Terry Pudwell, Chairman of Assuria, says that the legal requirement to become “forensically ready” will help Government Departments realise that the threat to data security often comes from inside their own walls
The backlash against Coalition plans to give MI6 and MI5 unprecedented “email snooping” powers starkly illustrates the fact that people simply do not trust the Government with their personal data. The old cliché “nothing to hide, nothing to fear” rings increasingly hollow when we see how frequently Government Departments lose, misuse and abuse sensitive information.
In 2011, over 300 police officers were caught illegally snooping on members of the public. Meanwhile, 132 Councils lost vital public information, with errors ranging from unlawfully accessing databases to sending emails over unsecured networks.
But these figures could be the tip of the iceberg; monitoring of internal systems is so poor that some organisations take months, and even years, to discover data breaches. One police officer was found to have made 658 illegal checks on family members before finally being caught.
It is clear that the failure of many Government bodies to properly monitor employee activity on internal systems means that our data is no longer safe in their hands.
Forensic Readiness: The New Legal Imperative
Stringent rules now make the collection, storage and analysis of employee activity a legal imperative for Government Departments. The ICO can impose £500,000 fines on organisations that fail to prevent data breaches.
The Cabinet Office’s Cross Government Actions; Minimum Mandatory Measures also places stringent requirements on public-sector organisations to institute a “Forensic Readiness Policy” to capture, preserve and analyse audit logs for legal and security purposes.
But, as CTOs know only too well, there is a difference between having a policy in place and ensuring that it is actually being followed.
The popular misconception about data security
The failure to enforce data-privacy policies and protect confidential data from irresponsible employees is rooted in popular misconceptions about data security.
Many organisations regard audit logs as useful only for FOI requests or court cases and take a reactive approach to forensic readiness; a recent survey found that 47% of respondents only analyse internal audit logs after a breach has already occurred.
Thanks to sensational stories about cyber-terrorists and “hacktivists”, many organisations wrongly believe that most data-security threats come from outside the organisation, so they focus on “perimeter defences” instead of internal data analysis. Yet a recent Ponemon Institute survey found that 78% of data breaches are caused by employees.
The CESG Good Practice Guide on Forensic Readiness (Good Practice Guide No. 18) details principles that organisations must observe as part of their adoption of forensic readiness. Key to this is a responsibility to “maintain the quality and effectiveness of their records management systems in order that specific business records can be produced as evidence in court or to address any legal or regulatory requirement”.
Failures in commonly-used log-management systems are shockingly common where integrity and forensic readiness are concerned. Some of the most common SIEM (Security Information and Event Management) solutions only collect specific risk “events”, instead of complete records of user activity, and do not store the information in its original format.
This means that many organisations have extremely limited visibility over their internal infrastructure and do not keep complete, verifiable records of user activity as required by law.
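One way to keep audit records both complete and verifiable, as an added illustration that is not code from Assuria or from any product the article refers to: each raw log line is stored unchanged and bound to the record before it with a hash, so a later edit, deletion or reordering is detectable. The sample lines and their layout are constructed for the example.

```python
import hashlib

# Constructed sample audit lines; the layout is an assumption for illustration.
# Each raw line is kept verbatim, which is what lets it be produced as evidence later.
SAMPLE_LINES = [
    "2012-04-10T09:12:03Z pnc01 lookup user=pc4412 subject=SMITH,J case=77812",
    "2012-04-10T09:14:10Z pnc01 lookup user=pc4412 subject=PUDWELL,T case=",
    "2012-04-10T09:16:11Z mail01 send user=clerk07 to=friend@example.org tls=no",
]

def _link(prev_hash, seq, raw):
    # Bind the sequence number, the previous hash and the unchanged raw line together.
    return hashlib.sha256(f"{prev_hash}|{seq}|{raw}".encode()).hexdigest()

def chain_records(lines, seed="genesis"):
    """Store each raw line together with the hash of the record before it (a hash chain)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    out = []
    for seq, raw in enumerate(lines):
        h = _link(prev, seq, raw)
        out.append({"seq": seq, "raw": raw, "prev": prev, "hash": h})
        prev = h
    return out

def verify_records(records, seed="genesis"):
    """Return (ok, seq_of_first_bad_record). Editing, deleting or reordering any
    record after the fact breaks the chain at that point."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for expected, rec in enumerate(records):
        if (rec["seq"] != expected or rec["prev"] != prev
                or rec["hash"] != _link(prev, expected, rec["raw"])):
            return False, rec["seq"]
        prev = rec["hash"]
    return True, None
```

In practice the chain head (or periodic checkpoints) would be written somewhere the log collector itself cannot alter, otherwise an insider with write access could simply rebuild the chain.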
An opportunity for a new approach
The latest legal requirements for “forensic readiness” provide an unprecedented opportunity for the UK Government to restore public trust in their handling of confidential data.
Many IT Departments fail to realise that audit logs are not just useful for court cases; they are a potential goldmine of information that can be used to pre-empt security threats. If organisations can capture and analyse log data in real-time, they can instantly identify dodgy employees and spot suspicious patterns of user behaviour or rule breaches, before they spiral out of control.
New forensic log-management and “protective monitoring” technology can securely gather complete, original logs from inside almost any system, server, network or device. Organisations can then automatically screen the information for anomalies and alert the relevant Departments in real-time, giving a live, 24-hour overview of their entire IT infrastructure.
Critically, new technology can distinguish between “data access events” (which have the potential to cause privacy breaches) and actual “security events”, allowing organisations to see when there has been a genuine security breach, as opposed to the mere risk that one may occur. This empowers Government Departments to spot rogue employees and stamp out bad practices at an early stage, and to respond to FOI requests and legal challenges with accurate and up-to-date information.
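The distinction described above, as an added example that is not code from the article or from Assuria: a small stateful screen over a live feed labels record lookups as “data-access” events (privacy-relevant but permitted) and escalates to a “security” event only when a rule is actually broken, such as one user repeatedly querying the same person with no case reference, or sending unencrypted email to an external address. The log layout, field names, threshold and internal mail domain are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit feed; the syslog-like layout and field names are assumptions.
SAMPLE_LOG = """\
2012-04-10T09:12:03Z pnc01 lookup user=pc4412 subject=SMITH,J case=77812
2012-04-10T09:14:10Z pnc01 lookup user=pc4412 subject=PUDWELL,T case=
2012-04-10T09:15:02Z pnc01 lookup user=pc4412 subject=PUDWELL,T case=
2012-04-10T09:15:40Z pnc01 lookup user=pc4412 subject=PUDWELL,T case=
2012-04-10T09:16:11Z mail01 send user=clerk07 to=friend@example.org tls=no
2012-04-10T09:16:30Z mail01 send user=clerk07 to=colleague@gov.example tls=yes
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<kv>.*)$")
REPEAT_LIMIT = 3  # same user, same person, no case reference: escalate at this count

def parse(line):
    # Fixed fields plus key=value pairs; returns None for anything that does not fit.
    m = LINE_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["fields"] = dict(p.split("=", 1) for p in rec.pop("kv").split() if "=" in p)
        return rec
    return None

class ProtectiveMonitor:
    """Stateful screen: each line gets ('data-access'|'security', reason, raw line) or None."""
    def __init__(self):
        self.unjustified = defaultdict(int)  # (user, subject) -> lookups with no case ref
    def screen(self, line):
        rec = parse(line)
        if rec is None:
            return ("security", "unparseable line", line)  # a gap in the record is itself a finding
        f = rec["fields"]
        if rec["action"] == "lookup":
            if f.get("case"):
                return ("data-access", "justified lookup", line)
            key = (f.get("user"), f.get("subject"))
            self.unjustified[key] += 1
            if self.unjustified[key] >= REPEAT_LIMIT:
                return ("security", f"{key[0]} queried {key[1]} "
                        f"{self.unjustified[key]}x with no case reference", line)
            return ("data-access", "lookup without case reference", line)
        if rec["action"] == "send" and f.get("tls") == "no" and not f.get("to", "").endswith("@gov.example"):
            return ("security", "unencrypted email to external address", line)
        return None

def screen_feed(lines):
    mon = ProtectiveMonitor()
    return [a for a in (mon.screen(l) for l in lines) if a]
```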
With the latest IT innovations, Government Departments can finally begin to end their reliance on employees to safeguard our right to privacy.