecedented financial turbulence. Worse, 30 per cent claimed these errors caused them to lose key employees and a further 25 per cent said it cost them major customers, demonstrating the impact that poor document processes have on organisations and so economies.

Analysts IDC believe that the amount of information that needs to be secured is now growing faster than our ability to secure it. Gartner predict that by 2015, 80% of a projected 650% growth in enterprise data will be unstructured and IDC believe that unstructured data will account for 90% of all data created in the next decade. Unstructured information does not conform to neat data models and spans all forms of content from text to multimedia, making it difficult to manage with traditional business systems and security solutions.
For organisations already saturated with data, the flood of unstructured data arising from the Big Data phenomenon threatens to overwhelm traditional Data Loss Prevention and Archiving solutions and strategies – raising costs and adding risk. IDC’s view is that Big Data will only deliver big value to businesses through the addition of metadata that will tell you which data is needed, when and for what purpose.

Key Challenges

Securing buy-in from senior management

It’s a common IT department complaint that, through lack of investment in Data Protection initiatives, senior management runs the risk of incurring the costs of a potential data breach as opposed to implementing what they view as costly data protection solutions. So how can IT set about convincing the CTO that this is a false economy and that investing strategically in data protection can be the better long-term option? The best way is to show them the potential cost of not doing anything. The most recent reports indicate that the cost (direct and indirect) per data record lost is about €180. Add to that the potential fine of up to €1M and the argument can be compelling.

The Need to classify data held within the organisation

Data classification dates back to the first time someone scrawled “top secret” at the top of a document, and it’s the requisite for all your loss-prevention efforts. If your organization hasn’t identified what information to guard most closely, then how can any technology prevent that information from falling into the wrong hands? The key is to develop a system that has a chance of working.
Information classification is one method of helping users and IT services to understand the context for a piece of information.  Often called categorisation or cataloguing, information classification adds to the content of digital data. This extra information could be the name of the business unit responsible for the document, or the retention period required by policy for this type of email message. In the IT world, information classification data added to documents and email messages is called metadata (“data about data” or “information about information”).

Metadata is used in many diverse situations, from the memo line on cheques to ISBN numbers for books. In everyday conversations, words like “project plan” and “financial data” are used to describe the information that people need to do the business of an organisation. Although there are some terms that are common to many businesses, each organisation has its own way of describing the information that it depends on. In some larger organisations there are even terms that are appropriate for only part of the business. These words and phrases can be thought of as the taxonomy for the information classification.

Using the Right Technologies

Data loss prevention (DLP) is a set of information security tools that is intended to stop users from sending sensitive or critical information outside of the corporate network. Adoption of DLP, variously called data leak prevention, information loss prevention or extrusion prevention is being driven by significant insider threats and by more rigorous state privacy laws, many of which have stringent data protection or access components.

Discover — Find confidential data wherever it is stored, create an inventory of sensitive data, and automatically manage data cleanup.
Monitor — Understand how confidential data is being used whether the user is on or off the corporate network, and gain enterprise visibility.
Protect — Automatically enforce security policies to proactively secure data and prevent confidential data from leaving an organization.
Manage — Define universal policies across the enterprise, remediate and report on incidents, and detect content accurately within one unified platform.

Given that the majority of data leaks are accidental and not malicious, engaging the user in the accurate classification of documents is an appropriate strategy.  Classification engages users in structuring data at its source, enhancing their awareness of information security at the same time as applying the critical metadata. To get users to adopt classification, the challenge is to make it part of the day-to-day routine of every different user community within a business.  This can be accomplished by integrating easy-to-use tools into the office productivity software (MS Office and email) and making classification a mandatory requirement for all new and modified documents.
By adding information classification metadata to documents and email messages, and configuring DLP policy to understand the value of this metadata, an IT organisation can significantly increase the effectiveness of a DLP implementation. Metadata contained in an email message indicating the sensitivity of the content can be recognised by a DLP solution and the correct policy applied based on the user’s intention without guesses based on DLP software algorithms.

One advantage to using an information classification strategy for an organisation’s information assets that might not be obvious is reduced cost during e-discovery procedures. As long as an organisation can credibly state that information has been categorised, the magnitude of an e-discovery process can be limited to the information that is relevant to the issues at hand. Reducing the number of documents and email messages involved directly reduces the cost of an e-discovery exercise.

Training and Awareness for Staff

User awareness is a key to keeping sensitive data safe from online predators. DLP is a process first. The technology is simply an enabler for the automation of the process. The process needs to include education and awareness training and cover human resources, records management and compliance. The objective is to continuously train data owners and data custodians (the employees) on the company policies to reduce instances of non-compliance.

Zinopy is one of Ireland’s leading IT solution and service providers, with an extensive experience in designing, implementing, managing and supporting best-of-breed solutions in the area of Data Security for a wide range of organisations across industries and sectors. In Ireland, Zinopy works in exclusive partnership with Boldon James to address the key task of data classification to enable secure email messaging.

Back