Confidentiality
One of the three principles of data security, this refers to how information should only be accessed by individuals with authorisation.
Availability
One of the three principles of data security, this refers to how information is available only to those who need to use it.
Integrity
One of the three principles of data security, this refers to how information should be maintained so it is correct, can be fit for purpose and updated.
CIA Triad
Confidentiality, Availability Integrity
Unauthorised access to data
Data that is seen by someone that does not have authorisation to access it.
They may want to access this information for a number of reasons:
- Espionage
- Gaining advantage over the data owner
- Accidental access (member of the public finds a discarded document with customers senstive details on them)
Impacts of unauthorised or unintended access to data
- Data Protection Act is often broken. One of the princples is that data is kept safe and protected.
- If the data is sensitive it may give a competitor an advantage
- Loss of customers as it may put customers off from using your company again.
Intentional tampering with data
Changing data in some way. There can be many reason for this:
- Student changing their grade on a teachers computer
- A company changing figures on a rival company’s research
Intentional Tampering with data - Impacts
- Any decisions that were made on that tampered data will be affected.
- Negative effect on the reputation of the organisation as they may be seen as having poor data security.
Intentional destruction of data
Motivated by desire to harm the organisation that holds the data. Examples could be:
- Installing malware onto a computer system to destroy data
- Deleting data on purpose
- Encrypting data so it is no longer accessable without the decryption key
Intentional Destruction of data - Impacts
When data is lost it may have many imapcts, as data will then need to be replaced causing:
- Loss of reputation and trust
- Costing Money
- Ignoring the lost data (future impacts may occur)
- Potential to be penalised for not complying with the data protection act.
Intellectual property
Anything that an organisation or individual has designed, developed or created themselves.
Losing Intellectual Property
This depends on the property itself and how easy it would be for the victim to recreate or recollect the data. Competitors that stole intellectual property could use it at their advantage. Also, the effect of an upcoming announcement to the public would decrease if it was leaked ahead of time.
Accidental loss of data
Loss of data itself, rather than a loss of a copy or version of the data.
Human Error:
- Someone deleting the file
- Someone throwing away paperwork
Technical Error:
- The equipment fails
- No backup of file
This would also mean that the Data protection act would be broken also
Loss of Service and Access
If usernames and passwords are stolen then individuals may be unable to access services that they have paid for, an example being if WiFi details were stolen so that a hacker can access the internet using someone else’s account. If a hacker is permitted access to a system they can change the account settings such as the password to lock out the original owners of that account, leaving them without access.
It may cause a delay in services being provided
Breach of Confidential Information
Confidential information is of a highly sensitive nature and could lead to other negative impacts if it got into the hands of unauthorised people.
This may in turn result in loss of customer faith, prosecution for not abiding by data protection laws.
Loss of Third Party Data
Many organisations will store data not only for their own purposes but for other individuals and businesses too; a key example being cloud storage providers. This means lots of businesses and individuals will be affected if data was put at risk.
Loss of Reputation
Organisations spend years to build up a reputation where customers trust them and want to use their products or services. Data loss can immediately destroy that reputation and cause once-loyal customers to look elsewhere and choose their competitors.
Failing to keep data safe means that an organisation has been unable to follow their legal and moral duty of keeping information secure and could lead to a loss of trade, resulting in reduced earnings and sales.
Identity Theft
If an individual’s personal information is stolen by attackers then one impact is identity theft - when the attacker uses the victim’s data for fraud or impersonation. Identity theft can lead to financial loss to the victim
if loans, products or services are purchased in their name. The victim may have to contact their bank and other organizations to cancel transactions and there is no guarantee their money will be returned. Credit checks may be affected, leading to future financial difficulty for the victim.
Threat to National Security
If data of a classified nature (such as military arrangements, security weak-points or upcoming government plans) is lost and falls into the hands (most probably by hacking) of those who intend to bring harm to the country then the consequences can be disastrous.
Risks:
- Unautherised Access to data
- Accidental loss of data
- Intentional Destruction of data
- Intentional tampering of data
Impacts
- Threat to National Security
- Identity Theft
- Loss of reputation
- Loss of third party data
- Breach of confidential information
- Loss of service and access
- Loss of intellectual property
Protection Measures
- Staff Responsibilities
- Disaster & Recovery Planning
- Assessment and Effectiveness
- Risk assessments
- Software/Hardware risk assessments
- Staff Training
- Security (Employing staff to protect data server rooms)
Physical Protection
- RFID & Tokens (ID Keycard)
- Shredding
- Locks
- Backup
- Biometrics
- Security Measures
Logical Protection
- Tiered Levels of Access
- Obfuscation
- Firewall
- Encryption
- Anti-Malware
- Username and Passwords
