Every day is Data Protection/Data Privacy awareness day at SC, so there should have been no need for any special promotion of the issues to our readers – but given that the industry has chosen this day to publicise and promote the issue, and the fact that data breaches continue to happen, it would seem advisable to pass on the observations, warnings and advice for best practice emailed to SC for the occasion.
Both the scale and the extent of last year's breaches – a year that raised data awareness – are drivers for action, further spurred on by the upcoming EU General Data Protection Regulation (GDPR), with fines of up to four percent of a company's global revenue. While everyone agrees that people are a major vulnerability, there is disagreement over the extent to which education or technology is the solution, and over whether we can actually learn to value our data as individuals. And while there are no easy answers, we do need to make sure we don't get stung by neglecting the easy things.
Jens Puhle, UK managing director at 8MAN, observes that despite all the concern about external attackers, the biggest risk of all is that of an internal data breach. Therefore, to protect themselves against this risk, organisations need to ensure that only the people who need access to particular documents have it. Don't automatically give employees administrator rights; go through and allocate permissions based on job requirements. “Measures can be implemented to ensure that access is only granted on job function and that alerts can be set up if data is accessed at unusual hours and from remote locations,” says Puhle.
He adds that what matters most is not EU GDPR and potential fines, it is that, “an internal data breach is the biggest threat to any organisation and can cause the most damage. Protecting their data from the inside is critical and is what businesses should be focussing on today.”
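As an added example (not from the original article or any 8MAN product), a small Python check that applies the two controls Puhle describes: a job-function permission list, and alerts when a document is read outside working hours or from outside the office network. The role mapping, the corporate address range, the working hours and the log lines are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed job-function permissions: which roles may read which documents.
ROLE_DOCS = {
    "hr": {"payroll.xlsx", "staff_records.db"},
    "finance": {"payroll.xlsx", "ledger.csv"},
    "engineering": {"design_spec.docx"},
}
USER_ROLE = {"alice": "hr", "bob": "engineering", "carol": "finance"}
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
WORK_HOURS = range(8, 19)                         # 08:00-18:59 local time

def parse_line(line):
    """Parse one constructed log line: 'ISO-timestamp user src_ip document'."""
    ts, user, ip, doc = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "doc": doc}

def check_event(ev):
    """Return the list of alert reasons for one access event (empty = clean)."""
    reasons = []
    role = USER_ROLE.get(ev["user"])
    if ev["doc"] not in ROLE_DOCS.get(role, set()):
        reasons.append("not-permitted-for-role")   # access outside job function
    if ev["ts"].hour not in WORK_HOURS:
        reasons.append("outside-work-hours")       # unusual hour
    if ev["ip"] not in OFFICE_NET:
        reasons.append("remote-source")            # remote location
    return reasons

def scan(lines):
    """Map each offending (user, document, timestamp) to its alert reasons."""
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        reasons = check_event(ev)
        if reasons:
            alerts[(ev["user"], ev["doc"], ev["ts"].isoformat())] = reasons
    return alerts

# Constructed sample access log, not real data.
SAMPLE_LOG = [
    "2016-01-28T10:15:00 alice 10.1.2.3 payroll.xlsx",    # HR, office, daytime
    "2016-01-28T02:40:00 bob 10.1.2.9 payroll.xlsx",      # engineer, 02:40
    "2016-01-28T14:05:00 carol 203.0.113.7 ledger.csv",   # finance, remote IP
]

if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_LOG).items():
        print(key, reasons)
```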
Also worried about the workforce is Richard Anstey, CTO EMEA, Intralinks, who agrees that human error remains a huge problem and causes a significant number of data leaks, but suggests that education is the answer. He says that many employees bring bad cyber-security practice from home into the workplace, and that businesses don't realise the implications bad security habits can have for an organisation.
“Educating the workforce is as critical as implementing technology solutions to manage data flows, especially when handling very sensitive information, such as intellectual property. It is not financially viable – or legally sound – to focus solely on technology, process, or employee activity individually, because all three are important. There's no silver bullet.”
Anstey cites a recent survey by Intralinks and Ovum which revealed that 55 percent of businesses said they are planning new training on the GDPR for their employees, but worryingly 52 percent also expect to be fined.
He concludes: “If we want to take back control of our data, we need to start by ensuring businesses know what value their data has, where it flows across the world, where it is encrypted and how it's being used by its employees. Only then can organisations make informed decisions about how to manage and secure data appropriately. For this reason, you'll see more Chief Privacy Officers on executive teams in the coming years.”
Echoing the need for education and a social understanding of the value of our data, Raj Samani, CTO for Intel Security EMEA, draws a contrast: society is regularly outraged by news of data breaches, yet trades identities for a chocolate bar or less, often volunteering intimate data such as medical or financial information. He warns: “In 2016 we're only going to see the further exploitation of people's data and the expansion of what we call the 'data economy', especially as the Internet of Things becomes part of our day-to-day lives with smart homes fast becoming a reality. Data Privacy Day serves as a reminder for us as a society to wake up to the fact that what an organisation knows about us is among its most valuable and marketable assets. It's time we stop declaring ourselves 'data bankrupt' – what we're doing when we assign zero value to our information, buying patterns and preferences.”
Samani advises that we need to think about our data: where it is going, who is using it and what we are giving it away for. We need to be even more cautious and hard-nosed about entering into data transactions, driving harder bargains and asking ourselves smart questions such as 'who will our data be shared with and how is it going to be protected?'
In contrast, David Mount, director, security solutions consulting EMEA, Micro Focus, sets out a plea for greater use of technology, observing that something definitely isn't working given that significant data breaches continue every week. “My feeling is that often there's too much emphasis placed on users to uphold security. We know people are the weakest link in the security chain, and yet too many solutions still rely on users making good security decisions.
“The harsh reality is that most employees don't really care about security. And even those who do are going to get it wrong sometimes, especially as attacks grow more sophisticated and targeted. As an industry, when we consider users to be the last line of defence, the technology has failed. At an employee level, we need security solutions to take the responsibility for fundamental security decisions away from users. Experience has shown that it's difficult to get users to make smarter decisions, but smarter technology will always make better choices which will have a definite positive impact on an organisation's security stance.”
And Lawrence Munro, director of EMEA and APAC, Trustwave, cites both the EU GDPR and last year's slew of high-profile security breaches as making this a most pressing time for organisations to pay attention to Data Protection Day.
“With so much at stake, no organisation can afford to take any chances. We continue to see Password1 as the most common password year after year, and such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers into financial or data theft.
“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” concludes Munro.
Eduard Meelhuysen, VP EMEA at Netskope, also followed up on the EU GDPR, noting that it will require organisations to take adequate measures to ensure the security of personal data, and that it applies to any business operating in the EU. He advises that as a result, “2016 will see major organisational manoeuvring as businesses rework data storage and sharing to ensure they are not in breach of these regulations. Businesses can – and must – take steps to protect their data. Careful planning, clever policy setting and enforcement, and staff coaching can all mitigate risk, but businesses must implement these actions now to ensure the appropriate level of protection is in place before it is too late.”
Mark Noctor, EMEA sales director at Arxan Technologies, notes that 84 percent of all cyber-attacks occur at the application layer (according to SAP figures) and highlights the critical role that applications play in protecting data. He adds: “Often in the rush to bring new apps to market, businesses tend to overlook critical security measures. Businesses must ensure that robust security such as runtime application self-protections, are baked into their applications before the apps are released into the wild. This not only allows the security to follow the app no matter where it goes, on any device, but it also safeguards the integrity and confidentiality of the application, and the sensitive data and IP within it.”