Data Protection in Conversation: Covertix and Koolspan Leaders Discuss Information Security
Big data isn’t just an issue with data analysis. How do we protect the volume of data we create in documents every day? SMS? Voice?
Yoran Sirkis: The only way to cope with the immense volumes of data we create – individually, within applications, internally, externally – is to implement mechanisms that work in synch to control, classify, and protect our information – be it by using crawlers, automatic classification systems, etc., within applications, business flow, the network, cloud, mobile – everywhere our data may be.
Nigel Jones: Threats are always changing and growing: organized cybercrime, corporate espionage, hacktivists and foreign governments. The proliferation of attack surfaces and vectors poses significant risk to mobile communications and other data. I recommend securing sensitive mobile communications, including voice and text – ensuring intercepted communications cannot be accessed.
How critical is the role of classification in data protection?
YS: You must understand what data needs protection and what doesn’t, but managing the classification is where it gets hard. Just plain content analysis might reveal false positives, false negatives, and many errors. Here are some classification methods that complement some businesses.
- Basic classification of the usual suspects: Files with credit card numbers and social security numbers, etc., that can automatically be classified.
- Manual classification by end users: When you come across files that don’t fall under obvious classifications, let the end users classify them, either by having them select from predefined categories or build their own. Crowd-sourcing is going to become increasingly important when it comes to data classification.
NJ: It’s nearly impossible to protect all your data. Therefore, it’s critical to classify data to ensure resources are properly allocated for protection. For example, many U.S. organizations don’t necessarily classify sensitive communications as high priority, and resources are invested elsewhere. However, when those same companies send their executives overseas, their communications become extremely sensitive and a very high priority because they are vulnerable to foreign governments. Many U.S. organizations invest in secure mobile communications exclusively for executives travelling overseas.
What data do you think should get the highest priority for protection – and why?
YS: It depends on the company. High-priority data means different things to different organizations. For some, it will be protecting clients’ personal and financial information, for others, intellectual property. Protection has two meanings – understanding the threat and actual encryption/control/protection. Both need to work in tandem: If you want/have information that could hurt the organization or pose a threat to customers, you need to address this ASAP. Track it. Understand where it is. Be in control. Data on the cloud is more critical and accounts for more risks, as it goes out of your organization and travels all over the place. At the end of the day, it’s damages we have to protect against.
The quest for privacy – achievable? Or mission impossible?
YS: People should be aware of the information they have and are putting on the cloud. Data on cloud applications is exposed to the vendor at the very least. Sharing data with your board, employees, or customers provides them with better service, but make sure you’re sharing this information securely. For example, data shared via email or fax is neither encrypted nor protected. Also, banks sending financial statements should go the extra mile – securely delivering them to the customers’ premises and continuing to protect them at the customers’ location.
NJ: Today, the quest for privacy is elusive. Achieving complete privacy means 1) not using mobile apps such as navigation or travel apps, 2) not going into social media, and 3) remaining cognizant of the way Internet searches are performed and how clients use email. Therefore, it’s critical to audit and classify your data and focus on the sensitive data to ensure it remains private.
How expensive is it to protect “everything”?
YS: At the end of the day, it is a matter of value – what’s cost effective? Start with this: What is the value of information? What are you willing to pay to protect this value? Data security changes to some degree based on how we consume our sensitive information. You don’t want everything wrapped into the price of buying software, the price each person needs to pay for usability/ease of use if everything is totally encrypted.
You don’t need to protect everything – just the sensitive information that enables you to retain control of your life or business. Vendors need to work together to provide a way of sharing sensitive info – one that will allow different vendors to provide high levels of security while reducing the costs of ownership for all customers. If vendors can communicate with each other with protected data, then everyone will pay less.
The other factor that you have to consider in terms of what’s cost effective is the doomsday scenarios – if your critical data is accessed, the damage to your reputation, loss of customers, plus the fines that corporations could incur suddenly make even the most expensive protection seem cost effective.
NJ: It’s less a matter of cost and more a matter of inconvenience. In the digital world we live in today, securing everything means “living off the grid.” From my perspective, it is critical to determine the data and communications that are sensitive and focus on those, ensuring they are completely protected.