Protecting Information: a cascading approach to information security

There is no easy way to protect corporate information. Protecting government information is easier because governments run their own networks. Life in the commercial world is somewhat different, but businesses that follow these six steps will be better off:

  1. DEFINE. Don’t protect everything. It costs too much and it’s a waste of time. Define what is intellectual property (patents, trademarks etc.). This is the material that (a) is legally protectable, and (b) is what the market will pay for (i.e. it isn’t an intangible asset – it has a dollar value). Intangible assets which are collectively seen as valuable are classed as intellectual capital. Everything else is either supporting information or junk.
  2. DETERMINE. Determine what goes where as part of your internal processes and workflows. Remember, it gets used if it’s part of the workflow. Proper IP should reside on closed systems with certain roles acting as guardians (e.g. in-house counsel, financial comptroller etc.). Intellectual capital, such as frameworks, processes and analytical methods, should sit on systems with role-based access privileges so that repeated access (e.g. for screenshots) is noted. Printing and downloading should be limited and part of a defined process. Thin client technology helps, but the most important means of guarding this material is to compartmentalise it (i.e. various levels of decomposition etc.) so that it’s hard to gather it all together at once yet easy enough to use as a reference tool for team use.
  3. DEVELOP.  Keep developing your intellectual capital.  It’s less worthwhile stealing information which is outdated.  Moreover, make sure that development is cross-functional and multi-disciplinary.  This is akin to holding the encryption key to your intellectual capital.  If only a few central people know how the framework all works together then even if it is taken by former employees they will, at least, be unable to build on it.
  4. IDENTIFY.  Identify the people who are going to access this sort of information.  Now build these roles and enforce them with internal business processes and physical security measures to make this work.
  5. INSPECT.  Tag your information and gain access to employee hard drives.  There is no way around it.  Be subtle about how you approach knowledge workers and develop socially enforceable norms around the use of corporate proprietary information.
  6. INVEST. For intellectual capital works, invest in a great means of display. If you’re afraid of other firms ripping off your frameworks or processes, then get a graphic artist to create excellent visual representations. Then you can protect that image through contracts with employees and clients. Any use outside of your parameters can be met with a solicitor’s letter.

Most importantly, invest in your people and invest in the development of new knowledge. If they want to take it, they will, but nothing secures information like happy employees, and few will want to steal outdated information which they can’t build on.

Managing data risk: APRA issues draft practice guide – Lexology

In their article on data security protection, Helen Clarke and Melissa Burrill (Corrs Chambers Westgarth) set out an admirable approach to legal protections for data security. However, their advice breaks the first rule of data security – if you don’t control it, you can’t secure it. Fundamentally, businesses need to hold their secure information close, or have active measures to secure it, if they are to avoid data security breaches. In the end, the threat of legal sanction will not stop criminal action by third parties.

The chart below shows the most high-profile data security breaches of 2012. Clearly, the breaches do not reflect the strength of potential legal action or the drafting of data protection clauses. No amount of due diligence would have assisted these companies’ clients, as the breaches were not due to lax security procedures.

Contracts and legal sanction are only useful to deliver damages and enforce restitution to cover immediate financial losses. They will not cover loss of brand equity or market share.

The only way to truly secure information is to manage it in-house. If businesses wish to manage secret or confidential data in a cloud, then they should store it encrypted and hold the keys themselves. Alternatively, they can link databases and hold the unencrypted information in the cloud while the actual names of clients are held locally.
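The second option, linked databases with client names held locally, as an added illustration that is not part of the original post: each record is split into an on-premises identity table and a cloud copy keyed only by a pseudonym, so a breach of the cloud store yields no names. The `SplitStore` class, the sample records and the key are constructed for this example.

```python
import hmac
import hashlib

# Constructed sample client records; the names are placeholders, not real clients.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "balance": 1200, "plan": "gold"},
    {"name": "Bob Example", "balance": 300, "plan": "basic"},
]


class SplitStore:
    """Identity table stays on-premises; only a pseudonymised copy goes to the cloud."""

    def __init__(self, key: bytes):
        self._key = key              # on-premises secret, never sent to the cloud store
        self.local_identities = {}   # token -> real client name (held locally)
        self.cloud_records = {}      # token -> non-identifying attributes (held in cloud)

    def _token(self, name: str) -> str:
        # Keyed pseudonym: the provider holds no key, so it can neither recompute
        # nor invert the token to recover the client's name.
        return hmac.new(self._key, name.encode("utf-8"), hashlib.sha256).hexdigest()

    def ingest(self, record: dict) -> str:
        token = self._token(record["name"])
        self.local_identities[token] = record["name"]
        self.cloud_records[token] = {k: v for k, v in record.items() if k != "name"}
        return token

    def lookup(self, name: str):
        # Rejoining the halves needs the key and the local table, neither in the cloud.
        token = self._token(name)
        attrs = self.cloud_records.get(token)
        if attrs is None:
            return None
        return {"name": self.local_identities[token], **attrs}


def build_store(records, key: bytes) -> SplitStore:
    store = SplitStore(key)
    for rec in records:
        store.ingest(rec)
    return store


def cloud_exposes_name(store: SplitStore, name: str) -> bool:
    """Simulate a breach of the cloud copy: does any token or value contain the name?"""
    for token, attrs in store.cloud_records.items():
        if name in token or any(name in str(v) for v in attrs.values()):
            return True
    return False
```

Because the pseudonym is deterministic for a given key, the cloud copy still reveals which records belong to the same client; the post's first option, encrypting the data itself with keys held in-house, is not shown here.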

If businesses wish to remain wilfully blind (or take calculated risks) and outsource the storage of secret information, then they should think about building in operational sanctions, such as moving, encrypting or realigning data against accounts, to ensure there is no monetary loss for clients.

[Chart: security breaches, 2012]