Security is a big issue when it comes to big data. "Since big data pools all your data in one place, hackers only need to hack one place to get the data they need," said Chew. As exemplified by the NSA-Snowden case, internal threats can inflict the same degree of damage to an organisation as external threats. To prevent data leaks by insiders, enterprises should implement access control and least privilege to provide a clear indication of what type of information can be accessed by different employees, he said.
As big data may deal with sensitive and personal information, enterprises need to ensure that they do not infringe any laws and regulations when storing or using that information. "For example, businesses in Singapore that collect personal data of private individuals without their explicit consent may be fined up to S$1 million (US$800,000), as per the republic's Personal Data Protection Act," said Chew. As certain countries might also have laws that specify the duration for which enterprises can retain their customers' personal information, organisations need to be able to purge the unwanted data from their big data system.
Chew ended his presentation with some words of advice: "When working on a big data project, think of the entire lifecycle. Think about the type of data you need to collect, if you can anonymise the data, how you will store, process and protect the data, as well as if you are violating any laws."
Panel Discussion: How NOT to be the Next Target
Just before the end of the summit, Gerry Chng from Ernst & Young Advisory (Singapore) and Lee Han Ther from British American Tobacco were invited back to the stage for a panel discussion.
The importance of having policies driven by senior leaders to ensure the security of an enterprise was one of the topics discussed in the session. With reference to the recent Mt. Gox incident, which saw hackers stealing an estimated US$490 million worth of Bitcoins, Chng opined that the incident was the result of both technical and policy issues. He came to this conclusion based on news reports stating that even though a fundamental flaw in the Bitcoin software had been made known to the Bitcoin developers since 2011, there seemed to be no effort from Mt. Gox to fix the flaw. Hence, if Mt. Gox had had a security policy that was supported and driven by its top management, the Bitcoin developers might have fixed the flaw before hackers exploited it, thereby preventing the incident.
Besides having policies driven by top management, larger organisations should have a risk management committee, said Lee. Consisting of senior leaders from the respective business functions such as legal, human resources and IT, this committee should meet on a regular basis to discuss the risks that their departments are exposed to. "By combining these inputs with policies from top management, the compliance security audit should then derive the next course of actions which will be targeted towards maintaining the organisation's risks," said Lee.