Data Protection Day comments from Imperva, Veritas, KCOM and Tanium.
The comments include:
- Spencer Young, RVP EMEA at Imperva, explaining where companies are going wrong in getting data protection right, including data that is difficult to find, using the wrong technology and failing to govern data access
- Jasmit Sagoo, senior director, Northern Europe at Veritas, describing the data power shift we have seen between businesses and consumers post-GDPR, where businesses are going wrong in the cloud, and the need for a culture of compliance
- David Francis, Information Security Consultant at KCOM, explaining the road to success on Data Protection Day, and the two key questions businesses should ask themselves: do you know when you’ve been attacked, and have you been paying attention to the news around GDPR?
Spencer Young, RVP EMEA at Imperva:
Today marks the 13th annual Data Protection Day, a day aimed at raising awareness and promoting good data privacy practices around the world.
The past year saw vast changes impacting the UK’s data protection landscape, not the least of which is due to the EU’s General Data Protection Regulation (GDPR) officially coming into play. The regulation means that regardless of the industry or location, any business that holds and processes personal data must prioritise data protection.
The fines associated with non-compliance are hefty, to say the least, and the potential damage to the brand’s reputation can be even costlier. Yet, we have seen big brands including the likes of Google tripping up on their data protection journey. Where are companies going wrong in getting data protection right?
1/ Finding the data is not easy
Data protection is complex and involves multiple teams, technologies and systems to work together.
One of the first hurdles IT teams face is in conducting a Data Assessment Report, which requires organisations to locate any personal data they are holding and document how the data is collected and processed. This detailed assessment must be kept current and ready for regulatory inspection or compliance audits.
However, many businesses find it challenging to locate that data. When you are a large enterprise, this can take more than just a call to your IT department and can take weeks – even months – of investment.
2/ Not having the right technologies in place
Perhaps most significantly, regulations require any company that experiences a data breach to publicly acknowledge the breach and notify the local Data Protection Authorities (DPAs) in the member states where the people affected by that breach reside. Businesses must notify the DPAs within 72 hours of identification or confirmation of the breach. They must be able to tell them what data was breached, how many records were taken and provide a member-state-specific report around the infringement.
This requirement means all businesses need to be able to understand who accessed the data, what activity they performed and when they performed it. Any organisation without strong technology solutions in place will struggle to provide the requested information within the 72-hour window.
3/ Failure to govern data access
Limiting access to certain information and making sure that access is authorised and reflects any changes within the business is a critical step in data protection that many companies tend to neglect.
It’s important to analyse policies on data collection, handling, test data usage, data retention, and data destruction. At each point, access must be on a need-to-know basis. Users should not be allowed to accumulate access rights as they are promoted or move laterally within an organisation. Privileged accounts, including DBAs, Admins and Service accounts, should be carefully monitored to ensure they are not used to bypass policies.
Not doing so will inevitably lead to disastrous consequences.
There may be many reasons why an organisation’s data protection strategy is not up to par, but they will reside somewhere within having inadequate or ineffective processes, people, and technology. It is critical to be aware of potential pitfalls and actively work towards more robust data protection practices.
GDPR or not, Data Protection Day should be every day in our data-driven business landscape.
Jasmit Sagoo, Senior Director, Northern Europe at Veritas:
The data power shift
2018 marked a pivotal change for data privacy and protection across the globe. For a long time, personal data has been leaked, shared, tracked and analysed without consumers’ prior knowledge or consent. But the introduction of the General Data Protection Regulation (GDPR) has offered individuals in the EU an olive branch: more control over their data.
For years, organisations have failed to understand the real value of their data, or the repercussions of mishandling it. Our Truth in Cloud research found that most UK businesses (75%) export full responsibility for data protection to their cloud providers, with over half (52%) wrongly assuming their cloud providers are responsible for complying with data privacy regulations.
We also found that 42% of companies’ total data environments are either stale (i.e. have not been modified in the last three years) or ancient (i.e. have not been modified in the last seven years).
However, the change in data privacy regulations has served as a much-needed wake-up call for organisations. Beyond the hefty fines for regulatory non-compliance, companies have begun taking notice of the real reputational damage that could result from a lack of responsibility for protecting and managing their data. Our research revealed UK consumers would punish organisations that don’t protect their data by shopping elsewhere or by attacking their brand reputations.
Meanwhile, the potential benefits of investing in effective data protection and management are vast, such as the ability to personalise and improve customer service and create information-centric business models that give way to new revenue streams. In addition, nearly half (46 per cent) of UK consumers say they would spend more money with organisations they trust to look after their data, with over a fifth (21%) willing to spend up to 25% more with businesses that take data protection seriously.
Today, more and more companies are beginning to realise the importance of not only protecting their data, but also understanding exactly what data they hold, where it sits, who has access to it and how quickly they can retrieve it. Businesses must now be able to automatically classify large volumes of digital data, scanning and tagging it in a granular, intelligent manner to ensure that information is managed effectively and can be accessed efficiently and on-demand.
Technology aside, businesses must also instil a culture of digital compliance and responsibility among their employees. And there’s no question about whether this is needed: an overwhelming majority (91%) of organisations admit that they lack a culture of good data governance. With a three-fold approach to managing data which includes technology, processes and people, organisations will be in a strong position to reap the rewards associated with protecting and managing data and building customer confidence in today’s digital economy.
David Francis, Information Security Consultant at KCOM:
Data Protection Day falls on Monday 28th January this year. In previous years, this day has been overlooked. However, in 2019, we’re finally starting to see people and businesses give it the recognition it deserves.
So why is data protection so important in 2019? Last year we saw some immense upsets, from the BA data breach to the Cambridge Analytica scandal. The range of consumer-facing breaches in 2018 has truly proved that cyber security is the last line of defence for personal security. In addition, since the last Data Protection Day, we have seen the introduction of the GDPR.
The first question you should ask yourself today is: Do you know when you’ve been attacked?
It takes companies an average of 206 days to discover a breach, so the answer is ‘probably not.’ And the threat doesn’t just have to be external: you could have sleeper agents placing time bombs in advance. They don’t necessarily need to be onsite at the crucial moment.
It could be a developer with a grudge placing a time bomb in the system to erase crucial intellectual property, or even an outgoing executive quietly deleting things in the background. If done quietly over a period of time, you could lose your backups as well, with no way of tracing the culprit. This is in addition to the huge GDPR fines you would face. Companies need to have measures in place to track data movement to prevent this kind of insider threat.
The next question to ask yourself today is whether you have been paying attention to the news around GDPR.
If 2018 was the year of compliance, 2019 will be the year of retribution for everyone’s favourite data privacy regulation. The period of grace is drawing to a close, and we’re already seeing the ICO taking its first high-profile scalp over treatment of personally identifiable information, with Google being the first to fall in France.
This has set the precedent by which all further cases are judged – letting companies know along the way just how strictly enforced the rules are going to be, and how heavy the fines. Now is the time to check your compliance levels.
If 2019 is anything like 2018, consumers are in the firing line. With these scenarios in mind, on Data Protection Day, it’s time to re-evaluate your security plans and consider: Does this plan put the customer first? Is your security system tracking insider threats? Are you aware of which employees have access to what data? Are you GDPR compliant?
If your organisation can safely answer yes to all these questions, congratulations, you have had a successful Data Protection Day. However, that doesn’t mean it’s time to stop evaluating your systems; in today’s security landscape, you can never be too safe.
Chris Hodson, EMEA CISO at Tanium:
“As we approach the first data privacy day since GDPR has been in force, there is no doubt that analysing the effectiveness of the regulation will dominate. For me, as a CISO, there are many common misconceptions of GDPR. Firstly, we must remember that approximately 80% of GDPR isn’t directly within the CISO’s purview. The whole business, most notably the DPO, must be responsible for driving data privacy across the enterprise. The security function can certainly help with the “how” of data protection and must be responsible for putting the processes in place to ensure that data is safeguarded. However, we are often of very little use in ascertaining the “why” of data collection. For a security team or CISO, it’s about ensuring that controllers (and processors) carry out data processing in a transparent fashion. It’s about making sure that information is not left lying around in servers ad infinitum.
“That’s why the best defence is a model for qualification and assurance. That means having real-time visibility of the data stored across your network and where threats and vulnerabilities exist. But it also means taking a role in educating our boards, executives, and fellow employees on their role in protecting data: choosing systems and practices that support GDPR principles and maintaining practices that safeguard customer data in the long-term.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.