The prolific rise of the data economy has been met with a surge in reported data breaches, from both opportunistic cyber criminals exploiting vulnerable systems, and from cyber security researchers aiming to detect and expose these vulnerabilities so that they can be closed before they are exploited.
Security researchers recently reported a major data breach involving a potential leak of more than a million fingerprints, and other sensitive data, from thousands of companies worldwide. The techniques they used to uncover the vulnerabilities demonstrate that a best practice approach to information security management and a robust set of security procedures is crucial to help prevent similar incidents.
There are certain things to look in effective data security management. The avoidance of an ad-hoc approach to database security is essential. For example, we use the Centre for Internet Security’s hardened security benchmarks to ensure our systems are configured to a strong baseline. We also operate our databases entirely within our own infrastructure, allowing us to apply defence-in-depth principles (such as firewall configuration) to ensure that our databases are not accessible from outside the organisation.
Effective encryption of data is also critical. Raw, unhashed passwords should never be stored – proper methods to store and secure information should always be used. For example, at Biosite, we encrypt personal data at the application level, meaning that even if the database itself is accessed the personal data still cannot be read. This adds another layer to our “defence in depth” of the database.
Additional things to look out for include:
- Segregation of duties, with different teams responsible for development and deployment of operational systems
- A secure protocol for transmitting data between an online system and customer sites
- Use of auxiliary systems to monitor for suspicious activity
- A ‘single tenant’ philosophy for biometric data, meaning that each customer’s data is segregated. In the event of a breach, this means the impact is limited to the affected customer
- The avoidance of storing raw biometric data – instead data should be processed into ‘biometric templates’ and the raw data discarded
ISO27001 accreditation is also an important marker when it comes to information security management. As is establishing a culture of understanding and best practice internally, including providing every employee with access to annual training on personal data and information security best practices.
Ultimately, data management companies need to clearly understand their responsibilities when it comes to capturing and managing large volumes of valuable and sensitive information for customers. This is a completely valid expectation and only by creating a strong culture of good security practice can the ever-looming threat of data breaches be addressed.
Adam Bowen
Head of Software
