There are currently over 111 data protection regulations and standards around the world. Many of these are widely known in the IT security and technology industry, such as HIPAA, Sarbanes Oxley Act, ISO 27001, UK Data Protection Act and EU GDPR. There are also lesser known regulations, such as the Network and Information Security Directive (NISD).
Regardless of how well-known regulations are, businesses are nevertheless expected to both understand and comply with each and every one of them. What’s more, the ability to impose record-level fines when these regulations are not adhered to is one of the key weapons in the armoury of data protection regulators.
When a business fails to adequately protect sensitive information, it could face both legal and financial problems. What’s alarming is that when we asked IT professionals in the US and UK about their concerns with regard to data privacy regulations, most businesses flagged that they are more interested in protecting their reputations (48 per cent) than in passing audits (38 per cent). Many of these organisations are further risking the health of their businesses by performing compliance audits and assessments as little as twice a year or, worse still, only when requested.
What organisations are failing to realise is that regulatory fines and failed compliance audits are only the beginning of the negative consequences they could face. Their reputation, which we already know is highly important to them, will be on the line. By suffering a data breach, they would not only be at risk of losing customers; more often than not, sales see a considerable decline, and that could lead to a fall in share price. If they truly hold reputation dear, then they should be doing everything within their power to ensure that this does not happen, and reputational risk must be fully considered when agreeing their IT security and governance programs.
The TalkTalk data breach is still at the forefront of most people’s minds. Not only did it result in a regulatory fine of £400,000, which has this week been increased to £500,000 due to “unlawful and unauthorised access” by a third-party supplier, it also cost the organisation more than £60 million in lost revenues and exceptional costs. Considering that the upcoming GDPR threatens victims of data breaches with fines of €20m, or 4 per cent of annual worldwide turnover, whichever is greater, now really is the time for companies to take heed and learn from these mistakes.
As the enforcement date for the EU GDPR fast approaches, I firmly believe that now is the time for organisations to sit up and listen when it comes to understanding the value they are placing on their reputation. And data protection regulations need to be respected now more than ever. With the arrival of severe consequences and requirements around criteria such as the ‘right to be forgotten’, as well as data breach notification within 72 hours, it should undoubtedly focus CIOs’ minds on the importance of permanently erasing data when it is no longer needed, when it reaches its end of life, when customers demand its removal upon terminating their subscriptions/accounts and when it is required by regulators for compliance purposes.
We need to get organisations to change their thinking in order to better protect their reputation. They should be encouraged to make it a priority to conduct audits on a regular basis to enable them to identify existing gaps and problems within their IT infrastructure and security posture. This will allow them to both correct such problems, as well as to drive complete regulatory compliance in the future.
The more often audits take place, the more certain an organisation can be about exactly how much data it is responsible for. After all, the more data you hold, the higher the chance that you have forgotten some of it exists. If you’re unsure of the types of data you hold, you have less chance of understanding how to properly prioritise actions to protect that data and prevent it from being accessed or exposed. If you’re unsure of the volume and type of data you’re working with, how can you properly manage it, mitigate the risks and prevent unnecessary data theft? Without a comprehensive picture of your data landscape, if your organisation were to fall victim to a data breach, it would become all but impossible to fully comprehend the scale of the issue and how many people it affected. This really could be the point at which your reputation truly comes into question.
One recent example of this is when four-year-old data from 200 million Yahoo! accounts was leaked onto the dark web by the hacker “Peace”. What the organisation had failed to realise is that as data ages its usefulness diminishes until it eventually changes from being an asset to being a problem.
In order to fully comprehend the extent of the data an organisation holds, it first needs to classify the data that already exists. You might think this is obvious, but we often see that this first step is the one that gets overlooked. Once this has been completed, you can then think in terms of data lifecycle management. This is a comprehensive approach to managing the flow of an information system’s data and any associated metadata from the point of creation and storage to its end, where it becomes obsolete and must be sanitised so that it can never be recovered.
Many organisations are also completely unfamiliar with how much data storage is actually costing them, including both soft and hidden costs. Once you are fully aware of how much money you are spending to store obsolete data, you will be able to see the true benefit of erasing that unnecessary data (as well as how much money could be saved). The next important step is to create and maintain processes for classifying and then erasing your unnecessary data, and to regularly monitor and update how your data management processes are controlled.
As the number of data breaches increases every year and hackers become more and more sophisticated, organisations themselves need to become increasingly astute in terms of protecting their reputation. The bottom line is, to avoid attacks, you need to know what you’re storing, where and why. Many organisations have been able to mitigate their security risks through data erasure, and thereby, protect the reputation they have worked hard to establish.
Richard Stiennon, Chief Strategy Officer, Blancco Technology Group