Data protection needs good physical security

Data protection needs good physical security

Data protection is frequently in the news as organisations more become aware of just how important it is to their business. Unfortunately all too often data protection measures focus on the technical aspects, overlooking the basic need for good physical security controls.

Technical controls, such as encryption & access management are important for data protection but they need to build on good physical security.

Security is all about providing layers of protection. If you ignore or weaken one layer, you weaken everything. If you don’t protect your physical assets, you are’t providing proper data protection measures.

The multinational Coca-Cola recently discovered the importance of asset protection when it reported the compromise of 74,000 people’s data (as reported by Techworld):

Coca-Cola has admitted falling prey to bizarre slow-motion data breach in which an employee apparently stole dozens of laptops over several years containing the sensitive data of 74,000 people without anyone noticing.

According to the reporting, over a six year period, a former employee removed 55 laptops containing a mix of employee records. The data put at risk included information such as social security numbers and may have had significant market value.

An interesting twist here is: (from the same article)

The mystery of how the laptops disappeared is almost as strange as the fact that they later reappeared, allowing the breach to be characterised as temporary.

It seems the laptops were not being stolen for their resale value. This does raise the question about what the previous employee was looking to do with them.

Data protection – asset control

When we talk about temporary breaches on network assets, we normally mean that there hasn’t been time or evidence that a hacker got in and stole data. This gives some reassurance to the data subjects and helps narrow down process and policy failures.

In this example it may not be so reassuring.

The “missing” laptops were not encrypted. This means the whole time they were out of Coca-Cola’s control anyone could have extracted any of the personal data on them. It only takes a few minutes to copy thousands of files to USB so it would have been possible for every record here to have been copied thousands of times.

Importantly, the apparent total lack of any form of asset control here means it isn’t really possible for Coca-Cola to know how long they were missing. The available reporting indicates that if they hadn’t returned, no one would have even realised the breach took place.

Asset control is a pretty fundamental aspect of both good service management and good security. It is not just a “Physical Security” issue that IT teams can pass off to the site security teams, it is a fundamental requirement. If you don’t manage all your assets properly, all your other controls suffer.

ISO27002:2013 spells out the requirement for asset control in 8.1:

Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

It seems in this instance, the inventory either did not exist or it was not maintained. Without a well maintained asset list you can never be sure that other controls are working. In this case, if Coca-Cola had kept an inventory, it could have identified the lack of encryption.

Remember, data protection needs good security. Don’t miss out on vital steps. Asset control really is vital.