Freely subscribe to our NEWSLETTER

© Diego Cervo

“Management need an independent way to audit what their IT departments are doing and if issues are being dealt with. Previous data breaches have been found to be persistent attacks and that indicates that the IT department has not responded to the threat.

According to Tankard there are three critical areas that need control. These are:

1. Users who need access to data in order to do their job. This group should be controlled by the auditing of what they do, limiting the number of records they can access and watching, and stopping, for any unusual activity such as the copying large numbers of records.

2. Those employees who should have no access at all to data. Such groups should be controlled by encrypting the data and never giving access to the keys.

3. Administrators, who are often in the ‘rouge’ group. Data administrators often have ‘God like’ access to everything and are able to hide their movements. Control of their data access is a solution but, more importantly, limiting what they can actually read is key. Often administrators need to manage data, for example doing back-ups, but there is no reason for them to read it. By linking encryption with access rights movement of data is enabled but no one is able to read it. If the Barclays data had been robustly encrypted, even though it had been downloaded to a USB stick, the data would be useless, as it could not be read.

Adds Tankard, “senior management must take independent control of who is allowed to access data. It cannot be left solely to the IT Department. For too long now data security has been pushed to the bottom of the agenda. High profile losses like this at Barclays will, hopefully, serve to ensure it is moved to the top where it belongs.’