(BR studio Debate) Big data age, each company holding confidential customer data should duty of care

By David Emm, Senior Security Researcher, Global Research and Analysis, Kaspersky Lab
- Never underestimate the value of your organisations data to a hacker; implement regular audits of your data and systems
- Conduct risk assessments to identify potential security gaps and put effective policies in place to minimise these threats
- Create a “defence in-depth” strategy; security is no longer just about protecting the virtual perimeter of your business
Big data has been a big buzzword for the last five years as banks, marketers and insurers have harnessed the opportunity to use data to provide a relevant and accurate customer experience. However analysing data to inform decision making is not new in the business world as traditional mainframe technology provided big businesses with the ability to crunch large amounts of data. The proliferation of IT has meant big data has simply got bigger and businesses now realise the commercial value of storing and analysing data; insurance agencies are buying credit card records, marketers are watching online shopping behaviours, Google is even using big data to fight malaria in Africa.
As big data has taken flight it has demonstrated some of the risks indicating that cyber-resilience is extremely important. A large-scale leak may lead to tremendous reputational damages as customers’ personal data is disclosed and, in turn, financial loss is sustained. Hardly a week goes by without a story of an organisation that has had its data security compromised. Recent examples include Carphone Warehouse, British Airways and The Hacking Team. Each of these situations has demonstrated the differing motivations behind such incidents, from a desire to uncover commercial information and IP, to inflicting financial loss, to simply demonstrating that a company’s security infrastructure could be stronger.
Every company holding confidential customer data should have a duty of care and should secure that data appropriately. This means hashing and salting the passwords of customers who have an online account with the company, and encrypting other customer data that they hold. Other data held on the customer should be stored securely, i.e. encrypted. This way, if the provider’s site is breached, the attackers don’t get access to customer data.
For businesses in the big data age, here are some important considerations:
1. First, an organisation should do a data audit to assess what valuable information they have that might be hacked, and how and where that is stored in the organisation. One of the easiest traps organisations fall into is believing they have no data of value to anyone.
2. Secondly, businesses should assess how an attacker might get hold of this data, and then implement the appropriate solution to mitigate these risks.
3. Thirdly, businesses should create a “defence in-depth” strategy as security is no longer just about protecting the virtual perimeter of your business, it is just as important that staff understand the risks and have a security mind-set.
Scuderia Ferrari use Kaspersky Lab to secure their big data and has noted that secure data collection, storage and analysis is relevant for off track for IT purposes, but more increasingly for on track ensure extreme confidentiality of live race data.