Whose responsibility is it?
These days it can be tricky to work out which data is the most valuable, and therefore the most important to protect. After all, isn’t all data important? As Sascha Giese, Head Geek at SolarWinds, comments, when it comes to data being exploited, “What’s interesting is how there’s been a change in value in credit card information, for example, which is lower, compared to personal information and identities, which has become more valuable to cybercriminals. U.K. government IT professionals are entrusted with keeping citizens’ personal data secure, so organisations must implement, and then adhere to, strict security policies. The key point organisations should take into 2020 is it’s everyone’s responsibility to keep data safe.”
So, Giese’s advice is: “While technology is of course the most solid defence against security threats, senior public sector IT professionals should also consider how leading by example, training their teams, and ensuring policies are updated regularly can make a huge impact on how well their organisation prevents any security headaches.”
This idea of data protection being the whole company’s responsibility is something that Agata Nowakowska, AVP at Skillsoft, agrees with. Nowakowska says, "Mobile platforms, Big Data and cloud-based architectures are creating significant challenges for data protection, but no challenge is higher up the corporate agenda than IT security. Even the most careful organisation is vulnerable. A smartphone or laptop inadvertently left on a train, or a well-intentioned lending of access privileges to an unauthorised user can have far-reaching consequences.
“Security is the number one IT priority in nearly every business sector today, but the scarcity of security-savvy IT experts means many companies can no longer rely on hiring their way to a robust solution. Fortunately, there are a wealth of sophisticated education and training strategies now available that allow organisations to reward and retain employees whilst simultaneously improving corporate security from within. From expert-led instruction to continuous hands-on experiential learning, organisations are putting in place complete frameworks for training and certification that can tighten corporate IT security, making them less vulnerable to both external attacks and insider threats."
Is backing up effective?
As well as ensuring all staff understand how data is protected, it’s important that businesses have stringent backups in place. After all, it’s not always going to be a cyber attack that puts data at risk - risks can come from anywhere, so businesses always need a backup plan. As Alan Conboy, Office of the CTO at Scale Computing, states: “Data [Protection] Day serves as a reminder to the technology industry that protecting your data is of utmost importance. This has been increasingly true with the recent implementation of the California Consumer Privacy Act (CCPA), which is shining a light on the rising regulation of data protection and privacy. With more organisations moving their workloads to edge computing and hyperconverged environments, businesses are looking to protect and recover these workloads, in addition to complying with data privacy regulations like CCPA. With this in mind, it is essential that these platforms include a variety of backup and disaster recovery features such as snapshots, replication, ransomware protection, failover and failback, so that organisations can help safeguard their digital assets today and in the future."
This is something that Andy Swift, Head of Offensive Security at Six Degrees, agrees with wholeheartedly. Swift comments, “Two areas I’d like to highlight this Data Protection Day are your users and your backups.”
He explains, “Security ends with your users – when all other technical controls have failed, they are the final control you should have in place to filter out malicious content. Investing in training to help users spot common phishing, smishing and other human-facing attack vectors is highly valuable, and helps promote buy-in from all users when your organisation introduces tighter technical controls.
“You should also consider the architecture of your file share and backup environments. Far too often we see backup servers configured without any segregation from the regular network, resulting in ransomware attacks infecting backups and rendering them useless. Ransomware is constantly getting smarter – if an attack can access your backups it has the potential to seriously damage your data integrity.
“By carrying out a cyber security maturity assessment, you can establish your organisation’s risk posture and create an action plan to address any weaknesses that are uncovered. In this way you can ensure your data’s confidentiality, integrity and availability is protected, enabling you to maintain your clients’ trust and preventing you from becoming a terrible lesson for other organisations to learn from.”
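Swift’s point about backups being reachable from the regular network is a preventive control; the check a practitioner also wants is a way to tell, before relying on a backup, whether something that did reach it has tampered with or encrypted its contents. The script below is an added example, not code from Six Degrees or from any vendor quoted in this article. It records a SHA-256 manifest of a backup tree and assumes that manifest is kept on separate, read-only storage (here just a second directory in a temporary folder); `verify_backup` then compares the live tree against it and reports missing, modified and unexpected files. The backup contents and the “ransomware” that overwrites and renames files are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not code from Six Degrees or the article's authors.
# Assumption: the manifest lives on media the backup host cannot write to
# (offline disk, object lock, separate account). Paths here are hypothetical
# and created inside a temporary directory so the demo runs offline.

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record every regular file under backup_dir with its size and digest."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return entries


def write_manifest(backup_dir: Path, manifest_path: Path) -> None:
    """Write the manifest as JSON to the (separately stored) manifest path."""
    manifest_path.write_text(json.dumps(build_manifest(backup_dir), indent=2))


def verify_backup(backup_dir: Path, manifest_path: Path) -> dict:
    """Compare the live backup tree against the offline manifest.

    Files present in the manifest but gone from disk are 'missing'; files whose
    digest changed are 'modified'; files on disk that the manifest never saw
    (e.g. *.locked copies dropped by ransomware) are 'unexpected'.
    """
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(backup_dir)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    modified = sorted(
        name for name in set(expected) & set(actual)
        if actual[name]["sha256"] != expected[name]["sha256"]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: take a backup, store its manifest off-box, then
    simulate ransomware that reached the backup share."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        offline = Path(tmp) / "offline"   # stands in for separate media
        (backup / "db").mkdir(parents=True)
        offline.mkdir()
        (backup / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (backup / "payroll.csv").write_bytes(b"id,name,salary\n1,alice,50000\n")
        manifest = offline / "manifest.json"
        write_manifest(backup, manifest)

        # Simulated attack: one file encrypted in place, another replaced by a
        # .locked copy with the original deleted.
        (backup / "payroll.csv").write_bytes(os.urandom(64))
        (backup / "db" / "customers.sql.locked").write_bytes(os.urandom(64))
        (backup / "db" / "customers.sql").unlink()

        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script and the report lists `db/customers.sql` as missing, `payroll.csv` as modified and `db/customers.sql.locked` as unexpected, with `ok` false. The detection only holds if the manifest really is out of the attacker’s reach: a manifest stored beside the backups would simply be encrypted or regenerated along with them, which is the same segregation argument Swift makes for the backup servers themselves.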
What about your customers’ data?
It’s not just about ensuring your business’s own data is safe and secure - your customers’ data is also critically important. Gary Cheetham, CISO at Content Guru, advises, “The General Data Protection Regulation (GDPR) is approaching its two year anniversary and beyond the ubiquitous ‘privacy notice’ pop ups and the need to give consent we now face online, we have seen some real changes in the way businesses are approaching data protection. With this, consumer expectations have also risen - trustworthiness and transparency are becoming priority considerations for consumers, who increasingly want to form long term relationships with brands they trust. With customer experience now the key differentiator for many businesses, demonstrating the proper handling of customer data and information has to be front of mind.”
Additionally, as Nigel Tozer, Solutions Marketing Director EMEA at Commvault reminds us, it’s important to take a step back and think about your own data. Tozer comments, “Privacy may have been given the status of a ‘human right’ in the EU, but many organisations still struggle with the Data Protection laws that protect it. In some cases you can put it down to ignorance, for many it’s due to the complexity of modern data processing and sadly, still too much wilful avoidance for commercial gain.
“As individuals, this means we have to be aware of our own rights with regard to privacy and data protection, and take steps to protect our data from misuse or abuse. Simply reading privacy policies (I know!) is a good start – what you find might surprise you enough that you think twice about ticking those consent boxes.
“For business, ignorance and complexity are not excuses, while data at scale, built up over years, is too much for any kind of manual compliance effort. That said, getting visibility of all of your data – on-premises, in the cloud and on laptops – and automating the actions needed to clean up your act isn’t anything like as difficult as you think.”
Tozer rounds things off by advising that this coming Data Protection Day, “make a note in your diary to investigate doing just that. You never know, it might save you money as well as giving your data governance program the shot in the arm that it needs.”