Jon Andrews, VP, EMEA, Gurucul | Toolbox.com
In January this year, minister Theodore Agnew dramatically quit his job, citing the government's lamentable track record in tackling fraud in the multi-billion pound Covid loan scheme as his reason for leaving his post. Jon Andrews, VP, EMEA at Gurucul, shares his take on the lessons organizations can learn about cross-organizational data sharing from the situation that ensued.
In his resignation letter to the prime minister, the minister for efficiency at the Treasury and Cabinet Office also condemned the "desperately inadequate" efforts to claw back some of the enormous sums lost to fraud, amounting to £4.3bn of taxpayers' money, which Agnew says Rishi Sunak has essentially written off. He added that "schoolboy errors" were made over the bounce back loan scheme (BBLS) and that the Treasury "appears to have no knowledge or interest in the consequences of fraud to our economy or society."
But while it's likely that mistakes were made in such a time of crisis, there is something to be said about what allowed fraud of this scale to happen in the first place. The breakdowns in data flow between the organizations and initiatives involved, which made it impossible to properly validate the requests received by the BBLS, are not at all uncommon, and they highlight the need for better data-sharing practices across organizations. Perhaps this story can be an inspiration for organizations, public and private, in industries such as finance, healthcare and cybersecurity to improve their data-sharing practices, which will ultimately benefit productivity, create savings, add revenue and remove risky blind spots.
A report published by the World Economic Forum identified seven barriers to a more effective flow of cyber data that will need to be addressed to create a sustainable intelligence-sharing practice between organizations and, ultimately, build collective security. These challenges include complying with complex data-sharing regulations and having the right tools, capabilities, and skills in place.
What Created the Data Security Problem?
Data used to be stored on on-premises servers and applications, protected by firewalls and infrastructure designed to keep intruders out. Products such as the first security information and event management (SIEM) tools were created for this environment, but they failed to deliver what they initially promised.
The pandemic exacerbated the problem by scaling up organizations' need to share data efficiently. Remote working accelerated cloud adoption, as companies had to modernize to let their employees access systems and data from home. Naturally, operations took priority over security, and many of these migrations were likely rushed and therefore more prone to human error and oversight. Such mistakes not only open organizations up to cyberattacks but can also lead to the loss of important information if data-sharing practices and policies are not set up correctly.
Brexit and International Data Sharing Policies
The stance of the UK on data protection law has primarily aligned with the EU, and even after Brexit, the fundamental principles, rights and obligations have remained unchanged. However, the responsibilities previously covered by the European Commission and the European Data Protection Board have now moved internally and fall under the jurisdiction of the UK government and the Information Commissioner’s Office (ICO).
The UK and the European Economic Area (EEA) each recognize the other's data protection regime as 'adequate,' meaning that personal data can flow between the two without additional transfer safeguards.
What changed, however, is that the UK is now on its own when it comes to setting the standards for transferring personal data outside the country. Under the International Data Transfer Agreement (IDTA), in force since 22 March 2022, the UK's Information Commissioner's Office (ICO) sets out what organizations must put in place when transferring personal data to countries without an adequacy decision. In light of these new rules, organizations should map which transfers they actually carry out and prepare to conduct Transfer Risk Assessments, which check whether the protections at the destination are good enough for the IDTA to be relied upon for that transfer.
The fragmented, ever-changing nature of data privacy and data sharing regulations, made worse by the changes in the geopolitical situation in recent years, contributes to the confusion of organizations when it comes to complying with different countries’ standards.
Starting from the Basics: Data Tracking
The root of the data-sharing problem is a visibility one. If organizations don't know what data they have, not only can they end up spending an excessive amount of money on cloud storage, but they can also fail to make use of helpful information, and they cannot protect data they do not know they hold.
To develop a successful data-storing and data-sharing practice, organizations need to know where their data is located, who has access to it, how it is handled and who it is shared with. Data security policies are essential, but it's impossible to check that they are being followed without that visibility.
The Next Step: Privacy Enhancing Technologies (PET)
Privacy-enhancing technologies (PET) have emerged in response to organizations' need to share information securely and to increase their collective cyber resilience.
One of the key features of PETs is secure, federated data analysis: companies can run analytics and AI models over data without revealing the content of the data being analyzed.
Furthermore, with secure data linkage, PETs allow multiple organizations to collaborate on joint, decentralized analyses and investigations that bring together data held in different locations. Finally, with secure search, organizations can send queries to one another's databases without revealing the details of the query itself.
These capabilities let organizations realize the benefits of data sharing without taking on the added risk, while still adhering to data protection laws and regulations.
Security solutions are catching up with the need to make data as useless as possible to an intruder. Some tools obfuscate data by default, so that it remains unusable to an attacker and can only be revealed to an authorized manager in response to a security violation or alert. User data may then be unmasked at the case or analyst level, granting access to sensitive data on a need-to-know basis. Workflow combined with data masking and role-based access control (RBAC) keeps sensitive information private.
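The masking pattern described above, as an added example that is not part of the original article and not Gurucul's product code: identifiers are replaced at ingest with keyed, deterministic tokens so events still correlate per user, the token-to-raw mapping lives in a separate vault, and unmasking is granted only to a permitted role, for an open case, and only for entities attached to that case. The event fields, role names, case model and the embedded key are assumptions made for the example.

```python
"""Default-on masking of sensitive event fields, with unmasking gated by
role and scoped to an open case.

Added example for illustration: not Gurucul's product code and not code
from the original article. Event fields, roles, the case model and the
constructed key below are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed key for the example only; a real deployment keeps it in a KMS/HSM,
# never alongside the event store.
PSEUDONYM_KEY = b"example-key-not-for-production"
SENSITIVE_FIELDS = ("user", "email", "src_ip")
# Roles that may ever unmask; every other role only sees tokens.
UNMASK_ROLES = {"case_manager", "analyst"}


def pseudonymize(value: str) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so events
    still correlate per user, but the raw value cannot be recovered without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


@dataclass
class Case:
    case_id: str
    entities: set = field(default_factory=set)  # tokens this case is about
    status: str = "open"


class Vault:
    """Token -> raw value store, kept apart from the event store, with an audit trail."""

    def __init__(self):
        self._raw = {}
        self.audit = []

    def ingest(self, event: dict) -> dict:
        """Mask at ingest: the stored copy of the event never carries raw identifiers."""
        masked = dict(event)
        for f in SENSITIVE_FIELDS:
            if f in masked:
                tok = pseudonymize(masked[f])
                self._raw[tok] = masked[f]
                masked[f] = tok
        return masked

    def unmask(self, token: str, role: str, case: Case) -> str:
        """Reveal a raw value only for a permitted role, an open case and a token that
        is an entity of that case. Every attempt, granted or denied, is audited."""
        allowed = (role in UNMASK_ROLES and case.status == "open"
                   and token in case.entities and token in self._raw)
        self.audit.append((role, case.case_id, token, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{role} may not unmask {token} on {case.case_id}")
        return self._raw[token]


# Constructed sample events, as a SIEM might receive them.
RAW_EVENTS = [
    {"id": 1, "user": "alice", "email": "alice@example.com", "src_ip": "203.0.113.7", "action": "login"},
    {"id": 2, "user": "bob", "email": "bob@example.com", "src_ip": "198.51.100.9", "action": "login"},
    {"id": 3, "user": "alice", "email": "alice@example.com", "src_ip": "203.0.113.7", "action": "export"},
]


def demo():
    """Ingest masked, open a case from an alert on alice, unmask alice only."""
    vault = Vault()
    stored = [vault.ingest(e) for e in RAW_EVENTS]
    alice_tok = stored[2]["user"]          # the alert names alice's token, not alice
    case = Case("CASE-42", entities={alice_tok})
    revealed = vault.unmask(alice_tok, "analyst", case)
    try:
        vault.unmask(stored[1]["user"], "analyst", case)  # bob is not on this case
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    return stored, revealed, bob_blocked, vault.audit


if __name__ == "__main__":
    stored, revealed, bob_blocked, audit = demo()
    print(stored[0])
    print(revealed, bob_blocked)
    print(audit)
```

The deterministic token is what lets correlation and UEBA-style baselining run on masked data. The caveat is that the protection is only as good as the separation between the vault (and its key) and the event store: an attacker who reaches both has everything, so the vault should sit behind its own access control and its audit trail should feed the SIEM like any other privileged-access log.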
Guard Your Data with Behaviour Analytics
In light of the new UK regulations on data sharing, organizations need to be able to prove that once data reaches their servers, it will be stored and handled to the highest data protection standards. This includes implementing a zero-trust architecture that ensures only those who need to access the data are granted the privilege to do so. To go one step further, organizations can consider a user and entity behaviour analytics (UEBA) solution that alerts security and SOC analysts to outlier access. These tools can catch unauthorized access to a specific server and flag suspicious log-ins that might indicate an account has been hijacked. Based on behavioural indicators such as the time, location, type and scope of an activity or access, UEBA can help companies monitor that their data security policies are being complied with while protecting sensitive information from attackers.
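The kind of outlier detection described above, as an added example that is not part of the original article and not Gurucul's UEBA engine: a per-user baseline (countries, hosts, actions, active hours) is built from historical access logs, and each new event is scored on the four indicators named in the text, with "scope" measured as the number of distinct hosts the user touched inside a short window. The log format, weights, window and threshold are assumptions; the log lines are constructed for the example.

```python
"""Toy UEBA: build a per-user baseline from historical access logs, then score
new events on time, location, type and scope of access.

Added example for illustration; not Gurucul's UEBA engine and not code from the
original article. Log format, weights, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: "timestamp,user,country,host,action"
BASELINE_LOGS = """\
2022-03-01T09:05:00,alice,GB,fileserver01,read
2022-03-01T10:15:00,alice,GB,fileserver01,read
2022-03-02T08:50:00,alice,GB,crm-db,read
2022-03-03T11:20:00,alice,GB,fileserver01,write
2022-03-01T14:00:00,bob,GB,build01,read
2022-03-02T15:30:00,bob,IE,build01,read
2022-03-03T13:10:00,bob,GB,build01,write
"""

# Constructed new events: alice's account shows a night-time login from a new
# country followed by rapid exports from several databases.
NEW_LOGS = """\
2022-03-09T09:30:00,alice,GB,fileserver01,read
2022-03-10T03:12:00,alice,RU,fileserver01,read
2022-03-10T03:14:00,alice,RU,crm-db,export
2022-03-10T03:15:00,alice,RU,hr-db,export
2022-03-10T03:16:00,alice,RU,finance-db,export
2022-03-10T15:00:00,bob,IE,build01,read
"""

ALERT_THRESHOLD = 4      # assumed: score at or above this raises an alert
WINDOW_MINUTES = 10      # assumed: window for measuring scope of access


def parse(logs: str) -> list:
    events = []
    for line in logs.strip().splitlines():
        ts, user, country, host, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "host": host, "action": action})
    return events


def build_baseline(events: list) -> dict:
    """Per-user profile of what 'normal' looked like in the training period.
    Unknown users get an empty profile, so everything they do scores as new."""
    base = defaultdict(lambda: {"countries": set(), "hosts": set(),
                                "actions": set(), "hours": set()})
    for e in events:
        p = base[e["user"]]
        p["countries"].add(e["country"])
        p["hosts"].add(e["host"])
        p["actions"].add(e["action"])
        p["hours"].add(e["ts"].hour)
    return base


def score_event(e: dict, profile: dict, recent_hosts: set) -> tuple:
    """Weighted indicators: location, time, type and scope of access."""
    reasons = []
    if e["country"] not in profile["countries"]:
        reasons.append(("new country", 3))
    if e["ts"].hour not in profile["hours"]:
        reasons.append(("off-hours", 1))
    if e["host"] not in profile["hosts"]:
        reasons.append(("new host", 2))
    if e["action"] not in profile["actions"]:
        reasons.append(("new action", 2))
    if len(recent_hosts) >= 3:
        reasons.append(("broad scope", 2))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def detect(baseline_logs: str, new_logs: str,
           threshold: int = ALERT_THRESHOLD, window_minutes: int = WINDOW_MINUTES) -> list:
    """Return alerts for events whose score reaches the threshold."""
    baseline = build_baseline(parse(baseline_logs))
    recent = defaultdict(list)   # user -> [(ts, host)] inside the sliding window
    alerts = []
    for e in parse(new_logs):
        u = e["user"]
        cutoff = e["ts"] - timedelta(minutes=window_minutes)
        recent[u] = [(t, h) for t, h in recent[u] if t >= cutoff]
        recent[u].append((e["ts"], e["host"]))
        score, reasons = score_event(e, baseline[u], {h for _, h in recent[u]})
        if score >= threshold:
            alerts.append({"user": u, "ts": e["ts"].isoformat(), "host": e["host"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(BASELINE_LOGS, NEW_LOGS):
        print(a)
```

In the sample, the first night-time login from a new country already crosses the threshold on location and time alone, and the score climbs as the session fans out across databases the account never touched before. A real deployment would learn the baseline over weeks rather than three days and would also need the per-entity view (the hosts themselves), but the shape is the same: score against a learned profile, alert on outliers, and hand the alert to the case workflow that governs unmasking.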
Regulation Compliance with In-country Data Hosting
One of the issues for large enterprises and global organizations is how fragmented data-sharing and data-storage laws are. These laws vary from country to country, making it challenging to have a unified data policy that works for all international branches. A solution to this is in-country cloud data hosting, wherein companies specify geographic locations for cloud data storage. Global companies can then enact strict data-sharing policies for each country while still sharing the same underlying technology. It's essential to decouple security operations from data storage and management. Note that in-country hosting restricts where data sits, not who can reach it: remote access by staff in another country is itself a transfer and needs the same controls.
The news cycle might have moved on from the £4.3bn lost to fraudsters through the Covid loan scheme, but the inter-organizational problems that allowed this to happen in the first place remain to be solved.
The only way forward for organizations looking to close the loopholes created by inadequate or non-existent data sharing practices is to take the matter into their own hands and start a private framework to share intelligence securely.