CIO Folder: Data protection is not just about personal stuff
There is a much-quoted saying, usually attributed to Francis Bacon in 1597, that “knowledge is power”.
There are various kinds of knowledge. Some is of value for the advancement of mankind, some is private, some is personal. In today’s world, for ‘knowledge’ read information and its raw digital form, data. Arguably, in IT matters we have only lately come to the full realisation of how true that is. Our preoccupation, at least in the sector itself, has for decades been with the developing technologies. Now we have come full circle to recognising the primacy of data.
All data has value. Some is gold, some is cash, some is essential for the continuity or even survival of an organisation. A lot of data, of course, is largely dross. But even dross (like slag heaps or depleted uranium) has potential value, sometimes much greater than is apparent from the mounds of waste. In many respects, that is Big Data — big heaps of stuff. Often like a colossal city dump, sometimes like a bog formed over centuries of accumulation, more often a collection of tidy container warehouses with minimal human presence.
But whether we take the scavenger approach or the data mining techniques of sieving through everything, there is value to be extracted. It might be a diamond but is much more likely to be a commodity to which value may be added by other material.
We know all of that, in theory. But we are still a long way from actually understanding and appreciating the value of data — our own or publicly shared. Granted, people and states, crooks and spies, have always understood the value of others’ information — especially secrets — and appreciated the fact that it is so much easier to acquire now that it is in digital form.
Let us be clear about all that. The major military nations of the 21st-century world are diverting a huge proportion of their military budgets from explosives to exploits. It has been easier for some years now to rob a bank with an electronic gremlin than with a gun.
But we are talking about the normal progress of development in business and life and government and machines and electronics. The data targets of nation states are, generally speaking, to do with geopolitical strategic advantage rather than money.
We humble people are targeted by criminals simply for monetary gain — money or information that can be sold for money. That is mostly directed at data that can yield access to bank accounts and credit cards, from dates of birth and mothers’ maiden names to addresses or indeed any identity clues.
That has to be the motivation behind the biggest hack in history, disclosed just before Christmas, when Yahoo revealed it had lost over a BILLION user account details in 2013. That followed a September revelation that over 500 million accounts had been compromised in 2014. Yahoo blamed ‘state-sponsored actors’ for the 2014 intrusion, and disclosed that its proprietary source code had been accessed and used to learn how to forge session cookies, giving an intruder access to accounts without a password.
Viewed in a vaguely positive light, it is to be hoped that the sheer volume of compromised user accounts in this breach might trigger a global consumer consciousness of cybersecurity. A billion is headline making. But a great part of the blame lies with the companies offering the online services or goods. Not necessarily, it should be stressed, their security people. Marketing and finance and chief execs are focussed on expansion and competition. They are terrified of making anything online a hair’s breadth more difficult for consumers because of the notorious impatience of the market.
Funnily enough, financial services firms and many very successful corporations impose stricter security than their competitors. Passwords must contain capitals, numbers and non-alphabetic characters. Difficult to remember, and they will end up written down, but even that is much, much less of a risk than QWERTY. The practitioner’s caveat is that length and uniqueness do more for a password than forced character classes: ‘Qwerty1!’ satisfies the rule and is still among the first guesses an attacker tries, and a password manager beats a sticky note. As for mother’s maiden name or favourite dog, harvesting Facebook is the opening module of Hacking 101.
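The two policies contrasted above, side by side, as an added example (not code from the column or from any of the companies it mentions): a composition rule of the “capitals, numbers and non-alphabetic characters” kind, and a check that instead enforces length, a denylist of common passwords with leet substitutions undone, and rejection of keyboard walks such as QWERTY. The denylist, leet table and thresholds are constructed for illustration; a real deployment would load a large breach-derived list.

```python
"""Composition rules versus a denylist plus keyboard-walk check.

Added example, not from the column. The denylist, leet table and thresholds
below are constructed for illustration only.
"""
import re

# Constructed denylist: a few entries of the kind found at the top of leaked lists.
COMMON_PASSWORDS = {
    "password", "qwerty", "123456", "letmein", "welcome", "admin", "iloveyou",
}

# Rows of a US QWERTY keyboard; a "walk" is a run along one row in either direction.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Substitutions that composition rules reward but cracking wordlists undo first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12   # assumed threshold for the denylist policy
MIN_WALK = 4      # assumed minimum run of adjacent keys that counts as a walk


def composition_policy(pw: str) -> bool:
    """The rule described above: 8+ characters with a capital, a digit and a non-letter."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z]", pw) is not None)


def normalise(pw: str) -> str:
    """Reduce a password to the word an attacker would guess it from:
    lowercase, drop leading/trailing digits and symbols, undo leet substitutions.
    'Qwerty1!' -> 'qwerty', 'P@ssw0rd' -> 'password'."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_common(pw: str) -> bool:
    """Match both the raw lowercase form (catches '123456') and the normalised form."""
    return pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS


def has_keyboard_walk(pw: str, min_run: int = MIN_WALK) -> bool:
    """True if the password contains min_run or more adjacent keys from one keyboard row."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in s:
                    return True
    return False


def denylist_policy(pw: str) -> bool:
    """Length, denylist and keyboard-walk checks, with no composition requirement."""
    return len(pw) >= MIN_LENGTH and not is_common(pw) and not has_keyboard_walk(pw)


def evaluate(pw: str) -> dict:
    """Run both policies so that their disagreement is visible."""
    return {"composition": composition_policy(pw), "denylist": denylist_policy(pw)}


if __name__ == "__main__":
    for candidate in ("Qwerty1!", "P@ssw0rd", "123456",
                      "correct horse battery staple", "Battery-Staple-42-Horse"):
        print(f"{candidate!r:32} {evaluate(candidate)}")
```

Run stand-alone, the script shows the composition rule accepting ‘Qwerty1!’ and ‘P@ssw0rd’ while rejecting a long passphrase, and the denylist policy doing the reverse; only a long, unique string satisfies both.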
Back to data. Looked at objectively, with no morality involved, personal information is one of the most valuable harvests from massed data. Even sets of age brackets for large groups are more easily monetised than, for example, footfall patterns in a street, shopping centre or individual store. Distasteful though it may be, a list of newly bereaved people (publicly available, often with matching addresses) is one of the oldest techniques in Irish marketing, from Mass card printers. Zeroing in a bit more, a list of people with a specific condition or disease is downright valuable. Second only to a list of people who have bought something that they will buy regularly. In other words, a competitor’s customer list.
Back again to data: value always demands security. We have had thousands of years to train ourselves, from childhood onwards, in protecting tangible objects. Bits and bytes are invisible and there is no natural protective instinct to kick in. Cybersecurity is conceptual. Bluntly, most of society still doesn’t get it, including senior management and politicians, and even digital natives blithely assume ‘The System’ is taking care of all that. Kids understand broadly that lots of services are free because they become part of a target market, and they are comfortable with that.
Virtual friends, real friends—it’s all a mix of augmented reality, digital life and real life. Like real life in most places, certainly Ireland, the risks of negative consequences are actually low. So people don’t take much care because they don’t care much.
And once again back to data. Should there be cybersecurity laws? Should, for example, the Office of the Data Protection Commissioner be legally given a more active role in mandating and overseeing best practice security? That would naturally start with government agencies and state services, although in all fairness our public sector is very responsible in such matters. But it is the place to start to create a base for a national security consciousness.
Financial auditors and certain regulatory authorities, nationally and internationally, look for evidence of good security practices. But that is principally governed by protection of personal data and the fiduciary responsibilities of directors. Conforming to the existing laws, in other words.
In fact, the ‘Data Protection Commissioner’ is a misnomer. It is actually responsible for overseeing the real and digital environment for personal data only and should be titled the Personal Data Protection Commissioner. To be fair (again) we are following the EU model — indeed fronting it up, as some internationally significant legal cases recently have demonstrated.
We need to go further. What about encryption, admittedly and unashamedly a hobbyhorse of this column? Should Ireland have a Data Encryption Act mandating the encryption of specific kinds of data records and transactions? Should we require two-factor authentication for all online services, no matter how small the user base?
State bodies and major companies have become acutely conscious of the geographical factors in where data is stored. Cloud is only a piece of jargon. Where are the data centres? Should there be appropriate legislation applying to even SMEs? Personal data is one thing. What about client data? Should solicitors be allowed to use cloud services? What about accountants and other business advisers — even architects?
Cybersecurity experts and the IT sector are raising questions all the time about protecting systems and data. Socially and politically, all of that is just a whisper in the babble of the crowd and our political masters do not understand or care. It’s all a techy bore.
So, here’s hoping the Yahoo billion stirs things up.