Cyber security and research data – do your protocols amount to postulations?
At the Weightmans’ Big Data event (11 November 2015), the panel discussion considered the threat to business from a cyber security breach. As you may expect, there was universal agreement on the critical importance of ‘fit for purpose’ policies and processes. Delegates confidently confirmed their business could mobilise a robust emergency plan in the event of a data breach.
There was, however, one scenario that organisations could only deal with after the event: confidential data stolen by an insider, someone who already has legitimate access to your systems. An effective response will depend on your ability to interrogate system user records, and on the speed of that response.
The importance of robust risk assessment and scenario planning around data security is obvious, particularly as the process of developing any plan takes TIME:
- To DEVISE the plan,
- To COLLABORATE with key personnel, and
- To IMPLEMENT it.
Contrast this with the challenge of formulating a response during the white heat of a suspected data security breach. This is harder still if an incident occurs outside the academic term and key personnel are off campus. Of course your IT systems will have built-in security features, but how prepared are you to respond in the event of an insider data breach?
Consider the following scenario: an anonymous e-mail disclosing confidential University research data is sent to your funder’s competitor.
Are your IP and IT protocols sufficiently robust to contain this or do you ‘cross your fingers’ and hope for a good outcome?
The e-mail is anonymous and sent from an untraceable e-mail account, so you are unable to identify the source. The security services have the ability to obtain identifying information from Internet Service Providers. As you may expect, this power is only used in defined exceptional circumstances, for example, a threat to national security.
The reality is that your reputation with the funder is at risk, and recovery will take significant investment in time and effort by your team. Damage limitation may be the best you can achieve. The prospect of this being successful depends on your ability to present a clear and swiftly executed response on behalf of the Institution.
To ensure your protocols are as effective as possible, prepare an emergency plan ahead of any incident or test your current plan. Consider the following:
Before the event – current protection – is it fit for purpose? Do the Protocols meet the risk?
Research contract clauses bind the University – does the University have the ability to meet its legal obligations? This all turns on what the University can actually do in the event of a breach.
Employment contracts contain confidentiality clauses – are these adequate for the role or are the terms ineffectual in practice?
Do your procurement processes and outsourcing arrangements have robust clauses to protect the University? Have you considered who is acting as the ‘data processor’ and who is the ‘data controller’, because there are important implications?
After the event – current protection – is it fit for purpose? Do Protocols meet the risk?
Are your senior team clear on who does what and when to contain the damage?
Some Action Points to consider:
- Check your IT User Guide – does it cover acceptable use and clear consequences for data breaches?
- Review your preparedness to conduct an IT audit (quickly) in the event of a breach, and find out how long it will take.
- Test your institution’s response protocol in the event of a potential incident.
- Is it clear who is responsible for the process?
- Who does what in the event of a suspected breach?
- Review your IP Policy for ownership rights.
- Research Quality Assurance – check it covers data security and responses to breaches.
- Review the Risk Register in light of your conclusions.