Whitepaper | Data Protection for the Information Economy: The Data Awareness Challenge
Data protection is increasingly recognised as fundamental to trade, security, and privacy in our modern information economy. Data protection legislation has been passed in almost 80% of countries, all mandating the same universal principles of data protection. Fundamental to meeting any data protection legislation is knowing your data: what you have, why you have it, how you got it, what you do with it, and where you keep it. Building data awareness through validated data discovery is now an essential element for an effective data security strategy capable of navigating a data-driven landscape, but with new regulations being introduced and the rapid proliferation of data, can businesses keep up?
We invited a group of CISOs, IT directors, VPs of information security, and data management leads to discuss their approaches to data protection, and more about:
- Tackling the ever-evolving regulatory landscape
- Managing the risk around data awareness
- Adapting to modern ways of working while staying secure
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
About Ground Labs
Ground Labs enables organisations to discover and remediate all of their data across multiple types and locations – be that on servers, on desktops, or in the cloud. Ground Labs takes the guesswork out of compliance as their solutions, Enterprise Recon and Card Recon, empower organisations to meet and adhere to an ever-changing set of global and regional regulations, including GDPR, PCI DSS, CCPA, HIPAA, and the Australian Privacy Act.
A constant battle
With data protection becoming increasingly important as organisations expand into global data landscapes, organisations are taking data protection risks more seriously than ever. New regulations and compliance laws are written all the time to help guide organisations, but between GDPR, PCI, HIPAA – the list goes on – organisations are struggling to keep up. To compound the issue, more data is being created, moved around, duplicated, and shared all the time. To stay on top of this shifting landscape and avoid falling afoul of regulatory requirements, organisations need to know their data inside and out.
Regulations and risks
Our global panel of experts all agreed that it can feel like new data processing agreements are coming in every day. The common-sense approach is to treat local regulations as the baseline and expand compliance as required when the organisation comes into contact with other laws. Fortunately, the technicalities of these regulations often overlap, meaning that if you are working to comply with the GDPR, for example, you are already in a good position should another regulation need to be met. However, this doesn’t account for sudden updates or changes that could require immediate action, a notable example being the Schrems and Schrems II judgements.
What is the price of inaction? It varies, meaning that organisations need to stay on their toes. A lot of regulations will impose serious fines, and while some offer a grace period if businesses can demonstrate that they are on the way to compliance, not all do. Regulations like the USA’s Federal NIST standards leave no wiggle room and can result in jail time if not met. PCI data regulations will come down on organisations looking for evidence of compliance before any hint of a violation. Our panel were all well aware of the risks and work diligently to take the necessary steps to stay compliant, but not every organisation has the maturity required to manage these risks. In order to do so, a culture of data awareness needs to be fostered.
The biggest nightmare for IT and data security experts is data exfiltration. You can manage the risk with technology such as immutable backups, data loss prevention (DLP) solutions, and identity and access management (IAM) tools. From a technology standpoint, our panel were all confident that their systems were protected and could be recovered if needed. Where they were most concerned was the human element, as ultimately, you are only as secure as your weakest link.
Short of totalitarian levels of control, there will always be a risk that someone could misplace a USB stick, leave their laptop open where they shouldn’t, or take screenshots of sensitive information. As a result, focusing on good education and reinforcement is a critical element of securing against insider threats, be they malicious or accidental. While our panel agreed that technology alone is not enough, and that rigorous training and education are also needed, they were also quick to point out that you can’t protect what you aren’t aware of: without data awareness, no amount of security or training will make a difference.
Building data awareness has traditionally started by speaking with the business teams and putting together a data map. Once IT teams have a good understanding of what is happening in each area, then they can swoop in with the technology required to secure it. Our panel were quick to point out the snag in this approach – working with the business teams will only tell you about the data they know about but won’t cover what might be happening or might have happened outside of their knowledge. Getting into the habit of scanning your systems and data at rest will help to provide a clearer picture of where your data is and how it is being used.
What you aren’t aware of
Traditionally, data scans have been driven by assumption. The folly in this is that the biggest risk will always be around the data the organisation isn’t aware of. Factoring in what you aren’t aware of is understandably difficult, which is why careful structuring of the data landscape is so important. Our panel had seen success with compartmentalising their data and providing each group with spaces of privileged access to work in. Further network segregation ensured that the risk of data crossing into places it shouldn’t was minimised, making it harder to lose track of.
Another important piece of the puzzle is effective data classification. To minimise the risk of incorrect classification muddying the waters, our panel were using automation to maintain data health and classification integrity. Where the burden of human error can’t be minimised, the focus should be on training staff to understand the importance of data processes and reminding them that the responsibility for the data lies with them, not with the IT team.
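To make the two preceding ideas concrete, here is an added example (illustrative code written for this article, not Ground Labs’ Enterprise Recon or Card Recon logic) of a minimal validated data-at-rest scan: it walks a directory tree, finds card-number-shaped digit runs and e-mail addresses, discards digit runs that fail the Luhn check so that ticket numbers and similar false positives don’t pollute the results, masks anything it keeps, and tags each file with a classification label. The label names, the sample files and the temporary directory are all constructed for the demonstration.

```python
"""Added example: a minimal validated data-at-rest discovery scanner.

Walks a directory tree, looks for card-number-shaped digit runs and e-mail
addresses, keeps only card numbers that pass the Luhn check, and tags each
file with a classification label. Paths, labels and sample data are
constructed for this illustration and are not any vendor's product logic.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Digit runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits so reports never carry a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return masked PANs for every Luhn-valid digit run in the text."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


@dataclass
class Finding:
    path: str
    card_numbers: list = field(default_factory=list)
    emails: list = field(default_factory=list)
    labels: set = field(default_factory=set)


def classify(card_numbers, emails) -> set:
    """Hypothetical label scheme: PCI for card data, PERSONAL for e-mail addresses."""
    labels = set()
    if card_numbers:
        labels.add("PCI")
    if emails:
        labels.add("PERSONAL")
    return labels


def scan_tree(root: str) -> dict:
    """Scan every regular file under root; map relative path -> Finding."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            cards = find_card_numbers(text)
            emails = EMAIL_PATTERN.findall(text)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = Finding(rel, cards, emails, classify(cards, emails))
    return results


def build_sample_tree() -> str:
    """Constructed sample files: one Luhn-valid PAN, one Luhn-invalid run, one e-mail."""
    root = tempfile.mkdtemp(prefix="discovery_demo_")
    samples = {
        "finance/export.csv": "name,card\nalice,4111 1111 1111 1111\nbob,4111111111111112\n",
        "hr/contacts.txt": "Reach the team at hr-team@example.com\n",
        "docs/readme.txt": "Ticket id 1234567890123 is not a card number.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: labels={sorted(finding.labels)} cards={finding.card_numbers}")
```

Two design points matter here. Validation (the Luhn check) is what separates a discovery scan from a noisy pattern match: the 13-digit ticket id in the sample is shaped like a card number but is rejected, while the Luhn-invalid run in the finance export is dropped for the same reason. Masking the findings before they leave the scanner keeps the inventory itself from becoming another copy of the sensitive data it was built to find.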
The challenges of remote & hybrid working
While some organisations were already providing remote or hybrid working options, the vast majority were thrown into the deep end by the COVID-19 pandemic. New ways of working were quickly propped up, but what took longer to adjust to was the threat to data protection they introduced. It became all too easy for shadow IT projects to pop up, for sensitive information to be saved locally on devices it shouldn’t be on, and for VPNs to be abandoned for the sake of convenience. To combat this, some took a militaristic approach by forcing their users onto restricted virtual desktops. Others forced local storage to replicate onto shared drives so the business could at least see what was being created. Most common was the gating of important resources behind VPNs to ensure that disconnecting wasn’t an option. None of these approaches made IT the most popular team in the organisation, but they were deemed necessary by the most risk-averse organisations to protect sensitive data.
When it comes to securing remote and hybrid workforces, there is a balance to be struck between employee experience and sufficiently controlled data. Again, adequate training and the fostering of a data culture are essential to developing trust between the business and its staff. Security and IT teams need to be doing whatever they can to support this endeavour by rewarding good behaviour and, crucially, not punishing mistakes.
Data awareness & protection
We live in a world where knowing the what, where, and why of the data we’re handling is fundamental, because the security technologies we rely on can’t yet function autonomously without data awareness. In the meantime, organisations must track their data across every conceivable location and endpoint; only then can they make educated decisions about how to put the right controls around it.
Understanding your data is only half the battle. Staff are the custodians of that data, and they need to accept the importance of that responsibility if they are to ensure that data health is maintained. Technology and people working together will stand the best chance of effective data protection, but regulations aside, the only possible first step is to understand the data.