Every day is Data Protection/Data Privacy awareness day at SC, so there should have been no need for any special promotion of the issues to our readers – but given that the industry has chosen this day to publicise and promote the issue, and the fact that data breaches continue to happen, it would seem advisable to pass on the observations, warnings and advice for best practice emailed to SC for the occasion.
Both the scale and extent of last year's breaches – a data awareness year – are drivers for action, further spurred on by the upcoming EU General Data Protection Regulation (GDPR) with fines of up to four percent of a company's global revenue. While everyone agrees that people are a major vulnerability, there is disagreement over the extent to which education or technology is the solution, and whether we can actually learn to value our data as individuals. And while there are no easy answers, we do need to make sure we don't get stung by not doing the easy stuff.
Jens Puhle, UK managing director at 8MAN, observes that despite all the concern about attackers, the biggest risk of all is that of an internal data breach. To protect themselves against this risk, organisations therefore need to ensure that only the people who need access to certain documents have it. Don't automatically give employees administrator rights; go through and allocate permissions based on job requirements. “Measures can be implemented to ensure that access is only granted on job function and that alerts can be set up if data is accessed at unusual hours and from remote locations,” says Puhle.
He adds that what matters most is not EU GDPR and potential fines; it is that “an internal data breach is the biggest threat to any organisation and can cause the most damage. Protecting their data from the inside is critical and is what businesses should be focussing on today.”
Also worried about the workforce is Richard Anstey, CTO EMEA, Intralinks, who agrees that human error remains a huge problem and causes a significant number of data leaks, but suggests education is the answer. He says that many employees bring bad cyber-security practice from home into the workplace, and businesses don't realise the implications that bad security habits can have on an organisation.
“Educating the workforce is as critical as implementing technology solutions to manage data flows, especially when handling very sensitive information, such as intellectual property. It is not financially viable – or legally sound – to focus solely on technology, process, or employee activity individually, because all three are important. There's no silver bullet.”
Anstey cites a recent survey by Intralinks and Ovum which revealed that 55 percent of businesses said they are planning new training on the GDPR for their employees, but worryingly 52 percent also expect to be fined.
He concludes: “If we want to take back control of our data, we need to start by ensuring businesses know what value their data has, where it flows across the world, where it is encrypted and how it's being used by its employees. Only then can organisations make informed decisions about how to manage and secure data appropriately. For this reason, you'll see more Chief Privacy Officers on executive teams in the coming years.”
Echoing the need for education and social understanding of the value of our data, Raj Samani, CTO for Intel Security EMEA, draws the contrast in society between, on the one hand, often being outraged over regular news around data breaches, while on the other hand, trading our identities for a chocolate bar or less, often volunteering intimate data such as medical or financial information. He warns: “In 2016 we're only going to see the further exploitation of people's data and the expansion of what we call the 'data economy', especially as the Internet of Things becomes part of our day-to-day lives with smart homes fast becoming a reality. Data Privacy Day serves as a reminder for us as a society to wake up to the fact that what an organisation knows about us is among its most valuable and marketable assets. It's time we stop declaring ourselves 'data bankrupt' – what we're doing when we assign zero value to our information, buying patterns and preferences.”