In 2020, we saw a number of huge corporations held to account for their mishandling of data and the breaching of the General Data Protection Regulation (GDPR). So far, there have been more than 281,000 data breach notifications submitted to regulators, with GDPR fines accumulating roughly €272.5m ($332m, £45m) since 2018.
While regulators have shown a degree of leniency, reducing fines in a number of high-profile cases due to the financial hardship caused by the pandemic, GDPR compliance is not something to scrimp on. GDPR will continue to impose tough penalties on those who violate its privacy and security standards, and for that reason companies must take responsibility for their collection, storage and processing of personal data. Otherwise, they face the wrath of the ICO.
ITProPortal spoke with eight industry experts to understand today’s most challenging data protection concerns, and what organizations can do to keep data security at the top of the business agenda.
It’s just good business sense
“Consumers are constantly discovering the information that is collected about them, how that data is used, and how daily breaches put that information at risk,” says Anurag Kahol, CTO and co-founder at Bitglass. “Consequently, to maintain consumer trust (and remain compliant with regulations), it is imperative that companies make security a top priority.
“This past year marked a pivotal change in how companies conduct business, with most being forced to rapidly shift to a remote work style of operations due to the global Covid-19 pandemic. We are going to see a permanent blend of remote and in-office work, as well as mobile employees whose workspaces are constantly changing. Organizations must be prepared to continue to operate in this manner while ensuring that data is secure no matter where or how it is accessed.”
The importance of knowing where your customer data is stored, how it is used and who can access it, is often overlooked. However, “organizations must have an accurate inventory of data,” Anurag continues. “This is critical for adhering to data privacy regulations including GDPR and CCPA, because if companies don’t know the information they have or where it is going, then they cannot properly protect it.”
For Tim Bandos, CISO, VP Managed Security Services at Digital Guardian, organizations managing their data securely and efficiently is more vital than ever. Losing it, or losing control over it, can have a detrimental impact. “Data is the lifeblood of most modern companies and the long-term negative impact on those who suffer breaches demonstrates just how serious the issue of data loss has become today.
“For those of us who are now working from home, the threat level posed by the blurred lines of using personal devices to respond to work emails, or using our work laptop to buy something online, has increased exponentially.
“With such a high volume of data flowing in and out of businesses every day, effective data protection strategies must embrace the following: 1) visibility to all data, all the time; 2) analytics to understand and manage risk; 3) controls to enforce data protection policies and 4) a consolidated view into all threats targeting sensitive data. Taking a comprehensive approach while implementing cybersecurity controls is imperative for protection, especially when it comes to sensitive and valuable customer or financial information. Fundamentally, what we’re talking about here is no-compromise data protection for your no-compromise organization.”
It’s a human resources and IT issue
When a business poorly manages its data and it becomes compromised, people are the collateral. Since GDPR, there has been growing recognition of, and concern about, how individuals share their personal data and what information they allow companies to store.
This is as much an internal HR issue as it is a consumer one, says Samantha Humphries, senior security strategist at Exabeam. “HR and IT teams should collaborate to understand what data their company is monitoring, and why. Transparency is key where data monitoring is concerned, and companies should aim to craft policies that are easily accessible.
“Clear, concise and jargon-free communication will be valued by employees, especially if they are provided with an appropriate point of contact for questions. This best practice will pay dividends, as everyone wishes to work with organizations that respect the privacy and security of their customers and employees. It is good practice for organizations to question: Is data monitoring lawful and fair? Will it be used for a specific purpose? Are reasonable steps being taken to erase or rectify data? Is data deleted once it is no longer necessary? And is data being appropriately secured?
“To maintain effective privacy, organizations should also make sure they continually educate themselves on new policies, practices and laws. Only by keeping privacy at the top of the agenda can companies confidently reassure employees their data is secure and protected.”
Gareth Tolerton, Chief Product Officer at Totalmobile, emphasizes the importance of protecting data being generated and accessed by employees, particularly with the shift to remote work. “For organizations with mobile workers, the challenge is even greater – mobility extends your company’s digital footprint, and therefore the perimeter of what you need to manage.
“Data protection is a global compliance requirement, it’s not only about GDPR. Organizations working around the world need to be aware of the latest requirements in every country, and ensure that their systems and processes meet these needs. To do so, there are a few top tips to follow. Ensure that you have specific policies in place around the handling, storage, access, visibility and transmission of personal data, so that staff know exactly when and how they can interact with this. In the same vein, training is vital. Initial GDPR training would have occurred almost three years ago, so regular refreshers are key to keeping teams secure. And finally, organizations that can appoint a dedicated Data Protection Officer will be able to give their full attention to internal compliance strategies and processes, adding that extra layer of protection.”
Guidelines on video surveillance
We often think of data as numerical or written personal information stored about us in a spreadsheet: names, addresses, usernames, passwords. But what is more personal than video? CCTV footage, video and pictures are also subject to the GDPR, and companies need to be equally vigilant in complying with the regulation.
For Martin Taylor, Deputy CEO and co-founder at Content Guru, unified solutions are the answer to maintaining compliance: “In a recent report, research firm MarketsandMarkets estimates that the enterprise video market will grow from $16.4bn in 2020 to $25.6bn by 2025, but points to limited interoperability of different enterprise video solutions as a key challenge facing organizations. This is particularly poignant for organizations in heavily regulated industries, such as financial services, where firms are now faced with the data protection implications of collaboration application sprawl.
“Technical complexity requires an effective technology-led response and organizations must apply this mantra to their compliance and data protection obligations. The answer may be unified solutions, which provide a platform to take advantage of these best-of-breed video technologies and offer resources such as search-and-replay, e-discovery and end-to-end trade reconstruction across a diversified technical ecosystem. Now and for the future, the ability to analyze an entire dataset, as opposed to random manual sampling, is the key to eliminating gaps in reporting.”
Rishi Lodhia, Managing Director EMEA at Eagle Eye Networks, suggests that video monitoring in the cloud ‘as a service’ offers companies effective data management with secure remote access. “When it comes to cloud-managed video surveillance, confidentiality, integrity, and availability of the networked systems and the data they contain are of utmost importance,” says Rishi. “But that’s not always easy to achieve as traditionally-built networked video management systems require a significant amount of highly technical configuration to operate as a cyber-secure system. However, today’s purpose-built video surveillance products are made with security pre-configured systems. They’re cyber-secure by design. Still, these systems have to be updated and upgraded, which can be a cumbersome and very manual process. When delivered ‘as a service’ instead, users can be sure that the platform is run by a professional team of experts as up to date as it can possibly be, thereby minimizing the risk that sensitive data could be unlawfully accessed or worse, stolen.”
Supporting businesses on data-driven decisions
Forward planning and understanding the needs and concerns of your customers is the key to best practice for securing data, says Rich Pugh, Chief Data Scientist at Mango Solutions, an Ascent company. He explains: “It means mapping and properly planning all data-based projects, with clear desired outcomes. Our approach ensures any data required for ‘customer insight’ projects is anonymized, to ensure appropriate compliance.”
Aligning business objectives with relevant legislation can give organizations better control of their data. Jay Ryerse, VP of Cybersecurity Initiatives at ConnectWise, agrees that data protection needs to be top of mind for all business leaders. What’s more, it is important for all employees, partners and vendors in the supply chain to understand their personal role when it comes to complying with GDPR.
“The age of data privacy and security is now. We are continuing to educate colleagues and our customers that data privacy should be built into everything we do. Service providers need to fully immerse themselves into the threat landscape and the best practices associated with securing data. Without cybersecurity, there is no such thing as privacy. This deep dive includes the governance aspect of data protection as well as the technical and physical controls necessary for the confidentiality, integrity, and availability of data.
“Consumers and businesses need to start asking the tough questions of their vendors. They need to understand the supply chain for the services they outsource and what those companies are doing to provide the best-in-class cybersecurity protections. If those vendors don't believe they are at risk, then it may be time to find a new provider.”
Anurag Kahol, CTO and co-founder at Bitglass
Tim Bandos, CISO, VP Managed Security Services, Digital Guardian
Samantha Humphries, senior security strategist, Exabeam
Gareth Tolerton, Chief Product Officer, Totalmobile
Martin Taylor, Deputy CEO and co-founder, Content Guru
Rishi Lodhia, Managing Director EMEA, Eagle Eye Networks
Rich Pugh, Chief Data Scientist, Mango Solutions
Jay Ryerse, VP of Cybersecurity Initiatives, ConnectWise