Security at the heart of MANY project

As the Mobile Access North Yorkshire project heads to a live date, Safenetics – one of MANY’s project partners whose focus is on the Mission Critical use case – explains their wider work supporting all use cases to keep security at their heart.

Cybersecurity means a lot of different things to a lot of different people but in its basic terms it is about protecting data – information security. Protecting information means we can protect people and that is why security is important and why information should not be overlooked.

Information should be secret from anyone who has no business looking at it, it should be correct and it should be easy to access for anyone whose business relies on looking at it. This is what is known as the CIA triad: confidentiality, integrity and availability.

Within the MANY project, we use this model to ensure that our use cases are secure. Traditionally, we do this via risk assessments because it reduces your attack surface. Simply put, identify what you want to keep safe, make a reasonable guesstimate about what could go wrong, decide where your priorities lie and put safeguards in place.

For example, Safenetics works on the Mission Critical use case, which means we work with voluntary emergency responders. The team have limited budget so they cannot afford security specialists to ensure that every laptop is hacker-proof. Sometimes it feels as though security can ‘get in the way’; this usually happens when security does not take into account user needs. This is why the engagement MANY has done is integral.

Spending time seeing how teams operate ensures we have a much better idea of how to make their workflow more secure without it getting in the way. Deciding what is important helps the end users to think about what they spend their money and effort on protecting. For example, within the Mission Critical use case the team may have a volunteer list, which includes personal data. This is important so the team might choose to protect it in a few different ways.  The way Safenetics do this is in terms of people, process and technology (PPT):

  • The “people” security solution might be to make someone responsible for looking after the list (preferably a couple of people, to avoid what we in the business like to call the “hit by a bus” conundrum).
  • The “process” security solution might be to have a short “how to” guide showing how to update details. If members have to log into a web portal, this leaves a record of who accessed the list, when, and what for.
  • A “technology” security solution might be to disable the “download spreadsheet” function.

Usually, the answer to ‘what kind of security should I use’ is ‘it depends’. The use cases in MANY are all different and each has their own unique restrictions and requirements. Taking a PPT approach broadens the security horizon – and while each idea has its own strengths and limitations, the best security strategies combine all three.

At SafeNetics we focus on solutions for secure and trustworthy information exchange, which means we think about how information is stored, shared and used in different places. Data doesn’t care about how it gets somewhere – only that it gets there. Thinking in terms of “data flows” is helpful – information on the internet will travel through several different machines before it arrives on your screen. We work with other MANY partners, asking questions like “what information do we have?”, “where is it going?”, “who gets to look at it?”, and “what do we want to do with it?”. These can (and should) be revisited on a regular basis!

If we forget to think about where information is going, we put ourselves at higher risk of accidents (or, “non-malicious security events”) happening. These are often overlooked when security solutions are being built because thinking about hackers is more exciting (albeit far less likely). So, here are your takeaways – data is important, you can use CIA to think about securing it, and don’t forget your PPT (people, process and technology).

Security is complex, it can be subjective… but it’s pretty fun too!