Data Protection Day acts as a reminder to all about the importance of doing everything possible to secure and protect an individual’s data. It’s an issue that shouldn’t really need more awareness, as everyone knows how important data protection is, especially in this modern age where everything that happens online leaves a digital footprint. However, we are consistently seeing weekly examples of both shocking and costly data breaches, meaning that this is a subject that needs constant vigilance.
It’s important that businesses know how and why they should protect their data, especially with new regulations in place. With this in mind, ten IT experts give their advice on how businesses can ensure that data is fully protected.
The impact of regulation
This is something that Jon Lucas, Director at Hyve Managed Hosting, agrees with. He comments, “Almost a year post-GDPR and quite rightly, data protection remains firmly in the spotlight. Though the reminders might seem tedious, being confident in your data security is more crucial now than ever before. Hosting and cloud providers in particular need to prioritise security measures that can help prevent cybercriminals from taking advantage, thereby ensuring that their customers’ data is kept safe. It is now commonly accepted that it is a matter of if, not when, attacks occur – in the event of a breach, businesses need to be able to trust that their provider has suitable security and recovery measures in place, giving them peace of mind that no harm will come to the data placed in their hands.”
2019 could be a big year for regulators, who now have greater powers than ever to act against data protection breaches. We’ve already seen a large GDPR fine levied against Google, but that could be just the shape of things to come. “I believe we will see the first sign of government control over large internet service companies,” says Stephen Gailey, Solutions Architect at Exabeam. “Organisations such as Google and Facebook still don’t seem to understand what privacy means. I think we will actually see some form of legislative control being put forward or even break-ups considered.”
Nigel Tozer, Solutions Marketing Director, EMEA at Commvault also believes that legislation has a huge impact on businesses. “Data Protection might be a right in the EU, but many businesses still see your rights as an inconvenience at best, or something to just ignore at worst,” Tozer comments. “For this reason, I urge you all to exercise your GDPR muscles when it comes to data about YOU. From a personal perspective, I’m aware of my data being used and abused just as much as before the act came into effect, the visible elements surfacing as spam, of course.
“I’ve been saying it for years now,” Tozer continues, “but businesses should focus on profiling the data they have, where it’s stored and what it’s being used for – if they haven’t already done so. Not only will it help businesses get compliant and reduce their risk exposure, it could also reduce their costs, too.
“Some will cite the absence of big fines or visible enforcement in 2018, so don’t let your inaction mean that we say the same about 2019. That said, I’m sure there are a good number of cyber-criminals that will be on hand to help you out...”
How organisations can raise their data protection game
All businesses know by now that they need to prioritise data protection – there are certainly enough headline scare stories of data leaks, outages and ransomware attacks that should have persuaded them over the past year. Steve Blow, Tech Evangelist at Zerto, believes that adding to this is, “the modern consumer perspective of ‘there’s no excuse for downtime, or the loss of data’. Businesses need to be focusing on ensuring they are resilient against the many threats facing data today, to prove to their customers they are taking data protection seriously.
“The adoption of the latest technology, with innovative new approaches, has led to this number of both planned and unplanned disruptions in a business rising,” he continues. “Combating this means companies need to start looking outside of traditional backup capabilities to keep the business online; they need to choose a modern, resilience approach that can utilise continuous data protection.
“This, paired with the ability to orchestrate and automate the mobility of applications to the ideal infrastructure, will enable businesses to have more than just their customers’ data protected. Organisations will become completely IT resilient, protecting data, infrastructure and reputation – without the downtime.”
Alan Conboy, CTO at Scale Computing agrees with Blow’s thoughts on backup evolving, stating, “As more organisations are moving their workloads to edge and hyperconverged environments, companies are looking to protect and recover these workloads. Backup and disaster recovery used to simply be good business practices. Now, for many industries, they are a big part of regulatory compliance. Data is more valuable than ever before and how data is managed and protected is increasingly being regulated by law. Platforms that include a variety of backup and disaster recovery features including snapshots, replication, failover, failback and cloud Disaster Recovery-as-a-Service are key.”
John Williams, Product Manager at Node4 also agrees that businesses need to take action when it comes to data protection. “There is no silver bullet to the challenges of data protection, but there are a number of key areas that every organisation can employ to significantly raise their game,” Williams says. “Success is less about cost and more about making an active, long-term commitment.
“Firstly, treat your staff as your human firewall, educate them in the threats they may be exposed to and get them active and aware of those threats – they are your intelligent line of defence. Added to this, regular vulnerability scanning and penetration testing provides vital intelligence that your security is matched to the threats. Do it again and again as the threat landscape is a moving feast. And, should serious problems occur, disaster recovery and backups are vital as a solution to threats like ransomware, but as these systems also become the targets of cybercriminals they need to be protected – not just seen as a siloed last line of defence.”
The notion of data protection might be starting to sound repetitive, but it is still top of the business agenda. Gary Watson, CTO at StorCentric and Founder of Nexsan reminds businesses that IT security threats come in all different shapes and sizes – “just as quickly as we put up barriers, cyber criminals find new ways to break through. Businesses need to have confidence in their recovery strategy; relying alone on the traditional ways of backing up data is not sufficient. Organisations need to ensure everything is protected including the data, finances and the organisation’s reputation. Threat detection software is only half the battle, keep in mind ‘what if any attack succeeds?’ and ensure there is a second line of defence in place that can offer a comprehensive range of security features, from encryption through to backup, hardened archiving, and recovery. Alongside product investment, take the time to educate employees on the latest threats, which in turn will build confidence.”
Similarly, Shannon Simpson, Cyber Security and Compliance Director at Six Degrees comments, “Effectively protecting data means employing a holistic strategy, looking at people, processes, systems and technology from the ground up. Understanding how every fragment of data is collected, where it is held, and how it is accessed and used can be the difference between having a profitable, secure business and succumbing to damaging breaches. Staying abreast of this is a tall order, which is why cyber security specialists like us have developed methodologies to understand the permutations. The key is employing Cyber Security Maturity (CSM) modelling, which allows organisations to understand their security posture with granularity, providing a roadmap to robustness.”
The rate at which businesses are generating data is only going to continue to grow and IT security professionals need to be able to quickly identify which items are the highest priority for protection. As Jan van Vliet, VP and GM EMEA at Digital Guardian remarks, “Not all types of data are as sensitive or vulnerable as others and it's for this very reason that data discovery and classification techniques are crucial parts of any organisation’s data security strategies.
“The first step in keeping customer information protected is to understand what value the data has, where it is being used, whether it needs to be encrypted, and how employees or third parties are interacting with it,” he continues. “This information is central to helping organisations make informed decisions about how to manage and secure data appropriately. It’s not a one-size-fits-all approach, but done correctly, it can greatly assist companies in meeting governance and compliance regulations, as well as protecting intellectual property.”
Pros and cons of mobility
Additionally, in recent years, the use of mobile devices in the workplace has soared as organisations have become more aware of the benefits that flexible working practices can have on productivity, and in turn, on the bottom line. “However,” comments Mike Schuricht, VP Product Management at Bitglass, “those same organisations can be less keen to acknowledge the security risks associated with having so many vulnerable endpoints connecting to the cloud and corporate network.
“For most, the answer lies in a ‘trusted device’ security model where the devices have some basic protections and the organisation has some kind of control. Employees with trusted devices often have access to some of the most secure data in an enterprise. However, all endpoints remain vulnerable to loss, theft, and cyber-attacks that target data rather than the device. The fact of the matter is no matter how locked down a device is, the risk of data leakage can never be eliminated. Device security cannot be the cornerstone of an effective security solution.
“The solution is to focus on the data, rather than device. This approach will help to sidestep the major privacy and logistical issues associated with more invasive, device-based security tools, like Mobile Device Management (MDM) or Mobile Application Management (MAM) and lead to a win-win for organisations and employees.”
Taking all of this into consideration, it’s imperative that organisations keep data protection top of mind. There is no fine line to tread when it comes to data protection, no doubting its importance, and no lack of best practice and technology to minimise the risk. Perhaps the only missing piece of the jigsaw is the determination of data owners to work harder than the criminals.