Most things that need to be done to ensure data security are relatively simple, according to Derrick Bates, information security officer, North Cumbria University Hospitals NHS Trust.
“The best way to make sense of all the security guidance from various information security bodies is to ask six key questions: who, what, where, when, how and why,” he told the SC Congress in London.
The “who” will identify the various stakeholders, “what” will identify the data that needs to be protected, “where” will identify the location of the data, “when” will identify vulnerable periods such as during upgrades, “how” will identify what needs to be done, and “why” will link data value to the business.
“Answering these six questions will provide 95% of what is required to make a business case for securing your network and provide greater clarity of thought on the topic,” said Bates.
While declaring bring your own device (BYOD) to be the “scariest thing to happen in IT security since the USB stick”, he said mobility is “brilliant” and should not be shied away from.
Instead, Bates said organizations could reap all the benefits offered by mobile data without the risk, as long as they ensure the appropriate controls are in place.
“It is always important to ensure basic controls are in place to protect the low-hanging fruit from compromise,” he said.
This approach, however, needs to be backed up and supported by an effective user security awareness training program, said Bates.
“In addition to the traditional chalk and talk approach, I use scenario-based sessions that are not aimed at teaching people, but rather changing the way they think.
“Effective security awareness training should be aimed at triggering automatic responses through understanding why certain behavior is risky,” he said.
Finally, Bates said it is important to ensure that all stakeholders understand risk as it applies to information security and not just the core business.
“Someone in the business may not understand the value of backing up information, but they will understand the concept of insurance for valuable items,” he said.
Bates said while the concept of clinical risk is well understood in the NHS, his security team had to design a completely different risk form for data risk and teach the business what it meant.
“Information security professionals in organizations need to ensure they are expressing themselves in a way the business can really understand,” he said.