Data Governance - more Sun Tzu than MMA
For the last 31 years, I have practiced Judo. It’s a wonderful martial art that has taught me a lot about myself, and about how to protect myself. For a number of those years, I ran a Judo club, and taught children and adults. At the end of each term, we used to have a 'fun' lesson, focussing on things other than the Gokyo and fighting techniques, like self-defence and other martial arts. Whilst the weapon sessions were always a favourite of the students (I mean, who doesn’t like playing with sword substitutes and learning the way of the samurai!), in the main, we focussed on self-defence.
When running those sessions, I’d regularly be asked questions like 'What’s the best way to protect myself? Should I be punching and kicking? Where should I aim for when I kick, nuts or head? Should I be grappling like in MMA?', and I'd always get a groan when I answered 'None of the above. Your best way to stay safe is to avoid the situation in the first place'.
At this point, I'd always then try and sound wise and knowledgeable (something that’s quite a feat if you know me), by busting some quotes from Sun Tzu's 'Art of War' or Kano's 'Mind over Muscle' to try and explain my viewpoint. My favourites were always (excuse the paraphrasing):
"The greatest victory is that which requires no battle."
"The supreme art of war is to subdue the enemy without fighting."
"Knowing the enemy enables you to take the offensive, knowing yourself enables you to stand on the defensive."
"Carefully observe oneself and one's situation, carefully observe others, and carefully observe one's environment."
"Seize the initiative in whatever you undertake."
So, as with all of my blogs, some of you are probably wondering 'why have I just had to read all of the above?'.
I believe these principles of self-defence are the same whether you are walking down the road or trying to maintain a strong level of security around your data and digital assets.
As our MD said in his previous blog, these things aren't the most sexy at times (taking the example of the end of term lessons, everyone would rather be learning to cut someone in half like a samurai than learning how to run in order to avoid confrontation), but they are the most successful ways to keep oneself safe!
So how does this apply to data protection in the era of GDPR? As David outlined, there are generally 4 ways in which a hack can occur:
A malicious external hack of internal, or “owned”, code infrastructure (in other words, a criminal hacks into an organisation’s systems, through firewalls and so forth, and steals data or inserts malicious code)
A malicious hack of external, 3rd party or cloud software infrastructure (someone hacks into a third party system which the organisation uses to gather or host data, and steals data or inserts code that way)
Hack of a legitimate login on one of the 3rd party systems (someone gains access to a legitimate user's password, and data is downloaded, redirected or stolen that way)
A disgruntled, or perhaps naïve, employee either deliberately or accidentally inserts malicious code
To counter these, we typically recommend a mixture of activities.
The first, and definitely one that fits 'Knowing yourself enables you to stand on the defensive', is to apply either a strong Content Security Policy (CSP) or a MarSec tool to your site. These tools prevent any script that is not from a whitelisted location (and sometimes particular scripts that are not whitelisted within a location) from running on your site, therefore providing a layer of security across all four points. 'Knowing yourself' is important here, as it means knowing which scripts should and should not run at any time.
A CSP is a very strong, but rigid, method of doing this. Typically, these can be very effective, but labour intensive from a Dev standpoint to maintain the ever-changing landscape of marketing tracking scripts and activities. This is where a MarSec tool, like the one provided by Ensighten, can be very useful as it can move the maintenance to a more distributed model (similar to the impact tag management solutions have had on the delivery of tracking tags).
The supreme art of war is to subdue the enemy without fighting
In the space of 'subduing without fighting', we point at strong and integrated governance processes being a key for data security. I know that some people have labelled this 'unsexy', but there is an amazing beauty to be seen with an effective governance model providing processes which prevent malicious code from ever making it onto a website.
You should have governance to cover:
Login management
3rd party data processing
Ensuring 'basis for legal processing' of new/amended data types
And a few others to ensure you are safe from an internal standpoint.
Carefully observe oneself and one's situation, carefully observe others, and carefully observe one's environment
The final step in keeping yourself safe is regular, holistic audits of the tags and cookies being fired across your website. An audit is a snapshot, out of date as soon as it has finished, so regular audits are needed to learn as quickly as possible when things have changed, reducing the period of time in which you are potentially non-compliant, and letting you monitor how effectively your internal governance and CSP/MarSec tools are managing your safety.
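A worked example of the two ideas above, the CSP allowlist and the repeated tag audit, added here to illustrate the post (it is not the original post's code, not Ensighten's product and not a browser's CSP engine; the site origin, the policies and the observed script URLs are all constructed). It parses the script-src directive, decides whether each observed script load would be allowed to run, and compares this audit's observations with the previous snapshot to report new hosts.

```python
"""Added illustration: minimal CSP script-src evaluator plus a snapshot audit.
Nonces, hashes and scheme-only sources are deliberately not modelled."""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example-shop.test"  # constructed origin of "our" site


def script_sources(csp):
    """Source list of script-src (falls back to default-src, as browsers do)."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src") or directives.get("default-src") or []


def host_matches(source, url):
    """One host-source expression: [scheme://]host, optionally with a *. prefix."""
    u = urlsplit(url)
    src = urlsplit(source if "://" in source else "https://" + source)
    if "://" in source and src.scheme != u.scheme:
        return False  # an explicit scheme in the source must match the URL's
    host = src.hostname or ""
    if host == "*":
        return True  # bare wildcard: any host, which is why '*' is a weak policy
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])  # *.cdn.test -> a.cdn.test
    return u.hostname == host


def allowed(csp, url):
    """Would the policy let this script run? "inline" stands for an inline block."""
    sources = script_sources(csp)
    if url == "inline":
        return "'unsafe-inline'" in sources
    for source in sources:
        if source == "'self'" and url.startswith(SITE_ORIGIN + "/"):
            return True
        if not source.startswith("'") and host_matches(source, url):
            return True
    return False  # nothing matched (also the result for 'none')


def audit(csp, baseline, current):
    """Report scripts the policy would block and hosts new since the last audit."""
    blocked = sorted(u for u in current if not allowed(csp, u))
    hosts = lambda urls: {urlsplit(u).hostname for u in urls if u != "inline"}
    return {"would_block": blocked, "new_hosts": sorted(hosts(current) - hosts(baseline))}
```

A policy such as `script-src * 'unsafe-inline'` lets an unknown tracker and inline scripts through, while `script-src 'self' https://tags.approved-vendor.test https://*.approved-cdn.test` blocks both; running the audit on each crawl shows when a new host has appeared.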
Seize the initiative in whatever you undertake
The key with all of these is to be proactive with any and all of the activities above (which is, obviously, something we can help with if needed) to maintain your ‘self-defence’ in the world of digital data. If you wait until you have been hacked, or until a gap occurs that invites an ‘attack’, you are already too late.