With the accelerated pace of digital transformation over the past few years, organisations collect and store more data than ever before. However, whilst this can have huge benefits – allowing businesses to better serve their customers by personalising their service – this data is at greater risk than ever. Indeed, 39% of businesses experienced some kind of cyber breach or attack in 2021.
With the move to hybrid work and a swift digital transformation changing the way data is collected, stored and processed, it’s vital that organisations ensure that their data is still being kept safe.
An evolving workplace
It’s becoming increasingly clear that remote working is here to stay. With that in mind, organisations must make sure that the solutions and collaboration tools they put in place in haste at the beginning of the pandemic are not putting their data at risk.
“Many of these tools are general-purpose solutions that meet the requirements of employee communication and collaboration well enough. But they may not be appropriate for the top layer of your organisation — the board and executives.” argues Dottie Schindlinger, Executive Director, Diligent Institute.
“Boards and executives deal with information that is often highly sensitive and that consequently has higher costs of exposure. Think of the reputational, legal and financial repercussions if a classified document leaked because it was shared by executives on a general-purpose communication tool. The impact could be catastrophic. Additionally, recent cyberattacks have highlighted — not just for shareholders, but for all stakeholders — the importance of protecting an organisation’s most sensitive data. General-purpose collaboration tools are often unable to offer the level of protection that stakeholders expect.
“Organisations need secure environments and workflows that allow the board and executives to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen.”
The last two years have also seen an acceleration of digital transformation, with more and more organisations using cloud storage solutions for their data. Paul Calatayud, Chief Information Security & Privacy Officer at Aqua Security, explains why this has forced organisations to adapt their data protection solutions.
“In the days of on-premises, we could tangibly understand where data lived and so it was easier to protect. Today we are moving at the speed of cloud, which has created new situations that we’ve all had to adapt to. Under threat from all lines of attack – from external cyber adversaries to insider threats, to supply chain security attacks – security must never slip, and data must be kept safe and secure up and down the stack.”
Compliance and consumer trust
Another big talking point surrounding data protection over the past few years has been data regulations. Increasing fines for non-compliance have pushed it to the forefront of mind for most businesses.
“Data protection is a global compliance requirement, it’s not only about GDPR,” argues Gareth Tolerton, Product Innovation Director at Totalmobile. “Organisations working around the world need to be aware of the latest requirements in every country and ensure that their systems and processes meet these needs. To do so, there are a few top tips to follow. Ensure that you have specific policies in place around the handling, storage, access, visibility, and transmission of personal data so that staff know exactly when and how they can interact with this. In the same vein, training is vital. Initial GDPR training would have occurred almost four years ago, so regular refreshers are key to keeping teams secure.”
Steph Charbonneau, Senior Director of Product Strategy, Data Security at HelpSystems, also emphasises the importance of including data compliance within a data policy. “A robust data security policy should cover the specifics of how data will be collected, how it will be kept safe, and what is done with data when it is no longer needed. Organisations need to ensure that data governed by privacy regulations are protected in daily workflows and that the right cybersecurity tools are in place to identify and treat the data accordingly.”
Organisations should also be aware that new storage solutions have different regulations, notes Anurag Kahol, CTO at Bitglass, a Forcepoint company. “Organisations need to have a thorough understanding of data jurisdictions and any security challenges they may present after migrating to the cloud.
“With respect to certain data privacy regulations like CCPA, data may only be stored or transferred where the state has jurisdiction or an agreement is in place. Similarly, under GDPR all personally identifiable information must be secured with policies and processes in place which allow for audit and compliance. To ensure compliance, organisations should look for security solutions that allow them to encrypt cloud data (wherever it resides) while maintaining local control of encryption keys. Additionally, solutions that dynamically allow or deny access based on contextual factors like a user’s location, device type, or job function are highly helpful, along with data loss prevention (DLP) capabilities.”
Hugh Scantlebury, Founder and CEO at Aqilla, echoes this sentiment. “If you’re using cloud-based accounting and financial software — indeed, any cloud-based solution — we’d recommend you check your solution operates from a secure and well-managed data centre. Ask your provider if they store your data in accordance with the National Cyber Security Centre’s 14 Cloud Security Principles.”
Collective responsibility and zero trust
A successful data protection strategy must involve strong cyber security – and this is a collective responsibility.
“Effective training is a crucial tool in building good cyber hygiene within an organisation and this starts by recognising that every single employee has a role to play.” explains Don Mowbray, EMEA Lead, Technology & Development at Skillsoft. “Security is everyone’s responsibility – from the CISO down, there is an awareness level each employee needs to achieve. In the security industry, Zero Trust architectures are gaining steam as an effective route to mitigating the risk of a successful cyber-attack – but Zero Trust is as much of a people concept as it is a technology framework.
“A Zero Trust mindset that can bolster security within the culture of the wider organisation. At its core, Zero Trust is the concept of least privilege – trust nothing and no one until they have proved they are who they say they are. If every single employee – regardless of role or department – can operate on this basis, organisations will improve their security posture overnight.”
Be prepared for the worst to happen
Even with every precaution in place, it is impossible to keep data completely secure. In a world where cyber threats are increasing, there is always the possibility that an attack will overcome an organisation’s defences.
With this in mind, businesses should make sure that they are prepared for this worst case scenario. “No single solution can offer protection from ransomware attacks with 100% certainty, having a disaster recovery and backup solution based on continuous data protection (CDP) offers companies the ability to be resilient in the face of potentially catastrophic circumstances.” explains Avi Raichel, VP, Zerto GTM, a Hewlett Packard Enterprise company. “Companies using CDP can resume operation at scale in minutes and recover to a state a few seconds before an attack. Ultimately, having continuous data protection will put the power back in the hands of the organisations who are prepared.”
However Gregg Mearing, Chief Technology Officer at Node4, notes the importance of also safeguarding those systems. “As a safety net, should a cyberattack occur, the final part of every data protection solution should be disaster recovery and backup. However, it remains important that these systems are also protected and not simply considered the last line of defence – they are increasingly being targeted as cybercriminals grow in sophistication.”
As Steve Cochran, CTO of ConnectWise sumises, “never before has the concept of data privacy been more under threat. It behooves all of us technical professionals to use this day to reflect on the growing threat and our response to that threat over the last year and prepare ourselves for the coming year. Data privacy and the effort that is required to protect it will continue to change at an accelerated rate this coming year and the years to come.”
Pingback: Special: Data Privacy Day - Cyber Protection Magazine