Happy International Data Protection Day!
Held annually on 28 January, Data Protection Day began in Europe in 2007. Two years later, the US and Canada followed suit and launched Data Privacy Day. With the aim of raising awareness and promoting privacy and data protection best practices, the event is now observed by individuals and organisations across 50 countries worldwide.
We spoke to security experts who shared their top tips and advice for Data Protection Day; here is what they had to say:
Brian Chappell, director of Product Management, BeyondTrust
Success in data protection projects is predicated on a solid cybersecurity foundation and a structured approach to what is being protected — without a solid foundation, data controls will be open to abuse.
Not all data are equal, and some data will require more protection than other data. Try to keep the classification of data as high-level as possible with only a handful of labels — Highly Sensitive, Confidential, General, and Open. Having only a few ‘buckets’ makes it easier to achieve the actual task of protecting the data and enables organisations to avoid getting paralysed with the task of classifying data. Bringing data together into their respective classifications can also make initial protection much easier. Appropriate protection for each classification will go a long way in avoiding impacts to productivity. Highly Sensitive data should and will be harder to access than Confidential data, and that will be harder than General data (this is data where release has very low impact or that is actually due for public release in the mid to near term). Ensuring the protection is appropriate will reduce friction for day-to-day activities ― there will be fewer users reporting that the controls impact their ability to do their jobs, but sensitive data will be fully protected.
In parallel, closing the obvious gaps in areas like vulnerability management, privileged account and sessions management, privilege elevation and delegation management, and identity and access management will ensure that the common routes for malicious users to steal data are addressed before you look to control access for legitimate users. Of course, making sure that stakeholders are addressed and engaged throughout the process will help in delivering an efficient and effective data protection mechanism that meets, or hopefully, exceeds their needs and expectations.
Garreth Scott, managing director, Credence Security
Companies must be able to identify, combine and manage multiple sources of data. More importantly, business leaders must possess the muscle to transform the organisation so that the data and models yield better decisions.
It’s essential for organisations to have protection for wherever the data is located and integrated. Data travels across many platforms and devices from computers to mobile phones and from social media to the cloud. So, it’s important to provide protection on the endpoint, network, cloud, and for Windows, Mac, and Linux.
Enterprises are taking advantage of Big Data analytics to advance their businesses. But this also creates opportunities for cybercriminals. That’s why companies are increasingly securing their business and customer data with data-centric audit and protection (DCAP). Data-centric audit and protection is designed to protect business data without getting in the way of harnessing the analytical use of it. A good data-centric security model can enable businesses to safely use IT services and vendors; mitigate the risk of data breaches; comply with regulatory mandates; manage data including where it’s stored, when it’s shared and how it’s protected; and assess risks to data and prioritize investment in data protection.
Having a data-centric audit and protection is vital for modern enterprises that leverage Big Data to support business processes. By finding the right balance between adequately protecting the organisation’s data and supporting the use of data within the organisation, IT teams can create a more robust security posture without hindering productivity.
Alain Penel, regional vice president – Middle East, Fortinet
The challenge is that with today’s highly distributed network, data can be copied multiple times and distributed virtually anywhere. To meet data privacy and protection requirements in such environments, organisations need to implement security solutions that span the entire distributed network in order to centralise visibility and control.
To achieve this, organisations need to consider three essential factors. Firstly, security needs to span multi-cloud environments. IT and security leaders need to implement mechanisms that will allow them to keep track of every instance of data, especially as it moves into and across multiple applications and workflows. Furthermore, security tools need to natively integrate into cloud platforms in order to consistently segment the multi-cloud environment, and policies need to be translated on the fly to accommodate differences in cloud platforms as data moves.
The second factor they need to keep in mind is the importance of data loss prevention (DLP) tools. Tracking and managing PII requires the implementation of DLP technologies that can be applied inline as well as at the cloud API level.
Finally, they also need to keep in mind that compliance reporting requires centralised management. Compliance reporting needs to span the entire distributed infrastructure. As with other requirements, this also demands consistent integration throughout the cloud and with the on-premises security infrastructure.
Dr Aleksandar Valjarevic, Head of Solutions Architecture, Help AG
Organisations need to first understand their data to succeed in their data protection initiatives. They need to be aware of the different internal and external policies and regulations that apply to those data. Subsequently, data protection strategies should cover the three key components of the digital business, which are people, process and technology.
There needs to be a balance between implementing data protection measures and productivity. To achieve this, organisations should have a proper understanding of their risk exposure. They can do this by running security awareness campaigns, which can give them an idea of how adept people in the workplace are when it comes to data protection and privacy. They can also utilise technologies that offer adaptive response and analyse user behaviour to get a better gauge of the risk profile of different individuals within the organisation. In doing so, security leaders will get a better view of the level of protection that they need for their data and systems.
Rajesh Ganesan, vice president, ManageEngine
Data protection works completely only when every component in the infrastructure, including people, is prepared to handle it in every activity that happens in the business infrastructure. To make this efficient while remaining compliant with an important regulatory requirement, data protection must be built in right from the design stages of all services and operations. It should be present as a strong but invisible layer, neither hampering regular operations nor requiring big changes or specialised training.
The other aspect is imparting awareness about the importance of data protection. Business leaders need to educate people on the Dos and Don’ts in a way that is contextually integrated into their work, instead of doing periodic training sessions. This can be done by implementing the right hooks in the system that pop up and inform users about any violations of data protection policies their actions are causing. People learn well contextually this way, carry the lessons forward and make fewer mistakes, making them more productive. This is a strategy that data protection leaders must make sure to implement.
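Two of the experts above describe the same control from different angles: Penel names inline DLP for tracking PII, and Ganesan describes hooks that tell the user, at the moment of acting, which policy they are about to violate. The following is an added example, not code from Fortinet, ManageEngine or the original article, showing what such an inline check looks like: it finds e-mail addresses and payment card numbers (card candidates are confirmed with the Luhn checksum so order numbers are not flagged), decides allow/warn/block according to whether the recipient is internal, and returns the contextual message a mail or chat client would display. The internal domain `example.internal`, the sample messages and the recipients are all constructed; `4111 1111 1111 1111` is a widely published test card number.

```python
"""Inline DLP check with contextual user feedback (constructed example).

Scans an outbound message for PII, decides allow/warn/block based on where
it is going, and returns the message that a mail or chat client hook would
show the user at the moment of sending.
"""
import re
from dataclasses import dataclass, field

# Assumed corporate mail domain; anything else counts as external.
INTERNAL_DOMAINS = {"example.internal"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 19 digits, optionally separated by spaces or dashes; candidates are
# confirmed with the Luhn check below so order numbers are not flagged as cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers; ignores separators."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str   # "email" or "card"
    value: str
    start: int
    end: int


@dataclass
class Decision:
    action: str                 # "allow", "warn" or "block"
    findings: list = field(default_factory=list)
    message: str = ""           # what the user sees in the client


def find_pii(text: str) -> list:
    findings = [Finding("email", m.group(), m.start(), m.end())
                for m in EMAIL_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            findings.append(Finding("card", m.group(), m.start(), m.end()))
    return findings


def check_outbound(text: str, recipient: str) -> Decision:
    """Policy: card data never leaves the organisation by mail; other PII
    going anywhere gets a contextual prompt rather than a silent block."""
    findings = find_pii(text)
    if not findings:
        return Decision("allow")
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    kinds = sorted({f.kind for f in findings})
    if external and "card" in kinds:
        return Decision("block", findings,
                        f"Blocked: this message to {recipient} contains payment card "
                        "data. Use the approved payments portal instead.")
    return Decision("warn", findings,
                    f"This message to {recipient} contains {', '.join(kinds)} data. "
                    "Confirm the recipient needs it before sending.")


if __name__ == "__main__":
    # Constructed samples; 4111 1111 1111 1111 is a published test card number.
    for body, to in [("Card on file: 4111 1111 1111 1111", "ap@external-vendor.example"),
                     ("Customer contact: jane.doe@example.com", "ap@external-vendor.example"),
                     ("Order ref 4111 1111 1111 1112 shipped", "ap@external-vendor.example")]:
        d = check_outbound(body, to)
        print(d.action, "-", d.message or "no PII found")
```

The same `find_pii` function can sit behind a cloud API gateway (Penel's second enforcement point) with a different policy table; the value of the client-side hook is that the `message` reaches the user while the action is still theirs to change.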
Brian Pinnock, cyber resilience expert, Mimecast
The first misstep that IT and business leaders commit when it comes to protecting data is having inappropriate backups, or no backups at all. Many organisations believe that their data is safely backed up on either cloud drives or internal archives, but if these are not adequately secured they can be accidentally or maliciously erased, for example during a ransomware attack or through simple accidental deletion.
A key misstep is not doing a full audit. This leads to not knowing about all the data you actually have and where it is located. Another is trusting implicitly in the security of a cloud vendor without augmenting it with additional layers of security. This is known as a defence in depth approach and is a critical component of security and data governance best practice.
Another common error is assuming that encryption is all the protection you need. Encryption can help to ensure that unauthorised access to information is eliminated, but it does nothing to ensure the integrity or availability of the data. An example of this is organisations believing that encrypted data is secure from ransomware, whereas in reality criminals can simply encrypt your encrypted data, rendering it unusable.
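The two failure modes Pinnock describes, a backup the attacker can also reach and an encrypted file that ransomware simply encrypts again, are easy to reproduce. The following is an added example, not code from Mimecast or the original article. It pairs a deliberately simple stream cipher (a stand-in for a real cipher, not for production use) with an HMAC so the owner can tell the file has been altered, then shows that the integrity check only reports the damage, while a write-once backup store, standing in for an immutable or offline copy, is what actually restores the record. The key derivation, the key `owner-secret`, the backup name and the record contents are all constructed.

```python
"""Encryption protects confidentiality, not integrity or availability
(constructed example). A toy cipher plus HMAC shows what an integrity check
can and cannot do, and a write-once backup store shows what actually restores
the data after the encrypted file is encrypted again."""
import hashlib
import hmac
import os


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret (assumed KDF).
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block offset) blocks.
    Symmetric, so one function both encrypts and decrypts. Illustrative only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns a 32-byte HMAC-SHA256 tag followed by ciphertext."""
    enc_key, mac_key = _subkeys(key)
    ciphertext = _keystream_xor(enc_key, plaintext)
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest() + ciphertext


def unprotect(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the bytes were altered."""
    enc_key, mac_key = _subkeys(key)
    tag, ciphertext = blob[:32], blob[32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data altered or re-encrypted")
    return _keystream_xor(enc_key, ciphertext)


def ransomware_encrypt(blob: bytes) -> bytes:
    """The attacker never needs the owner's key: tag and ciphertext are just
    bytes to be encrypted again under a key only the attacker holds."""
    return _keystream_xor(os.urandom(32), blob)


class WriteOnceBackup:
    """Backup store that refuses overwrites and deletes, standing in for an
    immutable or offline copy that malware on the live host cannot reach."""

    def __init__(self):
        self._versions = {}

    def store(self, name: str, blob: bytes) -> None:
        if name in self._versions:
            raise PermissionError(f"{name} already exists; backups are write-once")
        self._versions[name] = bytes(blob)

    def restore(self, name: str) -> bytes:
        return self._versions[name]


def scenario(owner_key: bytes = b"owner-secret",
             record: bytes = b"customer 1041: invoice data") -> dict:
    """Encrypt a record, back it up, let ransomware hit the live copy, then see
    which control actually gets the data back."""
    live = protect(owner_key, record)
    backup = WriteOnceBackup()
    backup.store("records-2019-01-28", live)

    live = ransomware_encrypt(live)
    result = {"tamper_detected": False, "recovered_from_live": False,
              "backup_overwrite_refused": False, "recovered_from_backup": False}

    # Without an integrity check, decryption just silently yields garbage.
    enc_key, _ = _subkeys(owner_key)
    result["plain_decrypt_is_garbage"] = _keystream_xor(enc_key, live[32:]) != record

    # With the MAC we learn the file is damaged, which is all integrity buys us.
    try:
        unprotect(owner_key, live)
        result["recovered_from_live"] = True
    except ValueError:
        result["tamper_detected"] = True

    # Ransomware tries to overwrite the backup copy as well.
    try:
        backup.store("records-2019-01-28", live)
    except PermissionError:
        result["backup_overwrite_refused"] = True

    # Availability comes from the untouched copy, not from the cipher.
    result["recovered_from_backup"] = (
        unprotect(owner_key, backup.restore("records-2019-01-28")) == record)
    return result


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check}: {outcome}")
```

Running `scenario()` reports that the tamper was detected, that the live copy could not be recovered, that the overwrite of the backup was refused, and that the record came back from the backup. Take away the write-once rule and the last outcome flips, which is the gap Pinnock describes in the first paragraph above.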
Adenike Cosgrove, cybersecurity strategist, international, Proofpoint
Data Privacy Day provides an important opportunity for organisations to take a step back and consider whether they really are doing enough to keep their customers’ data secure in the face of today’s threats. While data protection regulations such as the EU GDPR have helped start conversations and forced organisations to think differently about how to keep data secure, this is just the starting point. Just because a business complies with a regulation, that does not necessarily mean it is doing everything it can to protect its customers’ personal data.
Regulatory compliance is often viewed as a check-box exercise and can be open to interpretation, so becoming compliant with regulations such as the GDPR should not be a primary driver of security. Compliance is an important step in the process as it can help an organisation discover critical gaps in its current security, but it should only be viewed as a starting point on the journey to true data protection and information security. Beyond the compliance check box, organisations need to implement industry best practices, understand their individual risk profile, and implement people-centric security strategies.
Ryan Trost, co-founder and CTO, ThreatQuotient
When it comes to ensuring the success of data protection strategies, the best advice that I can give to organisations is to periodically test your protection processes. Data protection typically comprises several layers, and each one needs to be periodically tested to ensure the workflows are documented, the technology is sound, and the protections continue to align with the original intent.
Furthermore, it is always a balancing act to find the right data protections without sacrificing productivity, and more importantly, within the allocated budget constraints. Data protection, like any other security approach, requires a solid foundation to build upon, a roadmap to incrementally stride towards and a list of milestones for the team to achieve. In most organisations, the security team is not directly tied to a revenue stream and is therefore scrutinised and has a ceiling compared to other departments. This requires the security team to constantly evaluate their objectives and measure themselves against quantitative milestones.
Matt Walmsley, EMEA Director, Vectra
Put people first and create and maintain a security-aware culture. Your employees are on the frontline of the guardianship of your data. Help educate and engage them about how to responsibly use and protect your data. Define policies and technical controls that underpin the way of working.
Data security and risk need to be considered throughout business planning and operational roll-outs, rather than as an afterthought.
Finally, recognise that you are never truly 100 percent secure. Adopt a healthy paranoia, have a practised and documented plan of action for if you do have a data breach, and put in place capabilities or contract services to help you spot insider threats and cyber-attacks before they have time to develop into damaging breaches.
Jasmit Sagoo, senior director, Head of Technology UK&I, Veritas
Data Protection Day serves as an important reminder that businesses are being held increasingly accountable by regulators and consumers for protecting data. It is a good opportunity for CIOs and Data Protection Officers to highlight the issue of data privacy to the board, or to implement internal activities such as employee training or phishing tests to ensure employees are continually educated about the vital role they play in protecting data.
IT leaders should also use the day as an opportunity to review their current data protection strategies. Software that can automate the protection and recovery of data everywhere it lives within an organisation, while ensuring 24/7 availability of business-critical applications, should be considered. Data Protection Day may be a one-day event, but it’s imperative to maintain good privacy practices year-round.