Can users do a good job of classifying unstructured data? Tim Upton, president of Titus, told the attendees at NISC in St Andrews, Scotland, that he believes they can. He cited figures indicating that most data breaches are due to mistakes rather than deliberate misuse or theft.
It should be noted that Titus provides software that allows users to do just that when they create an e-mail, document, presentation or other similar kinds of files. When they create the object the software will prompt them to classify it according to a predefined set of categories. These categories can match a multi-level security approach (unclassified, classified, secret, top secret) beloved by the military or a more informal classification like “Do not e-mail, blog or tweet”.
This software has been very popular with the public sector in the UK. This sector has become very sensitive to losing personal data following a widely publicized data loss by the UK tax authority HMRC. In 2007 the HMRC suffered what was then the largest single data loss, when the personal data of 25 million people was lost in the post. This has now been overtaken by Sony, which is reported to have had the personal data of around 100 million users compromised.
Would the Titus product have prevented these losses? Based on how these losses occurred it doesn’t seem very likely – but this doesn’t mean that it is a bad idea. The first step on the road to protecting data is to classify it; you can’t protect what you don’t know you have. Unstructured data is a real problem; while organizations will often take the trouble to classify application data, vast volumes of unstructured data circulate around the organization and some of that inevitably leaks out.
So – classification is the first step, but it is not the end of the road. Once you have classified data you need to put controls in place to prevent the data from being processed or shared inappropriately. Without these controls the classification is worthless. The Titus product adds the user’s classification into the metadata associated with the file and this can be used by other software such as DLP and network appliances to control movement of the file.
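As an added illustration, not code from Titus or from the original post, here is the kind of check a mail gateway or DLP hook could make from such a label. It assumes the user's label is stored under a "classification" metadata key, the level ordering shown, an internal domain of example.org, and a policy that only unclassified material may leave the organisation; all of these are constructed for the example.

```python
from dataclasses import dataclass

# Assumed ordering of the multi-level labels mentioned in the talk.
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top secret": 3}
# Assumed policy: only this level (or lower) may be sent to external recipients.
MAX_EXTERNAL_LEVEL = LEVELS["unclassified"]
# The informal label from the talk: forbids e-mail regardless of recipient.
NO_EMAIL_LABEL = "do not e-mail, blog or tweet"
INTERNAL_DOMAINS = {"example.org"}  # constructed


@dataclass
class Attachment:
    name: str
    metadata: dict  # assumed: user label stored under the "classification" key


@dataclass
class Decision:
    allowed: bool
    reason: str


def classification_of(att: Attachment):
    """Normalise the stored label; None means the file was never classified."""
    label = att.metadata.get("classification")
    if not isinstance(label, str) or not label.strip():
        return None
    return label.strip().lower()


def check_outbound(attachments, recipients) -> Decision:
    """Decide whether an e-mail with these attachments may go to these recipients."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    for att in attachments:
        label = classification_of(att)
        if label is None:
            # Unlabelled files are exactly the unstructured-data problem: hold them
            # until the user classifies them rather than guessing a level.
            return Decision(False, f"{att.name}: no classification label; classify before sending")
        if label == NO_EMAIL_LABEL:
            return Decision(False, f"{att.name}: label forbids sending by e-mail")
        if label not in LEVELS:
            return Decision(False, f"{att.name}: unknown label {label!r}")
        if external and LEVELS[label] > MAX_EXTERNAL_LEVEL:
            return Decision(False, f"{att.name}: {label} may not go to {', '.join(external)}")
    return Decision(True, "all attachments within policy")


if __name__ == "__main__":
    doc = Attachment("budget.docx", {"classification": "Secret"})  # constructed
    print(check_outbound([doc], ["partner@external.example"]))
```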
At another presentation Stewart Room, a partner with the legal firm Field Fisher Waterhouse, told the attendees how the legal framework around information security in the UK is changing. This change is being driven by public interest in the tide of data breaches being reported in the press. The new framework will oblige an organization to deliver reasonable security wherever it holds information, and “reasonable” will be defined against accepted standards. There will be a preference for transparency, i.e. if there is a data breach you should come clean. There will be more severe legal sanctions and penalties for breaches. Worryingly, Room predicts that in the future we could expect lawyers to set up specifically to litigate on behalf of people whose data has been breached, extracting damages from the organization responsible using the personal injury claim practice model (no win, no fee).
So what is reasonable security? Room explained that government and the courts normally look to the professions to define reasonable practice. Most professions are represented by a small number of bodies; however, in the UK there are over one hundred bodies involved with IT security. This will make it difficult to settle the definition of reasonable, and the risk is that a definition will be imposed on IT security practitioners.