Today, on Data Protection Day 2021, we hear from a number of experts in IT and cybersecurity, who offer their commentary on the best ways to maintain data protection and privacy, IT team training and education around protecting customer data, and the impact the rapid shift to remote work operations has had on keeping sensitive data secure.
With the masses of personal data we entrust to companies, organisations in every industry must make sure they have the right security practices in place to ensure employee, partner and customer data is safe, secure and difficult to hack and sell on. Data Protection Day holds even more importance this year, as the widespread transition to remote working presents new challenges around data protection.
According to Martin Taylor, Deputy CEO and co-founder at Content Guru, remote working and the use of video has presented new data protection challenges: “In a recent report, research firm MarketsandMarkets estimates that the enterprise video market will grow from $16.4bn in 2020 to $25.6bn by 2025, but points to limited interoperability of different enterprise video solutions as a key challenge facing organisations. This is particularly poignant for organisations in heavily regulated industries, such as financial services, where firms are now faced with the data protection implications of collaboration application sprawl. Disjointed, ‘swivel chair’ compliance is becoming increasingly impractical, given the diversity of tools now in use.”
Martin highlights, “Unified solutions may allow firms to develop cost-effective, enterprise-wide compliance and data management policies that eliminate the problems associated with old-style disjointed methodologies. Not only does universal search give compliance officers complete visibility, but it also helps maintain effective standards across all stakeholders. Whatever the year ahead brings, we can be sure these core technologies will play a foundational role.”
Gareth Tolerton, Chief Product Officer at Totalmobile, emphasises, “Data protection is a global compliance requirement; it’s not only about GDPR.
“Organisations working around the world need to be aware of the latest requirements in every country and ensure that their systems and processes meet these needs. To do so, there are a few top tips to follow. Ensure that you have specific policies in place around the handling, storage, access, visibility and transmission of personal data so that staff know exactly when and how they can interact with this. In the same vein, training is vital. Initial GDPR training would have occurred almost three years ago, so regular refreshers are key to keeping teams secure. And finally, organisations that can appoint a dedicated Data Protection Officer will be able to give their full attention to internal compliance strategies and processes, adding that extra layer of protection.”
“We’re currently waiting for a big post-Brexit announcement concerning data protection from the EU to grant the UK Adequacy, allowing data flow across the EU to continue,” says Vicky Withey, Head of Compliance at Node4. “While we have no crystal ball to help us predict the future decision making of the EU, we can certainly prepare for the possible outcome.
“Supplier Due Diligence, which ensures that data providers can secure the data they are being trusted with, is a current theme we see at Node4. Compliance standards such as ISO 27001 and PCI are a must for those who want to ensure a level of control for processing, storing and transferring data securely.
“Future changes to GDPR I foresee will be a greater awareness from consumers to know and understand their rights concerning their personal information. Organisations will be forced to make ethical decisions on how personal data is collected, processed, stored and shared to ensure that they are not in breach abusing an individual’s rights. Consequently, boardrooms will be expected to report and monitor privacy breaches and support compliance to embed data protection within the organisation.”
Learning to protect the masses of data
Animesh Chowdhury, founder and CTO at GoodTill, explains how organisations in the hospitality sector, such as restaurants, have had to turn to new technologies that allow online purchasing in order to stay afloat during the pandemic:
“Managing this data can be a tough job for organisations not already familiar with protecting this kind of information, so selecting a technology partner that can help make this as easy as possible – likely by keeping customer data securely in the cloud – is crucial. Data Protection Day should act as a reminder to businesses that while keeping operational throughout the pandemic is important, customers are trusting you to protect their information with every transaction.
“Data protection and compliance is a key part of long-term customer loyalty. It can be complicated, but by leveraging the right technology, business owners can rest assured their data is safe and instead focus on offering the very best experience for their customers during this trying time and beyond.”
With many organisations adopting full or hybrid remote working for their employees, they have an increased reliance on the cloud and a distributed enterprise. Surya Varanasi, CTO at Nexsan, a StorCentric company, discusses how this creates new challenges for companies trying to protect data from cybercriminals:
“To fight the mounting threats and protect their data, organisations must combine known best practices with modern technology. Once those are in place, incorporating unbreakable backup solutions will serve as a last line of defence, allowing organisations the ability to recover, maintain uninterrupted operations and avoid paying ransoms should they be attacked. This way, sensitive information is kept safe and business continuity remains intact.”
Putting the right security practices in place
“There are few organisations that don’t understand the importance of data protection – but when it comes to fighting the tsunami of security alerts thrown at them every day, many security and IT departments are simply overwhelmed. In 2020 alone there were some 18,000 new vulnerabilities published. For overstretched and often under-resourced teams, it’s often a case of too much, too fast, no time,” explains Stephen Roostan, VP EMEA at Kenna Security.
“However, all is not lost. What’s needed is context. For example, of the 18,000 vulnerabilities published last year, less than 500 had exploits out in the wild. And not all vulnerabilities carry the same risk. A vulnerability that carries risk to one organisation could be harmless for another. The impact for every company is akin to a person’s DNA. It’s totally unique.
“The answer is to determine what risk tolerance your organisation is prepared to accept and empower IT teams to prioritise fixing the vulnerabilities that pose the most serious risk to their IT environment. It’s impossible to fix every vulnerability – that’d be similar to boiling the ocean. The trick is to use data science and predictive modelling to understand where to focus your efforts. Accuracy and speed are paramount. Pinpointing the highest priority vulnerabilities and tackling those first will minimise the risk of cybercriminals compromising sensitive and confidential data.”
“When it comes to the methods cybercriminals employ, phishing emails – malicious emails containing links or documents laden with malware – continue to be a prominent threat,” identifies Thomas Cartlidge, Head of Threat Intelligence at Six Degrees. “Cybercriminals design them to evade both technical and human defences, and organisations should expect phishing to remain one of the main threat vectors that hackers use to deliver both ransomware and business email compromise (BEC) attacks in 2021.
“In order to protect their data, all organisations need to know how to best defend against phishing emails. But how can you adapt? Well, point solutions are all well and good but ‘defence in depth’ can only be achieved by understanding your security posture, aligning it to your risk appetite, continually assessing it for suitability, and equipping your staff with the latest information on threats to create a phishing-savvy workforce. Get it right, and you will significantly reduce the financial, operational and reputational risks you face.”
To conclude, Agata Nowakowska, AVP EMEA at Skillsoft, explains that with many employees working remotely, cybersecurity awareness training is essential to protect critical and sensitive data.
“According to Cisco’s Benchmark Report 2020, more than half (52%) of organisations are finding it very or extremely difficult to defend mobile devices. With IT security teams already stretched thin, it’s crucial that organisations prioritise education, training and awareness around the specific security risks related to remote working. Online or virtual-led training is an extremely effective method of training employees who are working remotely and will continue to be a key tool in the new world of work we are now in. Data Protection Day holds more weight now than ever before – learning & development teams should draw on this as they drive awareness within their organisations.”
Data Protection Day serves as an important reminder to companies to ensure security is a top priority!