Research from the Information Commissioner’s Office (ICO) advises that businesses are waking up to their data protection responsibilities, so IT security professionals need to be aware of the dangers that their data – and in particular, unstructured data – now pose their organisations.
The ICO’s research shows that, while three quarters of businesses know that the (Data Protection Act) DPA requires them to keep their data secure, less than half believe that organisations process their data in a fair and proper manner.
This tells us that there is a significant gulf between what firms say they believe, and the reality. The reality, of course, is that few businesses have the access control processes or audit capabilities to prove that they are in complete control of their data, and are therefore risking a breach of the DPA.
The problem facing IT professionals is a potentially major one, as research has shown that 80 per cent of data in major organisations is unstructured, making the task of knowing who is doing what, when and where with that data all the more difficult.
And perhaps more importantly from the ICO’s perspective, proving that you know what is happening to your company’s unstructured data is also a lot more difficult—if there are few preventive or detective controls in place there is very little evidence to present.
As an example, evidence that a file share is controlled might include a record of the last time access was reviewed on that share, who reviewed it, what decisions they made, and who has accessed which files in the share since the review. Very few organisations have these controls in place today.
That’s not to say that the task of auditing and securing unstructured data is impossible, he adds, noting that unstructured data is information that either does not have a pre-defined data model and/or does not fit well into relational tables.
Unstructured information, like spreadsheets, presentations, and word processing documents are typically text heavy and often contain personal information. Unstructured data is less predictable that structured data stores (databases), where personal information is likely to be in a designated field. Databases also often have controls and auditing built-in, whereas the native controls on unstructured repositories are usually unavailable or consume too many resources to enable.
While I welcome the media exposure that the ICO’s latest research into data protection creates, I think it still raises more questions than it answers. People should also note that the ICO also has a vested interest in all of this, as it is still the gatekeeper for everyone’s data.
Companies and their IT staff need to wake up and smell the coffee. All data now has a value to someone, and some data has a much higher value than the rest. The real question for most organisations is what systems they have in place to audit their data accesses – and how these systems will be assessed and interpreted by the ICO in the event that a data breach does occur.