Secure your bases to lower the risk of mistakes, misuse and malicious activity

24 October 2014


Author: Richard Mardling

‘So, what keeps you awake at night?’ was the innocent question to a CEO recently.

Without seeming to think about this for very long ‘Cyber security!’ was the answer.

This is a broad subject, so the next question was ‘What do you mean by Cyber Security?’

‘Oh, that’s easy, how do I protect my data. It’s the core of our business and to lose it would damage our reputation, hurt the bottom line and affect the lives of our customers’.

Organisations have spent a lot of time and energy securing their applications without truly considering the protective measures needed to protect the data itself. There have been a number of recent examples where attackers have gone straight for the data rather than going via the application. One of the key failings in those cases was that Personally Identifiable Information was stolen because it was stored and presented in the clear. The cost, though, of defeating the most determined attacker may be prohibitive. An alternative is to negate the value of the data to the attacker, and therefore the impact upon the victims.

It’s not only PII data that can leak out of an organisation. If we consider data as a whole, then it can potentially be divulged through any one of the 3 Ms:

Mistakes – accidental and unauthorised disclosures,

Misuse – privilege abuse and curiosity,

Malicious – social engineering and data theft

And of course one can lead to another. A common mistake is to use a copy of live data in a test environment without sufficiently anonymising the personally identifiable information. The controls in the test environment aren’t as strict as live ones and more people have access to the data. Curiosity concerning some elements of the data becomes too much for one person... At the same time the organisation has an Internet facing business that generates significant revenues. Theft of this data would harm them in a number of ways.

With the new EU Data Protection Regulation on the horizon, compromise through any of the 3 Ms will be tolerated less. Minimising the risk associated with the 3 Ms is about determining and implementing the right blend of policy, controls and technology. Easy to say, but it needs to be well thought through and appropriate for you. We can help you assess where you are, where you want to be and how you can get there. Bringing a wealth of expertise from legal, to cultural, through to policy and controls definition and finally to technology, here at PwC we’re here to help you sleep at night.


The diagram has been adapted from a Kuppinger Cole presentation of 2013.