As we enter a new decade, data protection and IT security are more important than ever. But as organisations evolve towards increasingly intertwined business models, it’s not only their own security they need to consider, writes Andy Kennedy, Security Engineer at Google Cloud.
Those relying on technology and infrastructure managed and run by other businesses need to ensure that every link in their supply chain is secure. A natural suspicion of technology can be healthy; however, it shouldn’t impede an organisation’s capacity to extract value from the data it holds. As part of the risk management function, it’s essential that businesses pay due attention to the possible consequences of inappropriate use of this data.
At the same time, the technology industry needs to be transparent in its operations, measured in its use of data entrusted to it for the agreed purpose of providing a given service, and must allow companies full control and ownership of their own data. Only then can organisations harness the full potential of their information with trust.
Start with Knowing the Relevant Regulations
Security is a top priority. But it’s not only the well-documented cyber attacks businesses need to be concerned about; one recent concern regarding business data has focussed on the Clarifying Lawful Overseas Use of Data Act or, put simply, the CLOUD Act.
The regulation is a US cross-border law which requires technology, data and communication companies to provide relevant information held on their servers when requested as part of a criminal investigation. Given that this includes customer data, companies are entitled to reject or challenge the request if they believe it violates specific privacy rights.
Looking into exactly how the CLOUD Act works and what it means for your business or supplier can prepare you for how your data might be affected in future uses of the act. Understanding this upfront will give you an edge when considering the legal implications for your ongoing corporate data policy, and will inform decision making on cloud infrastructure developments.
Establish Trust Along the Supply Chain
The key to establishing trust is to have visibility as a company – or even as an industry – on the respectful use of data. In the first instance, an industry should make its processes public – and specifically the processes by which data can be shared with a third party. These processes are becoming more complex as organisations start to work closely with other businesses along the supply chain. If a supplier has to rely on a third party with which it must share data, it’s important to ensure this doesn’t have a ripple effect and impact your organisation further down the supply chain. A culture of transparency must be upheld across suppliers, who should provide details of their own security controls and processes to manage any third party requests for information.
Understanding how these interdependent business models work means organisations can contractually establish the obligations of each party upfront and set clear and rigorous rules for data protection and security. This same climate of trust can only be made stronger if authorities communicate directly with organisations, explaining when, how and why they are requesting access to data.
In today’s digital world, every business depends on technology to meet its goals. The success of data-driven businesses has been made possible by technology being able to quickly gather insights from large volumes of data. Rightfully, this has also resulted in greater scrutiny of how data is used and protected throughout its lifecycle.
While security remains the responsibility of the company collecting the data, technology providers, or data processors, need to bear some responsibility too, for the security of those using their product or software. Using their intelligence on threats, vendors can establish a complete view of potential security risks and support organisations accordingly. This should include both identity and access management and data loss prevention, as well as encryption of data, whether at rest or in transit.
Businesses should contractually commit technology providers to technical controls to reduce vulnerabilities, as well as confirm upfront agreements on third-party processing or access. These contractual obligations will strengthen the commitment and trust between a company and its supplier.
Harness the Power of your Data
Information is the lifeblood of modern organisations, but not every business is in the position to harness its potential. Dedicated specialists within the company need to act as the custodians of customer data, orchestrating how information flows through the business. Better data governance, cataloguing and lineage means that not everyone in a business needs to have access to everything, enabling businesses to better manage both the data lifecycle and who is granted access, when and in what capacity. Such visibility and control should not be limited to internal data management, but should also extend to outside business partners and suppliers. IT providers are required to give organisations the keys to data management, and to offer all the technological means and methods to enable them to be in control of their own data.
As we know, data has become an organisation’s most valuable asset – but its potential can only be achieved when it’s properly understood, managed and used appropriately. To do these things effectively, companies need to be able to harness the controls that the technology offers. The benefits of cloud technology and “smart” data management tools are far too important for companies to hesitate in their adoption due to security fears. There are regulatory and technological resources already available and under development to allow the intelligent and effective use of data. With strengthened security measures in place, the technology industry transparent in its operations, and companies in control of their own data, organisations can leverage the full potential of their information moving forward.