Blog:

Technology alone is not enough

Published: 29 May 2024

In this blog, first published in Business Brief magazine's May 2024 edition, Deputy Bailiwick Data Protection Commissioner Rachel Masterton explains how human oversight still needs to be at the heart of technological advances.

A bold title for an article in a publication dedicated to all things tech? Let me explain.

No organisation wants to experience a breach and whilst it is more a case of ‘when’ you have a breach rather than ‘if’, there are things that can be done to lessen the likelihood, and contain the impact when that day comes.

Critical is a proper understanding of the personal data that powers your organisation, what you use, why and how. ‘That’s the way it’s always been’ is not an appropriate answer to any of those questions. If you don’t know what you are doing and why, how can you do it well?

Once you know what, why and how, you can think about risks and the necessary safeguards. Whilst you may look to external information security professionals to help, it is essential that you are involved in this process as you know your organisation best.

Any solution needs to be tailored to your circumstances in order to get the best out of it and you should be involved in that. There are no ‘one size fits all’ solutions and certainly no one thing that will remove risk entirely. It’s also not ‘one and done’. Breach preparedness is dynamic, as the threats are ever-changing.

A layered approach to breach prevention and preparedness is necessary to encompass all risks. Some of these layers will be technical: security patches, intrusion detection systems, multi-factor authentication for example.

But, to reflect on the title of this piece, technology alone is not enough.

Multi-factor authentication is great until a staff member, in a moment of distraction or confusion, clicks to say they are logging in when they are not.

An intrusion detection system is only as good as what happens when suspicious activity is flagged. If no one picks up the alert, it is rendered useless. And patching is only useful if the patches are applied in a timely manner.

So why do things go wrong? Bear with me while I talk about bees. 🐝

Bees are apparently excellent at keeping intruders out of their hives, fighting to the death to protect the valuable assets inside. However, if something gets into the hive, they assume it is supposed to be there and let it run amok.

And so with people. An over-reliance on tech alone to keep threats out can result in people not being on their guard when they get through. ‘Of course it’s ok to click on the link in the email. If it wasn’t, the systems would have stopped it, wouldn’t they!’

It is therefore imperative that organisations make sure those using their systems know the part they play in breach prevention, that they can spot threats and know what to do about them.

And that if something does go wrong they know who to tell so ongoing breaches can be stopped and appropriate action taken to safeguard the data and the people it is about.

Never believe it can’t happen to you. If your IT support says something is wrong, heed the warning. It may be the most important call you take.

Waiting till the worst happens, in the hope it never does, leaves your organisation open and unprepared. Supplement technology with good, well thought out processes and users that are alert to threats and skilled in appropriate responses.

IBM determined that where threats circumvent technological safeguards it takes on average 197 days to identify the breach and 69 days to contain it.

Making sure your teams spot problems early, or better yet, can avoid them altogether, puts your organisation in a great place to protect one of your most valuable assets – the data of your clients and staff – and to build the trust and confidence that can give your organisation a competitive advantage by embracing data protection.

Technology alone is not enough…