OPINION

CAREFUL SHARING

When data needs to be shared it's important not to go too far. James Howell of the Cyber Security Federation of Europe examines the challenge of preventing the oversharing of data.
NETWORK computing, NOVEMBER/DECEMBER 2017

We share information with customers, suppliers and partners every day, but sometimes we are asked for too much information, or are required to grant access to potentially sensitive data without considering the consequences. With the General Data Protection Regulation (GDPR) looming large, it is time to take a closer look at the data we are sharing and consider the measures that will ensure data compliance.

First you must determine whether your organisation is indemnified against data loss when that data is held by third parties. A contract may protect you from the financial liabilities of a security breach, but it doesn't protect you from a breach occurring in the first place. Before sharing any data it is recommended that you fully understand how the data will be used, its retention, and the measures taken to protect it.

With new suppliers it is often a requirement to share data before contractual agreements are established in order to protect the parties. When working with an existing trusted partner this may not be an issue, but if an organisation explores the market and is speaking to three or four vendors regarding a potential purchase, it is unlikely that they have anything more than a standard NDA in place.

A simple policy is to only share the minimum information required for the task in hand. If you are asked for information that you are not comfortable providing, then you must challenge that request and establish why it is needed.

While most companies will be fully compliant, there are considerable potential risks to be considered. It is thought that 39 per cent of employees who either quit or are asked to leave take confidential or sensitive business information with them upon their departure. For example, if you talk to a salesperson about cybersecurity you might well need to share information regarding network topology. If that salesperson then left their company your data could go with them, ending up outside of your control.

When working with a third party it may be necessary for them to access your systems. Their employees should be subject to the same or greater levels of security to access your data as your own employees, and they should only use your tools to do so.

Anonymising details such as your company name and contact details, and only sharing what is really necessary, should enable the third party to respond to the enquiry and minimise the risk.
The arrival of GDPR will bring the data we share into sharp focus, but policies will only be effective if they are observed across the entire organisation. If shadow IT has been allowed in the form of cloud applications such as Dropbox or Slack, then your compliance policies may be being breached every day, as staff share files and folders for legitimate business reasons but with scant regard to security.

When engaging with a new company, and before sharing information, you must make sure that you understand the minimum data required to complete the work, the details of how that data will be used and the specifics of its storage. Also make sure that you have a clear insight into the applicable data security policy and, of course, the data retention policy.
An organisation's data doesn't just exist within its walls, even if it does physically reside within its infrastructure. It is a clear and essential responsibility to know where and when the data is shared and to ensure that it remains under your control. This message needs to be enforced throughout the organisation. Maintaining control of shared data is not solely an IT function but the responsibility of each individual in the organisation.