Self-Service BI Governance and Security Risks

Although self-service BI solutions have come a long way and add tremendous value in daily decision making, many offerings still have significant governance, data security, and privacy gaps. Organizations do need to be aware of what to look for when selecting or implementing self-service analytics solutions. Vendors usually skim over those topics and likely won’t proactively identify issues for you during the sales cycle.

Minimally you should include your information security officer or enterprise architect in self-service reporting solution reviews. If your chosen platform does not have adequate controls, you will want to cover those holes with people, processes, or related technologies.

Self-Service BI Governance

To help you understand governance basics for self-service BI, I recently wrote a brief white paper for Pyramid Analytics that includes the following topics.

  • Key Self-Service BI Governance Capabilities
  • Top 10 Success Factor Features
  • Self-Service Governance Framework
  • Self-Service BI Technical Implementation Checklist

You can freely download that white paper and use it as a starting point for approaching self-service BI governance in your organization. Governance will be customized based on your environment, solutions and culture. Effective governance requires structuring appropriate processes, version control and approval workflows.

Notably, governance is not a one-time project. It is ongoing. It also requires collaboration between IT and the business. Over time, governance should become transparent as part of the shift to a data-driven culture.

For data and privacy guidelines, I highly encourage you to gather that information from cloud or database vendors that usually provide detailed literature on those security topics.

Trust but Verify Self-Service BI Security

At one of the industry conferences that I recently attended, a director of analytics from a Global 2000 retailer shared how his security team identified deal-breaker data exposure holes while testing one of the less mature, top self-service BI offerings in the market today. His security team's findings surprised me at first, but after more thought I do understand how easily they can be overlooked when buying these solutions.

Security is a deeper level technical topic. Most business users would not understand the security protocol terminology or what to look for in a solution review. Security is not a “sizzle” feature that will get a lot of votes to prioritize. I suspect solid security is usually assumed and/or expected by users that buy self-service BI today with the swipe of a credit card.

Don’t assume your self-service BI solution has sufficient governance or data security controls…verify it.


Data Security is Serious Business

When enabling and managing self-empowered reporting, sound security is no accident. Companies that consider security from the start assess options and make reasonable choices based on the nature of their business and the sensitivity of information. Threats to data may transform over time but the fundamentals remain constant.

Data security should be a high priority for everyone, before and after self-service BI implementations, to ensure these powerful tools are being used properly. Data security refers to protective digital privacy measures that are applied to prevent unauthorized access. Data security also protects data from corruption or leaks.

For organizations in highly regulated industries—financial services, pharmaceutical or biotechnology, and energy—effective data management solutions for supporting legal and regulatory compliance, mitigating risk, and improving efficiency as well as cost control are simply not negotiable.

Most Common Incidents

Verizon’s 2016 Data Breach Investigations Report reveals the top incident areas by industry each year. This year over 100,000 incidents, including 3,141 confirmed data breaches, were reviewed.

Figure: Data Breach Incidents (Source: Verizon 2016 Data Breach Report)

Privilege misuse and human error are frequent causes of security incidents.

Internal privilege misuse and human errors are top data security incident causes that often happen due to convenience rather than intent.

Figure: Most Common Incidents (Source: Verizon 2016 Data Breach Report)

Many misuse breaches are not done with malicious intent, but rather for a convenience factor. One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather it is the action or inaction by employees and other personnel that can lead to security incidents.

Figure: Insider Threat (Source: Verizon 2016 Data Breach Report)

Actions of insiders are among the most difficult and slowest to detect. The discovery timeline illustrates this point: the majority of incidents take months or longer to discover. Make sure that you know exactly where your data is located, and be careful with privileges.

Figure: Time to Detect (Source: Verizon 2016 Data Breach Report)

Misdelivery, publishing and disposal of data or reports are common data breach human errors.

When errors lead to data spills, it is commonly the external parties or customers affected by the mistake who find out. One or more recipients of incorrectly sent private information reach out to the organization to notify them.

Figure: Who Found the Issue (Source: Verizon 2016 Data Breach Report)

Periodic random audits might be a good idea to start doing if you don’t do them today. I suspect most self-service BI solutions are rolled out and then left to the non-technical users to manage themselves. Sometimes you can’t immediately fix a vulnerability, whether because of a business process, a missing patch, or application incompatibilities. At that point you may have to live with residual vulnerabilities. It’s important to realize that mitigation is often just as useful as remediation. Sometimes mitigation is your only option.

Key Data Security Principles

If you are responsible for self-service BI administration, I highly recommend learning more about self-service BI governance controls, data security, and data privacy. The little white paper that I wrote merely scratches the surface on the self-service BI governance topic. It does not detail data security or data privacy.

If you don’t know much about these topics and don’t have an internal data security expert, consider getting outside help from a security consultant. I am not an expert in security…I would look for guidance on security if it were my project.

Security is simply one of those areas not to ignore.

According to the FTC, a sound data security plan is built on five key principles:

  1. TAKE STOCK. Know what data you have and where it resides.
  2. SCALE DOWN. Keep only what you need for your business.
  3. LOCK IT. Protect the information that you keep.
  4. PITCH IT. Properly dispose of what you no longer need.
  5. PLAN AHEAD. Create a plan to respond to security incidents.

Top 10 Vulnerability Lessons and Practical Guidelines

The FTC has also shared 10 vulnerability lessons that could affect your company, along with practical guidance on how to reduce related risks.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities.
  10. Secure paper, physical media, and devices.

Additional Resources

If you want to learn more about the top data security breaches, check out the complete Verizon 2016 Data Breach Investigations Report or the online, interactive VERIS Community Database.

Figure: Incidents Database Online (Source: VERIS Community Database Online)

To jump start your data security and data privacy knowledge, review the FTC Start with Security: A Guide for Business, PCI Security Standards and HIPAA Compliance Checklist. If you know of other resources, please send them my way.

Also check with your information security team and database administrators. Usually organizations already have data security and privacy policies, guidelines and rules hidden away and forgotten about in digital employee handbooks or company intranets.