Shield private data from prying eyes
The global nature of business has made companies more vulnerable to data and identity theft, since the sharing of information with business partners and third parties has increased opportunities for loss, misuse or compromise.
Furthermore, many people want to access work files from the same mobile device they use to update their status on Facebook or Weibo, and to message their families and friends on WeChat or WhatsApp.
The portability and accessibility of information are crucial components of a collaborative, interconnected business world. However, the problem with sharing information is that it can get shared with the wrong people.
Whenever highly sensitive or regulated information is lost, misused or compromised, it falls under the banner of data and identity theft. Intellectual property, trade secrets, employee and customer data, payment card data and personally identifiable information such as birth dates, identification card numbers and addresses are all examples of sensitive or regulated information.
Data losses can be devastating. Besides potential fines and lawsuits, security breaches can have a long-term impact on a company's brand and reputation. Having strong data safeguards in place can help secure a company's reputation, competitiveness and financial well-being.
Portable data
The traditional view is that information is confined within a company and that securing your firewall and perimeter can provide all the necessary protection. That has changed.
Data are portable and can be easily transferred and replicated. Though data centers and servers can provide a higher level of information protection, mobile devices - such as laptops, tablet computers, smart phones, and plug-in drives - are less secure, and their prevalence increases the risk of theft.
Once data are distributed, all devices that access the data are potential breach points. Also, business partners who do not have adequate information-protection standards in place make data more vulnerable because your data often become their data.
According to PwC's 2013 Global State of Information Security Study - a worldwide survey of more than 9,300 IT and information security professionals conducted with CIO and CSO magazines - 76 percent of respondents stated that their organizations do not maintain an accurate inventory of where high-value data are stored. Only about 60 percent said that their company security policies address the protection, disclosure and destruction of data.
While survey results suggest that the majority of companies worldwide encrypt data in transmission, far fewer appear to encrypt data at rest in databases, laptops, file shares and removable and mobile media.
The nature of the crime makes it difficult to prosecute.
The anonymity in committing data and identity theft makes it attractive to thieves because it can be committed miles, even countries, away. All a criminal needs is access to a computer.
Many countries have enacted laws to protect personal data privacy. China is currently making significant progress in protecting personal data.
National standards
In 2012, the Ministry of Industry and Information Technology issued a set of draft national standards called "Information Security Technology - A Guide to Personal Data Protection."
The guideline sets out the requirements in the collection, processing, transmission and disposal of personal information. It is expected to be officially issued in early 2013.
On December 28, the Standing Committee of the National People's Congress passed the decision of draft rules to protect online personal information and is now awaiting top legislative approval. These rules cover the duties and obligations of Internet service providers to protect user data, the consequences for data privacy breaches and the prohibition of email and text message spam. The objective of all these initiatives is to protect the public interest.
The following are the possible actions that companies should consider in order to mitigate data and identity theft risks:
Identify and classify data according to sensitivity and risk. Know where it resides and flows;
Understand the threats that are specific to the company's data and the company itself;
Implement protection capabilities to safeguard the company's sensitive data end-to-end;
Test the company's protection capabilities. Monitor them continually and update them as necessary;
Plan for a controlled and coordinated response to incidents when they occur.
Having the right information-protection strategy can create advantages over competitors and minimize the financial, legal and reputational risks a company faces. More importantly, having confidence in information protection allows the company greater freedom in pushing the envelope of its business.
Copyright © 1999- Shanghai Daily. All rights reserved.