Legislation and regulations regarding privacy protection and data integrity are increasing, while control decreases. Some facts: over 6 million LinkedIn passwords were published by Russian hackers. The New York Times and Wall Street Journal reported infiltration by Chinese hackers ‘with the apparent objective of monitoring reporting about China’. Her Majesty’s Revenue and Customs in England lost the bank details of 25 million child support recipients. Iranian hackers targeted Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, BB&T, HSBC and Fifth Third Bank. Sony saw its intellectual property in games leak out of the company in an attack affecting 77 million users of the PlayStation Network. There are many more examples. While the data flow through your organization is growing year-on-year, the options for protecting your intellectual property become more limited all the time. Cyber criminals continue to find new ways to gain access to your valuable Big Data.
Not blind but not seeing…
Your organization has to comply with an increasing number of legal requirements, for example the provisions of the Data Protection Directives, the Private Data Protection Council and Solvency II. You must be compliant. Even more importantly, you will probably want to close the digital gap for other reasons. You could incur extreme damage to your reputation, lose sales or suddenly be confronted with the last phase of your organization’s life cycle. Don’t think that this is unrealistic. At the same time, we detect extensive unawareness regarding intellectual property security. We are not blind, but we are not seeing. Research shows that 22 percent of financial companies ‘do not know’ whether a data leak has occurred in the past three years. In spite of managing the sensitive, personal details of millions of customers, 41 percent of financial institutions indicate that they have no verification program to measure the effectiveness of their information risk management strategy. And a very worrying 42 percent do not in any way measure the performance of the persons responsible for information risk management, data protection or data recovery.
Can it actually be controlled at all?
You monitor your network 24 hours per day, 7 days per week. You comply with legal requirements. You think you are just fine. But does all this help to actually close the gap? No. It doesn’t. Data integrity is more than ICT and compliance alone, and a rule does not prevent an incident. A demonstrable data integrity system is primarily a control framework with prevention as its number one priority. This framework, the infrastructure, is logically created by a multidisciplinary team of legal, internal audit, compliance, ICT, security and data user representatives.
Incident management is a continuous process, with ‘damage control’ as its ultimate conclusion. It is designed to limit losses if an incident happens in spite of all measures. Swift action is crucial in this respect. The best chance of controlling cyber crime risks, and therefore of complying with the legal requirements in this context, is to embed it in your organization’s genes, for prevention, detection and damage control alike. Involving a multidisciplinary team of legal, compliance, ICT, security and data user representatives is indispensable.
This is how you could transform yourself from a sitting duck to an armed tiger.
We will dedicate Dialogue Sessions in English to this topic from April 25th 2013.