Exclusive: What is your vital data?
Philip Ingram MBE explores how organisations can better protect their data from cyber attackers.
“Personal data has become ‘the new oil’ and as such has become as important to us as any of our treasured possessions,” says Dean Armstrong QC, the Joint Head of Chambers with the 36 Group and global legal expert on all matters data.
On 1 November 2021 in a Private Industry Notification, the FBI warned that: “The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material non-public information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.”
Data in the UK is covered by the Data Protection Act 2018, which enshrines the General Data Protection Regulation (GDPR) and requires data processing to follow strict guidelines called ‘data protection principles’. It makes sure the information is:
• Used fairly, lawfully and transparently
• Used for specified, explicit purposes
• Used in a way that is adequate, relevant and limited to only what is necessary
• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary
• Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage.
The value of data
Examining the global regulation of data is the responsibility of UNCTAD and its analysis of Data Protection and Privacy Legislation worldwide says: “As more and more social and economic activities take place online, the importance of privacy and data protection is increasingly recognised. Of equal concern is the collection, use and sharing of personal information to third parties without notice or consent of consumers. 128 out of 194 countries had put in place legislation to secure the protection of data and privacy. Africa and Asia show a similar level of adoption with 55% of countries having adopted such legislations from which 23 are least developed countries.”
However, what is clear from the FBI warning and from what Dean Armstrong QC said is that criminals and bad actors recognise the value there is in data. Whether it is for criminal enterprise or for states trying to gain economic advantage, the issue is the same: data is a target and, no matter what regulations are in place for its handling, it is being stolen and manipulated.
Protecting data is therefore becoming ever more important. A rhetorical question all senior people in an organisation should be able to answer, but few can, is: in data terms, what is your vital ground? That is, which data is of such importance that it must be retained or controlled for the success of the business? In essence, your ‘Vital Data’.
At the moment, the approach to securing data is to hold all networks and storage to the same security standard and, in doing so, to secure all data to the same level, no matter what it is. In the physical world, not everything is protected to the same level of security, so why is it done in the data world?
As threats increase more rapidly and come from a more diverse threat landscape, it is going to become essential for businesses and organisations to work out what their data ‘vital ground’ is, enhance its protection and prioritise it to ensure higher standards of protection.
The basic levels of protection recommended by the FBI include:
• Back up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
• Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the original data resides.
• Install and regularly update anti-virus or anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks.
• Use two-factor authentication for user login credentials; use authenticator apps rather than email, as actors may be in control of victim email accounts; and do not click on unsolicited attachments or links in emails.
• Implement least privilege for file, directory and network share permissions.
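As an added illustration that is not part of the original article or the FBI notification, the Python sketch below shows one way to test the back-up and least-privilege recommendations on a POSIX file system: it reports what a given account on the source system could modify or delete in a back-up tree. The function names and the sample tree are constructed for this example, and the check reads mode bits only, ignoring ACLs, sticky bits and root.

```python
import os
import shutil
import stat
import tempfile

def can_write(st, uid, gids=()):
    """POSIX mode-bit check: does the account (uid, gids) hold write permission?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_backup_tree(root, uid, gids=()):
    """List (relative path, finding) for everything the account could alter."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Deleting or replacing a file needs write on its directory, not the file.
        if can_write(os.lstat(dirpath), uid, gids):
            findings.append((os.path.relpath(dirpath, root),
                             "directory writable: entries can be deleted or replaced"))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and can_write(st, uid, gids):
                findings.append((os.path.relpath(path, root),
                                 "file writable: contents can be modified"))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree as the current account."""
    root = tempfile.mkdtemp(prefix="backup-audit-")
    layout = {"locked": (0o555, {"a.bak": 0o444}),           # constructed sample
              "loose": (0o755, {"b.bak": 0o444, "c.bak": 0o644})}
    for d, (dmode, files) in layout.items():
        os.mkdir(os.path.join(root, d))
        for f, fmode in files.items():
            p = os.path.join(root, d, f)
            open(p, "w").close()
            os.chmod(p, fmode)
        os.chmod(os.path.join(root, d), dmode)
    os.chmod(root, 0o555)
    try:
        return audit_backup_tree(root, os.getuid())
    finally:
        for dirpath, _d, _f in os.walk(root):  # restore access so cleanup works
            os.chmod(dirpath, 0o700)
        shutil.rmtree(root)

if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

In the sample, the read-only file `loose/b.bak` produces no finding of its own, yet it can still be deleted because its directory is writable, which is why the directory is reported.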
Hidden in those recommendations is the need to understand critical data, and new methods of providing enhanced protection are emerging. Veeam, an industry leader for backup and data protection, in its 2021 Data Protection Report, said: “Economic uncertainty is undoubtedly topping the list of anticipated challenges in 2021 as reported by 40% of organisations worldwide. This is putting more pressure on data protection, as in times of business stress, business continuity becomes hyper-important and that rests on having a strong data protection solution.”
It goes on to conclude: “With the rapid change of IT strategy and faster adoption of modern services, data protection is more than ever under pressure to support and help business grow. No longer can backup be enough; organisations are looking for more from their data protection systems — lower costs, higher automation and intelligence and data reuse, to name just a few.”
One area that the industry needs to start to improve is its awareness from a data protection perspective regarding distributed ledger technology or blockchain. It can give a backbone to lower costs, facilitate better and offer critical authenticated automation. Capabilities are being developed rapidly to enable data to be kept on a blockchain in such a way that it can’t be tampered with, or accessed other than via an authenticated pathway, and all changes to access the data can be audited, as blockchain technologies produce immutable records by dint of the way they work.
As data increases in importance and therefore value, the technologies to handle, process and store that data are developing equally rapidly. Given the successes many hacking organisations seem to have, the bad actors are ahead, but there is hope that blockchain solutions may wrest the initiative back the other way. What is clear is that, with the exponential growth in the volumes of data circulating, new ways of protecting the vital elements will become essential. The starting point for businesses and organisations is to identify and properly understand that Vital Data.
For more information, visit: www.gov.uk/data-protection
This article was originally published in the December 2021 edition of International Security Journal.