January 28 marks Data Protection Day, known in the US as Data Privacy Day.
Designed to promote privacy and data protection best practices, the annual Data Protection Day has grown ever more important in a world increasingly under attack from cyber criminals.
Despite government action to regulate and protect citizens’ data with laws such as GDPR, data is a commodity highly sought after by both criminals and enterprises. Consumers and businesses alike are urged to take stock of their data practices on this day, review processes and understand the what, where and how of their data.
To celebrate Data Protection Day, CBR reached out to industry experts to get their advice and thoughts on what businesses need to do in this increasingly complex data world.
Trust Is Key
Doug Davidson, global head of cloud security offers and UK cyber security CTO at Capgemini
Trust is a key part of any relationship, particularly when between a business and its customer – which can have serious consequences if it’s broken. Protecting data should therefore be of paramount importance to every business that holds sensitive information. This not only means having the right security solutions in place, but also making sure everyone in the company that comes into contact with that data knows how to protect it. With the Government recently showing its commitment to boosting cybersecurity, the UK is certainly heading in the right direction. However, this needs to focus on improving the skills of those handling the data, as more often than not, it is employees that are found to be the weakest link.
Understand the Value of Data
Thomas Fischer, threat researcher and security advocate at Digital Guardian
The first step in keeping customer information protected is to understand what value the data has, where it is being used, whether it needs to be encrypted and how employees or third parties are interacting with it. This information is central to helping organisations make informed decisions about how to manage and secure data appropriately. It’s not a one-size-fits-all approach, but done correctly, it can greatly assist companies in meeting governance and compliance regulations, as well as protecting intellectual property.
With Great Data, Comes Great Responsibility
Jason Hart, CTO, Data Protection, Gemalto
In an age of convenience, consumers are more than happy to share personal data with businesses and organisations, as long as it enhances their online and offline experiences. Whilst this provides considerable benefits to the business receiving the data, it also comes with a huge responsibility – consumers expect that their data will only be accessed by internally authorised individuals, and be completely secure from external threats.
Businesses must implement encryption to ensure that the data they hold is secure, and can only be accessed by select individuals. Additionally, two-factor authentication is crucial in helping mitigate any outside threats. By encrypting the data, and managing the encryption keys properly, the data is useless to the hacker, as well as any unauthorised personnel within the organisation. This means that, even if a breach takes place, consumer data remains private.
Cyber Insurance Will Not Protect You
Lillian Pang, Senior Director of Legal and Data Protection Officer, Rackspace
Towards the end of the year we are likely to see more UK businesses turning to contingency measures such as ‘cyber insurance’ to protect themselves from data breaches. This is likely to be driven by businesses that wish to safeguard themselves against potential fines emanating from the upcoming GDPR legislation. In turn, we will have to wait until 2018 to see how sizable the pay-outs on cyber insurance claims are, and thus, how effective they will be for businesses. It’s important to remember that while cyber insurance may help with financially protecting them in the event of a data breach, it will not be sufficient to protect businesses from any costly reputational damage.
The sooner organisations work towards compliance with the latest regulations, the sooner they can be confident of their own security, and reassure the businesses and customers they work with. To help businesses understand the steps they should take to ensure compliance, they should turn to their Privacy experts or DPOs, CIOs and CSOs, or source additional expertise externally.
End Procrastination in the Cloud
Wieland Alge, VP & GM EMEA at Barracuda Networks
The GDPR might seem a way off, but compliance will require businesses to make some significant changes to their privacy policies, culture and technologies. If one thing is for sure, data protection will have to become a cornerstone of security strategy.
One area especially relevant to this is the cloud, which is now widely being used both for the storage of data and to host applications that may contain sensitive customer information. Placing layered protections around cloud services, above and beyond those offered by the cloud vendors themselves, will help ensure that customer information is not being left open to cyber attack. The time for procrastination has passed; organisations should start looking for ways to future-proof their data protection policies now.
Annual Training Is Not Enough
Tom Pendergast, Chief Strategist of Security, Privacy, and Compliance at MediaPro
You’ll never create a privacy-aware culture by releasing annual training; you won’t even get there with quarterly training. But if you consciously plan to create moments that engage people’s thinking, and if you weave those moments throughout the year—if you weave them into the fabric of your culture—you stand a good chance of making data protection one of the central values of your company. That’s why doing something to spark conversation and engagement on Data Privacy Day is so important.
Have a Plan B
Rob Strechay, VP of Product, Zerto
Coming off a year of numerous high-profile data breaches and with ransomware still running wild, businesses need to not just prepare for an attack, but ensure they can maintain critical business operations in such an event. While IT security efforts largely focus on defending the perimeter fence, there are too many opportunities for hackers to get past these defences to not have a well-constructed and easily implemented “plan B” in place.
That plan B must include being able to quickly and as completely as possible recover critical data using proper tools and processes to help significantly reduce, if not nullify, the impact of the intrusions. Traditional backup is nice, but it is critical to implement and successfully test a rigorous business continuity and disaster recovery strategy.