In this SearchCompliance.com Q&A, data privacy and security expert Ali Pabrai, CEO of ecfirst, offers pointers to CIOs, chief compliance and security officers on how to maintain a secure data environment, now that BYOD, big data and cloud computing have become standard operating procedure at many companies. One big heads-up? Think of 2014 as the year of encryption controls.
What best practices or policies can a CIO or compliance officer put in place to protect against possible regulatory violations related to bring your own device (BYOD), applications and services?
Ali Pabrai: First, CIOs must develop strong mobile device security frameworks and ensure that employee training is delivered to all members of the workforce. This includes training on scenarios related to the risk presented by BYOD devices accessing enterprise applications, servers and confidential client information.
Second, the organization must implement targeted and robust security controls to ensure data encryption capabilities are intact for the secure usage of such devices. Encryption is one of the most critical controls on which to focus as we head into 2014. Technology executives must implement encryption controls consistently across data at rest and data in motion (emails, texting, backup media, laptops, portable devices, etc.)
There also must be a focus on credible Mobile Device Management (MDM) solutions for the active and vibrant management and tracking of mobile devices.
In addition to encryption and MDM solutions, regularly scheduled risk assessments, with emphasis on mobile, BYOD and cloud computing components, are more vital than ever. Consistency and comprehensive execution are both crucial as well.
How about customer privacy? What are some of the best practices you've seen that allow a corporation to safeguard their customers' privacy?
Ali PabraiCEO Ecfirst
Pabrai: The most effective practices for maintaining data privacy happen when the corporation takes deliberate, definitive steps to ensure all personally identifiable information (PII) associated with customer data is protected in accordance with industry security standards. This personal health information is then openly communicated to enterprise clients and is required to be protected by all business associates.
Encryption is one of the most critical controls on which to focus as we head into 2014. Technology executives must implement encryption controls consistently across data at rest and data in motion (emails, texting, backup media, laptops, portable devices, etc.)
Big data offers companies the promise of making money by opening up new business models and answering new questions. What regulatory problems do you see arising as corporations collect and analyze big data?
Pabrai: One of the most critical issues in maintaining the security of all PII and ensuring data security -- specifically, if the data is being stored in a data warehouse or is being managed through a cloud service provider -- is that organizations develop and execute thorough business associate agreements with all vendor partners that comply with industry specific security regulations and standards.
I was talking to a CIO who said he believes the biggest threat to his organization is advanced persistent threats from countries such as China. What is the first step to take to defend against this threat?
Pabrai: The threat from China has been serious for quite some time. The security knowledge of thousands of persistent and patient hackers and information seekers is a significant worry for senior executives. One specific example can be found in documented information related to cyberattacks from Unit 61398 from Shanghai. One key question that every business must ask: Is it prepared for these types of attacks from Shanghai or elsewhere? From my experience, most are ill-prepared.
What's the rate-limiter with the China threat? Is the technology keeping up, or do CIOs have to take another route to protect against it?
Pabrai: Technology is keeping up. What is not keeping up is the understanding of the options that senior executives have. There is a serious deficiency to track and monitor proactively. Audit control implementation for a growing diversity of technologies and applications is more important than ever before. It is not lack of technology. It is the lack of application in managing the security technologies consistently that is a matter of concern.
Any other pointers for safeguarding company IP and data?
Pabrai: Companies need to ensure that a formal, thorough risk assessment is conducted at least once per year. Ensuring that a vulnerability assessment is conducted to assess firewalls/DMZ, internal servers/systems, wireless and external channels at least twice a year is crucial -- possibly quarterly if impacted by standards such as PCI DSS. Policies must then be actively managed and understood by all members of the workforce in addition to all business associates.
I have often heard that the rewards of the cloud, such as cost savings, or that the rewards of BYOD in terms of productivity outweigh the risks of using such services and devices, and the potential for data exposure, regulatory violations and security threats in general. What is your view on 'the rewards outweigh the risks' issue?
Pabrai: In my opinion, the force of this tsunami cannot be stopped. It is not a question of 'reward versus risk.' Enterprises will have to accept BYOD devices at one end of computing, and cloud computing at the other.
It is crucial that CIOs ensure vendor partners and cloud service providers are complying with specific regulatory mandates that pose a risk to their organization, and develop concrete business associate agreements [BAAs] to clearly show these are continually being met.
Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), Security+, is a highly sought-after information security and regulatory compliance expert and recognized industry speaker who has successfully delivered compliance and information security solutions expertise to organizations worldwide. For more information, please visit ecfirst.com.