FutureSec: Inside track on the hidden risks faced by companies
Companies of all sizes need to be increasingly aware of the need to safeguard their online presence and protect sensitive information, warns technology expert Mark Brosnan.
“Understanding where your most sensitive data resides is key to your security,” explains Brosnan, who heads up the award-winning Xanadu Consultancy an innovative technology company which develops best-in-class software and provides operational support and services for clients.
“Employees may, for example, store data on their local devices, upload to shadow IT like a personal Dropbox account or email data out outside of the organisation - and that’s just for starters.
“As the amount of data stored by a company grows daily, it becomes harder to keep up-to-date with your data governance posture.”
The demand for the services provided by Xanadu and companies like it is growing - in just eight years, the Blackpool-based consultancy and software development company which won the Cork SME Company of the Year Cork award in the Cork Chamber of Commerce Awards in 2015 has expanded to a global business with 150 staff based in Cork, London, Italy and Vancouver.
In essence, explains the Xanadu CEO, his firm builds what he describes as “hugely transactional complex software solutions” for the gaming industry and has a large group of international clients for which it develops end-to-end technical solutions.
“We design, implement and manage a company’s online presence,” he says, adding that this role involves designing and safeguarding a company’s security posture and data governance.
As part of my role with Xanadu, I advise companies on safeguarding their online presence.
Companies should be in no doubt about the extent of the online threat facing them on a daily basis, he warns:
“There is a very clear and present threat of people attempting to break into company networks.”
Company cyber-security protocols can be fundamentally unfit for purpose, Brosnan observes, because so many firms find it difficult to understand what data they actually hold - and what risks they are facing.
There are essentially two kinds of data which need to be considered, he explains:
“There is structured data which is information contained in databases with a very defined security protocol.
“Take, for example, a bank which has databases with customers name and account details transactions. The bank has designed a defined method for storing that data.
"Traditionally, cyber-security is based around protecting access to that structural data - it’s like an online version of a traditional bank vault," he explains.
On the other hand, unstructured data is data contained within a company’s system which is not necessarily structured or controlled: “Take, for example, an email from a bank manager to a client containing details and information in relation to that client’s account.
“In reply, the customer may scan a document of information and send it to the bank.
“None of that data is structured, so the person who runs the bank’s IT security may not be aware of what is contained in the emails relating to personal information.
“None of that information is in a database - it is in an attachment to an email stored, for example, on someone’s laptop or phone.
“The IT security personnel in the bank are not aware of the sensitive information floating around outside their database.
“This is a hidden risk. For example, if an employee’s laptop goes missing, for example, IT security personnel will have an idea of what is on the laptop in terms of the number of files or word documents or email attachments - but they will not know if the documents contain sensitive information.”
It’s becoming increasingly difficult for IT security staff to have a view of what that unstructured information is, observes Brosnan: “Every time someone send an email or text or sends an image, the information is propagated and multiplied on a daily basis and at a rapid rate.
It’s unstructured. There’s no way that the people in charge of security at the firm can know exactly what is contained in the text, email or image - and whether the information is sensitive or not.
It can also be extremely difficult to know, he warns, which members of staff may have access to different sensitive information in a company and to be aware, therefore of who could potentially send it out of the organisation.
“We call this an insider threat - how do you stop it if you don’t know it exists?”
Although there are mechanism and tools to help companies with this problem - Data Loss Prevention tools - which stop data leaving a firm, Brosnan believes the real answer is to have a strong understanding of what the data is before it is sent out.
Companies should make that decision before engaging with Data Loss Prevention Tools, he says: “Education and the promotion of awareness amongst about how to submit and transfer information safely is absolutely paramount.
“This is about a culture of governance in the organisation. This requires training and a high level of staff awareness in terms of the sensitivity of the data they are handling and transferring.
“It’s also very much around engaging and investing in the right type of tools to effectively and appropriately classify and rank your company’s data.
“You need to use tools to classify data as sensitive or non-sensitive and to avoid storing or create any unnecessary data.
“It’s a good idea to put a programme in place for deleting any redundant or non-useful information and data.
“In other words, clean your data estate on a regular basis. Your data estate is your data held across a variety of devices - your information footprint; for example information in your database or on emails in laptops etc.
"Have a programme in place to essentially clear out unnecessary data he advises, and have a policy of not sharing sensitive or risky information that your organisation does not need.”
He points to another award-winning Cork firm, GetVisibility - in which Brosnan is an investor - which has developed an AI intelligence tool that scans a company’s data estate and classifies files as sensitive, non-sensitive, financial documents, regulatory document etc.
GetVisibility is a cyber-security product company which develops, sells and supports a ground-breaking AI-driven software platform, that discovers and protects unstructured data such as documents for large enterprise customers, allowing them to protect against data loss and data breaches.
Earlier this year the company won the Tech Start-Up of the Year at the it@Cork Leaders Awards.
“You can of course, read every file yourself and identify if there is sensitive information contained in it but that is a very laborious process,” Brosnan explains.
Instead, however, a company can use AI to determine what the data is and classify it, informing the firewall or DLP tools as to whether or not it should be allowed to leave the network.
“This applies to everybody, because with GDPR in place, every organisation in Europe now has a legal responsibility to ensure that any information that is around people is protected.
“Companies have a responsibility to know where all the information on any individual is held in the organisations. This is very difficult without structured data.
“An understanding of cyber security and the risks posed to businesses by a lack of strong data governance, needs to be a strong priority for any board meeting.
“There have been many examples of companies who have taken staff to court over the leaking of sensitive information, including Intellectual Property.
“The propagation of unstructured data is a hidden threat. Every time you unnecessarily create more data or information in an organisation you’re increasing the overhead by not managing it.
“Employees, for example, can send on an email with an attachment to another employee - and that employee may unthinkingly forward it to someone who should not get the attachment at all.”
