Data Protection Day is acknowledged in the US, Canada, and 47 European countries, and has been upheld since it was launched 13 years ago by the Council of Europe. Its main purpose is to raise awareness and promote privacy and data protection – particularly among businesses.
As technology continues to advance, and businesses become more reliant on leveraging customer data, its protection has never been more critical. Last year, organisations were concerned with being able to effectively implement GDPR. But twelve months on and, while regulations to protect data are in place, cyber-attacks still frequently occur. It has never been more imperative for businesses to have a comprehensive security strategy in place.
This year Information Security Buzz caught up with six data specialists to get their thoughts on what businesses must continue to do to protect their customers’ data. Here is what they said:
Understanding the value of the data is key to protecting it
“The rate at which businesses are generating data is only going to continue to grow and IT security professionals need to be able to quickly identify which items are the highest priority for protection,” Jan van Vliet, VP and GM EMEA at Digital Guardian commented. “Not all types of data are as sensitive or vulnerable as others and it’s for this very reason that data discovery and classification techniques are crucial parts of any organisation’s data security strategies. The first step in keeping customer information protected is to understand what value the data has, where it is being used, whether it needs to be encrypted, and how employees or third parties are interacting with it. This information is central to helping organisations make informed decisions about how to manage and secure data appropriately. It’s not a one-size-fits-all approach, but done correctly, it can greatly assist companies in meeting governance and compliance regulations, as well protecting intellectual property.”
In the world of BYOD – trusted device security models are the answer
Mike Schuricht, VP Product Management at Bitglass, told us, “in recent years, the use of mobile devices in the workplace has soared as organisations have become more aware of the benefits that flexible working practices can have on productivity, and in turn, on the bottom line. However, those same organisations can be less keen to acknowledge the security risks associated with having so many vulnerable endpoints connecting to the cloud and corporate network.
“For most, the answer lies in a ‘trusted device’ security model where the devices have some basic protections and the organisation has some kind of control. Employees with trusted devices often have access to some of the most secure data in an enterprise. However, all endpoints remain vulnerable to loss, theft, and cyber-attacks that target data rather than the device. The fact of the matter is no matter how locked down a device is, the risk of data leakage can never be eliminated. Device security cannot be the cornerstone of an effective security solution.
“The solution is to focus on the data, rather than device. This approach will help to sidestep the major privacy and logistical issues associated with more invasive, device-based security tools, like Mobile Device Management (MDM) or Mobile Application Management (MAM) and lead to a win-win for organisations and employees.”
The prescription is encryption
Garry McCracken, VP Technology at WinMagic, said, “encryption is the foundation of any data security solution. With a comprehensive encryption and key management solution in place, whether your customer data is stored in the enterprise or in the cloud, if a hacker ever got their hands on that data, it would be unreadable and therefore useless to them. Don’t rely solely on the encryption solutions provided by the device manufacturer or operating system.
“While native encryption toolkits are the best at encrypting their own devices, the operating system can really benefit from the encryption management solutions provided by Independent Software Vendors (ISVs) to manage and unify encryption efforts across the enterprise. Trying to manage too many solutions independently creates more work, and more potential points of failure in your data security plan. This Data Protection Day, help ensure your business is not the latest to experience the negative impact of data loss or theft, and consider implementing these tips.”
First signs of government control
Stephen Gailey, Solutions Architect at Exabeam, gave us his prediction. He said, “data privacy was a hot topic in 2018, and that trend is expected to continue in the coming months. Over the next year, I believe we will see the first sign of government control over large internet service companies. Organisations such as Google and Facebook still don’t seem to understand what privacy means. I think we will actually see some form of legislative control being put forward or even break-ups considered.”
Keep staff educated and trained on data protection
Agata Nowakowska, AVP at Skillsoft, commented that “mobile platforms, Big Data and cloud-based architectures are creating significant challenges for data protection, but no challenge is higher up the corporate agenda than IT security. Even the most careful organisation is vulnerable. A smartphone or laptop inadvertently left on a train, or a well-intentioned lending of access privileges to an unauthorised user can have far-reaching consequences.
“Security is the number one IT priority in nearly every business sector today, but the scarcity of security-savvy IT experts means many companies can no longer rely on hiring their way to a robust solution. Fortunately, there are a wealth of sophisticated education and training strategies now available that allow organisations to reward and retain employees whilst simultaneously improving corporate security from within. From expert-led instruction to continuous hands-on experiential learning, organisations are putting in place complete frameworks for training and certification that can tighten corporate IT security, making them less vulnerable to both external attacks and insider threats.”
Resilience in the face of threat
Steve Blow, Tech Evangelist at Zerto, said, “all businesses know by now that they need to prioritise data protection – there’s certainly enough headline scare stories of data leaks, outages and ransomware attacks that should have persuaded them over the past year. Adding to this is the modern consumer perspective of ‘there’s no excuse for downtime, or the loss of data’. Businesses need to be focusing on ensuring they are resilient against the many threats facing data today, to prove to their customers they are taking data protection seriously.
The adoption of the latest technology, with innovative new approaches, has led to this number of both planned and unplanned disruptions in a business rising. Combating this means companies need to start looking outside of traditional backup capabilities to keep the business online; they need to choose a modern, resilience approach that can utilise continuous data protection.
This, paired with the ability to orchestrate and automate the mobility of applications to the ideal infrastructure, will enable businesses to have more than just their customers’ data protected. Organisations will become completely IT resilient, protecting data, infrastructure and reputation – without the downtime.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.