Achieving compliance across a wealth of new international data privacy laws and regulations is a growing challenge, with many organizations struggling to keep pace. A significant number still have not yet invested in data discovery and classification in their efforts to help fulfil compliance obligations. Add to this the open systems that employees have in place to communicate through the supply chain, especially in the new remote working dimension established by Covid-19, and business is at risk of significant data breaches.
Landscape of regulatory change
Serious data breaches and incidents of cyber-intrusion have resulted in a myriad of regulations coming into force across the globe, including GDPR, CCPA, the Australian Privacy Act, DPTM and the Japanese Privacy Law, and these will only grow as businesses scramble to make sure they are compliant.
The extent to which businesses are concerned about meeting new regulations was evident by recent calls to delay the start of enforcement of the CCPA – scheduled for July 1, 2020 - because of disruption caused by the Covid-19 pandemic. There is no doubt that businesses are facing a heavier burden than ever before when it comes to proving they are meeting data protection and cybersecurity obligations, yet higher authentication should not be thought of as a burden, it is a must for businesses if they wish to remain secure.
Covid-19 creates an escalating threat environment
You only have to look at recent attacks like the those faced by Honda to see that the threat landscape is intensifying. The Covid-19 Pandemic has created additional security threats, as organizations face increasing risks from threat actors looking to take advantage of the increased proportion of employees working from home. Being away from the office in an unfamiliar working environment, with the domestic distractions that come along with it, means the frequency of breaches is likely to increase as security is not in the forefront of people’s minds.
Some of the biggest threats associated with the pandemic include phishing emails, spear phishing attachments, cybercriminals masquerading fake VPNs, remote meeting software and mobile apps and a new family of ransomware known as Coronavirus that has recently been reported. However, not all threats are external. A high percentage are caused by simple employee errors like inadvertently sending a file to the wrong person by email. In fact, according to a recent Forrester report by analyst Heidi Shey entitled: “The State of Data Security and Privacy, 2020”, among breaches in the past 12 months, 46 per cent involved insiders like employees and third-party partners. This can actually be more damaging as businesses should appear to have a strong hold on their own internal data and who can access it.
Meanwhile, the tone from regulators remains unchanged, with the ICO stating “A crisis situation is no excuse for failing to meet data security obligations”. So, if compliance penalties are not frozen whilst we are in a pandemic, businesses need to make sure they are covered more than ever whilst the risk of data breaches is greater.
What can be done?
Investment decisions have to focus on protecting data, and by incorporating technology that directly touches data, businesses can start to establish a compliance position in a regulated environment. But in order to do this, businesses need to first know where all their data is located, establish what is sensitive and what is not, determine appropriate access rights and in so doing control its movement. The better the visibility, the more compliant an organization will be, which can then be used to drive competitive advantage.
In basic terms, they need to adopt a ‘Privacy by Design’ approach. This takes privacy into account throughout the whole process and starts with Data Classification.
Classification by design
Data protection by design and default needs to be planned within the whole system, depending on the type of data and how much data a business has. Data classification is the categorization of data according to its level of sensitivity or value, using labels. These are attached as visual markings and metadata within the file. When classification is applied the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label.
Businesses need to mitigate attacks and employee mistakes by starting with policy - assessing who has access. Then they should select a tool that fits the policy, not the other way round; you should never be faced with selecting a tool and then having to rewrite your policy to fit it. This will then support users with automation and labelling which will enhance the downstream technology.
Once data is appropriately classified, security tools such as Data Loss Prevention (DLP), policy-based email encryption, access control and data governance tools are exponentially more effective, as they can access the information provided by the classification label and metadata that tells them how data should be managed and protected.
Compliance can be a challenging task, however businesses should see it as a positive, as customers who know their data will be secure, will trust businesses with their most important data. Here are a few pointers to keep top of mind when looking at data classification and your compliance strategy:
- IT security and operations do not own business data – so do not look to the CISO for all the answers.
- Data stewardship will correctly align to regulations only when the data owners are identified and engaged.
- Identify and engage stakeholders right across the business, including risk, legal, and compliance. This is critical to the success of your compliance program.
- Organizations must educate users as a whole about the sensitivity of data and ensure the appropriate controls are in place around confidential and sensitive information.
- Alert users when data is leaving the organization to warn them before sending messages that contain sensitive information.
- The first step is the need to classify or label data with visual labels to highlight any specific handling requirements.
- Then, secondly, ensure metadata labels enforce security controls to stop unauthorized distribution of data.
- Link data classification tools to solutions such as DLP, encryption and rights management to enhance overall data protection.
- Make sure you provide critical audit information on classification events to enable remediation activity and prove your compliance position to the regulatory authorities.
With this methodology in place, it will provide a firm foundation towards onward compliance and long-term competitive differentiation and efficiencies to businesses.
Adam Strange, Global Marketing Director, Boldon James