10 questions about: Data Protection (2012)
1. Data protection is a broad subject. In particular, companies must keep up-to-date in this regard. What is the current state of play? What different areas fall under the topic of data protection and which are particularly important?
Basically, all processes in which personal data, such as employee, customer and payment details, are processed fall under data protection. This data must be protected against attack from third parties by the user company. At present, it can be noted that electronic data processing is continuing to expand and it is being applied to more and more new devices. Thus, for instance, data processing on mobile devices continues to grow. Another example is data processing and transmission of personal data via intelligent energy meters, the so-called Smart Meters.
2. In 2011, there were numerous data protection scandals. Will this happen again in 2012?
This is entirely possible. Companies have gradually realised that the subject of data protection and information security is increasingly gaining importance; however, this is still not the case all the time in day-to-day working life. An example of this is that the majority of hacker attacks are caused by the company’s own workforce. This shows that when it comes to raising awareness, there is still a significant need to catch up. This is compounded by the fact that the methods of fraud are constantly changing and adapting to new circumstances.
3. In what way? What direction are current methods of fraud taking?
The methods of fraud are constantly changing. One particular dynamic is notable in the field of social engineering. This includes systematic spying on selected individuals in order to access the desired data by exploiting the human virtues of curiosity, anxiety or authoritativeness. A classic example of such an approach is a call by an alleged service technician in a company who requires internal passwords in order to be able to maintain the system. An alarmingly large number of employees carelessly reveal these and thus pave the way for the hacker to obtain sensitive data. Whilst over the last few years social engineering activities were frequently transacted via email or telephone, today these have, for the most part, shifted towards social networks as the likelihood of obtaining personal data there is very high.
4. What has caused the number and extent of the data protection attacks to have risen so sharply in recent years?
The motives of hackers and identity thieves have changed considerably over the last few years. Initially, the Internet was considered the place to make one’s mark due to technical know-how. Today, however, monetary benefits are the goal of most attacks: ranging from the selling of mailing lists to classic fraud. Loss of reputation, personal consequences and direct financial losses are some of the consequences that victims suffer. In view of the fact that Internet traffic is constantly increasing (according to the most recent ARD/ZDF Online study 2011, 73.3% of the German population are online), an attractive business model is emerging for hackers.
At the same time, so-called hacktivists are on the increase. They hack into computer systems in order to point out data protection defects to authorities and companies. Then, they publish their strategy or the data captured during the attack. These groups do not normally pursue monetary goals.
5. Social media is omnipresent today for many companies in terms of their marketing strategy. Which trends and threats stand out for employees and employers in this regard?
Not only are companies increasingly using social networks; private users, in particular, have also extended their use considerably over the last few years. This is particularly true for young people for whom Facebook and co. have long since been an integral part of their daily lives. The greatest risk is that too much information is being revealed both privately and in the workplace. Thus, in the main, social engineering (see question 3) is being fuelled. If an employee thoughtlessly publishes information on projects, clients etc., then the hacker can simply collect all this information and, by falsely using the employee's identity, can interact with clients or members of the public and cause serious damage.
6. The Apps market for smartphones and tablet PCs is continuously growing. What will happen in the area of mobile information security in 2012?
Data protection on mobile devices has clearly emerged as a trend-topic in 2011. On the one hand, this is due to the fact that the number of users has continuously grown. In contrast, however, the dissemination of anti-virus programmes and security software is lagging behind. Thus, it is particularly attractive for hackers to target mobile devices and access sensitive data.
7. In connection with smartphones and tablets, the “Bring your own device” (BYOD) idea is now an important business topic – employees use their own private mobile device for working (and vice versa). How should companies protect themselves in this regard?
Bring your own device is both a blessing and a curse. On the one hand, there is an increased potential for greater productivity which comes from the use of private devices, but on the other hand, it can also rapidly bring with it conflicts of interest. This is particularly true if business-critical data needs to be protected. From a company perspective, it might be necessary to deactivate critical functions or applications on the devices; however, at the same time this can lead to personal limitations which the employee won’t put up with on his own private device.
8. “Smart Life” – the all-encompassing digital life – from "Smart Metering” to “Smart Cities” – is being applied more and more. What will we have to watch out for in the future?
There is a great deal going on in this area. From electronic ID cards to intelligent energy meters or fridges which log the user’s precise behaviour, there are numerous developments in progress. Data protection must therefore play a central role; however, to a certain degree, it stands in the way of the principle of the greatest possible networking. It remains to be seen how much data protection is necessary in the end and how much is actually desired by the user. In general, the individual should endeavour to keep control of where and to what extent he or she reveals personal data and how this is processed.
9. Cloud computing is gradually coming of age. Are companies safe in the cloud?
Security in the cloud is a particularly important subject. Here, there are some critical issues which need to be borne in mind when choosing a supplier. Thus, it is important, for instance, where the server on which the data is stored is physically located. In terms of data protection, the legal regulations of the country where the server is located apply.
The choice should be made by a reliable partner who adheres to high security standards. Thus, together with the world’s leading cloud computing provider, IMC now offers SaaS solutions via the Microsoft Azure platform and therefore works in such a way as to not compromise data security.
10. How does IMC support companies to optimally set themselves up when it comes to data protection?
We specialise in the area of employee awareness. In our e-learning course on “data protection and information security”, we cover 14 different topics from the data protection field, such as social engineering or responsible handling of mobile devices or social networks. The topics are divided into separate modules, each lasting approximately 15 minutes, which can be learnt and purchased independently from each other. The course is aimed at private individuals and companies from any industry of any size and can be integrated directly into a learning platform or into the company's internal Intranet. This course is also a component of our Blended Learning Concepts, which represent a combination of e-learning and classroom learning.