Information Age: How can you best protect your organisation’s data?

The number of successful data breaches continues to surge, as hackers get smarter and security solutions struggle.

What is the most effective method of data protection for the enterprise?

This is a question that must plague those in charge of an organisation’s data and security. There are so many solutions out there, and there is certainly no ‘silver bullet’ for cyber security. What is a CTO, CISO or CSO to do?

There isn’t one solution

There isn’t one solution or method to cyber security, explained Jason Hart, CTO of Data Protection for Gemalto.


Computer Business Review – How to keep data safe on Data Protection Day: From cyber insurance and GDPR, to cloud and encryption

Procrastinating in the cloud? Relying on cyber insurance? On Data Protection Day you should look into your data security processes and reevaluate how you are protecting the hot commodity that is data.

With Great Data, Comes Great Responsibility

Jason Hart, CTO, Data Protection, Gemalto

In an age of convenience, consumers are more than happy to share personal data with businesses and organisations, as long as it enhances their online and offline experiences. Whilst this provides considerable benefits to the business receiving the data, it also comes with a huge responsibility – consumers expect that their data will only be accessed by internally authorised individuals, and be completely secure from external threats.

Businesses must implement encryption to ensure that the data they hold is secure, and can only be accessed by select individuals. Additionally, two-factor authentication is crucial in helping mitigate any outside threats. By encrypting the data, and managing the encryption keys properly, the data is useless to the hacker, as well as any unauthorised personnel within the organisation. This means that, even if a breach takes place, consumer data remains private.


ITPro – Data Protection Day: why it’s time to speak up for privacy

With the looming Investigatory Powers Act and threats from across the pond that the US may not consider privacy all that important to those who aren’t American, this year’s Data Protection Day is as timely as ever.

Also known as Data Privacy Day, the awareness-raising effort commemorates the signing of Convention 108 — the first international treaty dealing with data protection.

To celebrate, we heard from tech and security experts about what they’d like to see companies and individuals do to improve data privacy in 2017.

You can’t keep customers’ data private if your company isn’t properly secured – take that responsibility seriously, said Jason Hart, CTO for data protection at Gemalto.

“Consumers expect that their data will only be accessed by internally authorised individuals, and be completely secure from external threats,” he said.

Because of that, companies should implement encryption as well as two-factor authentication, he advised. “By encrypting the data, and managing the encryption keys properly, the data is useless to the hacker, as well as any unauthorised personnel within the organisation,” Hart added. “This means that, even if a breach takes place, consumer data remains private.”


SC Media – Only 31% of UK consumers say protecting data is their responsibility

The majority of UK consumers (69 percent) believe that the responsibility for protecting their personal data lies in the hands of the businesses holding that information, while the remaining 31 percent believe they are responsible for protecting their own information.

“In 2016, we saw a number of high profile data breaches, notably TalkTalk and Yahoo, affect UK consumers, helping raise public awareness around the very real threats to personal data. Despite this, it appears that UK consumers are less concerned about becoming a victim of a breach than their counterparts worldwide, with more than half being confident when banking online or via mobile. What is clear, is that UK consumers believe the responsibility for protecting personal data lies with the business and not the individual, leading to a feeling that it is not their own fault should a data breach occur,” said Jason Hart, CTO of data protection at Gemalto.


EU business leaders must act now before new security law takes effect


The recent announcement that a European parliamentary committee will back a proposal requiring critical infrastructure operators and digital service providers, such as Amazon and Google, to maintain appropriate security measures and, more importantly, to report major data breaches is a defining moment for businesses in the EU.

Business leaders should treat it as an early warning to evaluate their security practices before the proposal is approved by the European Parliament and the Council. So what is the current position in the EU, and what steps do business leaders need to take to avoid falling foul of the law when it comes into effect?

Security today is still dominated by a single-minded focus on preventing a breach through firewalls, antivirus, content filtering and threat detection. If history teaches us anything, it is that breaches are inevitable and attackers will eventually get past that perimeter wall.

Once this happens customer data or even a company’s IP could be compromised. Consumers entrust their vital information to companies that gather this data and must be confident that it is being kept safe and secure. Once that trust is broken, it can be very difficult for companies to get that back.

Why has there been this sudden change?

Security has always been a hot topic, but with hacks of companies like TalkTalk generating headlines and companies collecting ever more data about us online, protecting data and securing consumer trust has never been more prominent.

Currently in the EU, companies are not obliged to report data breaches that have occurred and, as such, many do not. Once the new law is in force they will have to disclose these breaches, and must therefore consider a change in strategy now.

But this isn’t a new policy: US state breach-notification laws have required disclosure for many years, which is the main reason we hear more about breaches there than we do in the EU.

Now is the time to review what has already taken effect in the US and analyse what lessons can be learned.

Instead of focusing purely on protecting the perimeter wall, businesses should instead turn to a layered approach that protects the data at every level should criminals get past that first defence. This also means focusing on the data itself and ensuring it can’t be accessed or used by anyone that is not authorised to do so.

Surrounding the data with end-to-end encryption, authentication and access controls provides the additional layer of security that is vital to protecting customer and corporate information. With encryption in place, any data that is taken is useless to anyone who is not authorised to access it.

That authorisation is enforced through the keys: only those who are allowed to access the data can obtain the key that decrypts it, which is why the keys must be managed and protected separately from the data they protect; encrypted data stored alongside its own key is not protected at all. All this means that, should the worst happen and a breach occur, the customer data should still be secure.
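The pattern these paragraphs describe (and that the Gemalto quotes under the Computer Business Review and ITPro items above rest on), as an added example that is not code from the original page or from Gemalto: each customer record is sealed with its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that lives only inside a key service, and the key service unwraps DEKs for authorised principals only. A copy of the record store therefore carries ciphertext and wrapped keys but nothing that decrypts them. `KeyService`, `Record`, the principal names and the sample record are all hypothetical constructions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the store holds: ciphertext plus a wrapped per-record key.
// The KEK never leaves the KeyService, so a copy of the store alone is useless.
type Record struct {
	ID         string
	WrappedDEK []byte // data-encryption key sealed under the KEK (nonce || ct)
	Ciphertext []byte // record body sealed under the DEK (nonce || ct)
}

// KeyService (hypothetical name) is the key-management boundary: it holds
// the KEK and unwraps DEKs only for principals on its allow-list.
type KeyService struct {
	kek        []byte
	authorised map[string]bool
}

func NewKeyService(principals ...string) (*KeyService, error) {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	ks := &KeyService{kek: kek, authorised: map[string]bool{}}
	for _, p := range principals {
		ks.authorised[p] = true
	}
	return ks, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, tampered bytes or mismatched aad all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt generates a fresh DEK per record and wraps it under the KEK. The
// record ID is bound as associated data so a wrapped DEK cannot be moved to
// another record.
func (ks *KeyService) Encrypt(id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(ks.kek, dek, []byte(id))
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt is the only path back to plaintext, and it is gated on the caller.
func (ks *KeyService) Decrypt(principal string, r Record) ([]byte, error) {
	if !ks.authorised[principal] {
		return nil, fmt.Errorf("%q is not authorised to unwrap keys", principal)
	}
	dek, err := open(ks.kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	ks, _ := NewKeyService("billing-service")
	rec, _ := ks.Encrypt("cust-1001", []byte("Jane Doe, 4111 1111 1111 1111")) // constructed sample
	pt, _ := ks.Decrypt("billing-service", rec)
	_, insider := ks.Decrypt("marketing-intern", rec)
	_, thief := open(make([]byte, 32), rec.WrappedDEK, []byte(rec.ID)) // stolen store, no KEK
	fmt.Printf("authorised: %s\ninsider: %v\nthief: %v\n", pt, insider, thief)
}
```

In production the `KeyService` would be an HSM or a managed key service and the allow-list an identity system, but the shape is the same: the store never sees the KEK, every read of plaintext passes through an authorisation check, and rotating or destroying the KEK acts on every record at once.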

Telling customers

Once these security measures are in place it’s important to tell customers. In order to build that trust, customers will want to know the processes have been put in place to protect their data. If businesses can show them they are going the extra mile, this will establish them as a credible innovator and trusted company.

Security must be a two-way street, though: just as customers should be informed of what is being done to protect them, they should also be told how they can protect themselves. A better-educated consumer helps to create a safer consumer service all round.

With this announcement being made public, companies have the opportunity to get ahead of the game and show their customers they are taking protecting their data seriously. No longer can companies simply look at security as a compliance mandate, but rather as a responsibility that is crucial to their success.

Consumers are becoming far more educated and aware of the sensitive data they are releasing to organisations, and the responsibility that entails.

As this education increases, consumers will expect more of the security credentials of the companies that hold their data. Failing to take this seriously risks not only the direct impact of a data breach but also the trust of the consumer. Lose that and face watching customers go to more trustworthy competitors.

Google, Zero Trust and Securing the Breach

It may have taken five years, but as far as the company is concerned, the effort has paid off: last week, Google announced the completion of its deployment of BeyondCorp, a zero trust IT and security architecture based on protecting identity and data, rather than looking to protect the perimeter of the organization’s IT hardware.

We can only applaud this move. As we wrote in our Secure the Breach Manifesto, “Whether internal or external, breaches are inevitable. In today’s environment, the core of any security strategy needs to shift from ‘breach prevention’ to ‘breach acceptance.’ And, when one approaches security from a breach-acceptance viewpoint, the world becomes a relatively simple place: securing data, not the perimeter, is the top priority.”

BeyondCorp amounts to a complete overhaul of Google’s IT and security architecture. It rests on authenticating both user and device, on user behavior and identity analytics, and on device reputation and intelligence, all of which feed into a completely new ‘Access Intelligence’ framework that gates access to company resources.

At the same time, the new approach stops treating the network as a source of trust. The assumption is that the network can be breached, internally or externally, one way or another, so being connected to it proves nothing about the person or device making a request. Rather than trusting the network to any extent, this zero-trust model puts all of its effort behind protecting applications, and the data they access.

In this model there is no room for BYOD: only company-issued devices are recorded in the central asset register, and only these are given any kind of access to corporate applications and services, via a centralised mobile device management facility. Companies that follow the zero trust model should also encrypt all of their sensitive data and communications.

At the same time as increasing security however, the BeyondCorp zero trust approach makes lives easier for Google employees, who can now work wherever they like without the need for tools such as VPNs. “We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet,” explained an initial brief on the topic.
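The access decision described above, as an added example that is not code from the original page, from Google, or from the BeyondCorp papers: every request is scored from the user’s authentication and the device’s record in the asset register, and the network it arrived from is recorded for audit but never consulted. The example goes slightly beyond the text by giving applications a required trust tier, so that a managed but out-of-date device can still reach low-value services while being kept away from sensitive ones. The field names, tier scale, thresholds, inventory and policies are all hypothetical constructions for the example.

```go
package main

import "fmt"

// Device is one entry in the central asset register (hypothetical fields).
type Device struct {
	Managed        bool // enrolled in the company MDM; BYOD devices are never listed
	DiskEncrypted  bool
	DaysSincePatch int
}

// Request is one access attempt. SourceNet is kept for the audit log only;
// it plays no part in the decision.
type Request struct {
	User       string
	Groups     []string
	MFA        bool   // a second factor was presented
	DeviceCert string // fingerprint of the device certificate, "" if none
	SourceNet  string // "corp" or "internet"
	App        string
}

// Trust tiers, lowest to highest (a hypothetical scale).
const (
	Untrusted = iota // unknown or unmanaged device: no access to anything
	Basic            // managed device, but unencrypted, unpatched or no MFA
	Full             // managed, encrypted, recently patched, MFA presented
)

type Policy struct {
	RequiredTier  int
	AllowedGroups []string
}

type Engine struct {
	Inventory map[string]Device // keyed by device certificate fingerprint
	Policies  map[string]Policy // keyed by application name
}

// tier scores the request from the device record and the authentication
// strength. Nothing here looks at the network the request arrived from.
func (e Engine) tier(r Request) int {
	d, known := e.Inventory[r.DeviceCert]
	if !known || !d.Managed {
		return Untrusted
	}
	if d.DiskEncrypted && d.DaysSincePatch <= 30 && r.MFA {
		return Full
	}
	return Basic
}

// Decide returns whether the request is allowed and a reason for the audit log.
func (e Engine) Decide(r Request) (bool, string) {
	p, ok := e.Policies[r.App]
	if !ok {
		return false, "no policy for " + r.App
	}
	t := e.tier(r)
	if t < p.RequiredTier {
		return false, fmt.Sprintf("tier %d below required %d (source %s not considered)", t, p.RequiredTier, r.SourceNet)
	}
	for _, g := range r.Groups {
		for _, a := range p.AllowedGroups {
			if g == a {
				return true, fmt.Sprintf("tier %d, group %s", t, g)
			}
		}
	}
	return false, "user not in an allowed group for " + r.App
}

// SampleEngine is a constructed inventory and policy set for the demonstration.
func SampleEngine() Engine {
	return Engine{
		Inventory: map[string]Device{
			"sha256:aaaa": {Managed: true, DiskEncrypted: true, DaysSincePatch: 3},
			"sha256:bbbb": {Managed: true, DiskEncrypted: false, DaysSincePatch: 90},
		},
		Policies: map[string]Policy{
			"payroll": {RequiredTier: Full, AllowedGroups: []string{"finance"}},
			"wiki":    {RequiredTier: Basic, AllowedGroups: []string{"staff"}},
		},
	}
}

func main() {
	e := SampleEngine()
	r := Request{User: "alice", Groups: []string{"staff", "finance"}, MFA: true, DeviceCert: "sha256:aaaa", SourceNet: "internet", App: "payroll"}
	show := func(label string, r Request) {
		ok, why := e.Decide(r)
		fmt.Printf("%-26s allowed=%-5v %s\n", label, ok, why)
	}
	show("compliant, internet", r)
	r.SourceNet = "corp"
	show("compliant, intranet", r) // identical outcome: location adds nothing
	r.DeviceCert = "sha256:zzzz"
	show("unknown laptop, intranet", r) // being on the office LAN does not help
	r.DeviceCert, r.App = "sha256:bbbb", "wiki"
	show("stale device, wiki", r) // Basic tier still reaches low-value apps
}
```

The point to notice is that the first two calls return the same answer: once the decision is made from identity and device state, there is nothing a VPN or a privileged intranet could add, which is what lets the corporate applications sit on the Internet.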

The deployment has not been straightforward: indeed, it has taken the company five years with many lessons learned along the way — not least how to deal with edge cases caused, for example, by hardware reconfigurations such as moving a hard drive from one computer to another.

Overall, the company has found itself better off. By moving to a zero trust model it is not only better protected but also has greater flexibility to deal with future attacks.

This move, by a company as large and as heavily targeted as Google, could well be a game-changer for the industry, and we expect many other organizations to follow its lead. Quite clearly it should not be undertaken without a great deal of planning, but if Google is already seeing the benefits, other organizations can too.