Looming mandatory breach notification laws have given Australian CISOs an opportunity to raise their organisational visibility by actively engaging users to build a culture in which data is classified and managed by default.
Data classification technologies – which allow management of various types of data based on business rules preventing, for example, copying of files off the company network – have been around for a while. However, the technology has gained new currency as businesses increasingly focus on protecting their data in the era of cloud and mobile, Tim Upton, founder and CEO of security and compliance provider TITUS, told CSO Australia.
Introducing data classification across an entire organisation has been difficult in the past because it required explicit participation from employees. But as breach notification laws threaten increased visibility of data loss and impose new consequences, Upton said, executives will be empowering CISOs with top-down mandates to increase data-protection compliance across the board.
“If you can get that fundamental buy-in from the business units and they start identifying and tagging their data, they will feel responsible about the business outcome,” he explained. “Once you give your data an identity, you have enabled all of your downstream technologies to do their magic.”
“This is something that will touch everyone in the enterprise,” he continued. “And that’s the benefit for CISOs: it shows that they are doing something. Many other things they do are invisible, but this is a way for them to get a quick win.”
Despite the perceived urgency of the breach-notification deadline, CISOs must still take a softly-softly “very simple approach” to build a culture of data protection that is seen by employees to be inclusive rather than arbitrary.
“We’ve seen cases where people get a little too complicated at first and that creates delays and friction,” said Upton, who recommends starting with just 3 to 5 “general” classifications for data. Classification systems can also draw on a range of ancillary information – such as the job role of the data’s creator – to make informed guesses about what kind of data they are producing and how it should be protected.
Machine learning offered the promise of helping enforce data classification regimes, Upton added – but even the best algorithms can only go so far. An algorithm might be able to discern that an emailed image file contains a photo of a red car, for example, but without classification by humans that algorithm would have no way to know whether it was a generic picture or an image of the company’s latest top-secret prototype.
People, therefore, remain fundamental to classification and protection regimes – and this, Upton said, remains the same no matter how employees’ interactions with technology change. Classification technologies now accommodate the movement of data to and from cloud and mobile devices, each of which has its own usage and security profiles.
Preserving data classifications across those channels is essential for the proper functioning of any data-protection regime – the effectiveness of which is quickly watered down if classification is only enforced on some channels.
The technology has progressed far enough, said Upton, that classification is now robust enough for CISOs to make it a part of employees’ everyday activities. “The fact that you can address data no matter where it is because of policy, means we’re at the tipping point,” he said.
The timing couldn’t be better: with breach notification legislation increasing the onus on businesses to do their best to avoid breaches, Upton warned, security executives “are going to be shocked at what they have to do” to comply. “A lot of people are going to be in for a very rude awakening.”
That’s why CISOs should start now working with business agents to drive cultural change through their organisations. “Beginning a culture change of accountability would have all your employees thinking for a split second before they hit ‘send’,” he said. “Instead of educating them for 30 minutes each year, we will educate them every day whenever they save information. It’s a great opportunity to have a teaching moment.”
Such teaching moments will be frequent and, in many cases, embarrassing as the true state of Australian organisations’ data security – as opposed to the very limited picture painted by the 107 organisations that voluntarily reported breaches to the Office of the Australian Information Commissioner (OAIC) last year – becomes clear for all to see.
The legislation will offer great exposure through a growing body of case studies and expert analyses – but with DDoS and multi-vector attacks anticipated to grow dramatically this year, businesses will have to bring their data-protection A-game.