Building the Foundations of Effective Data Protection Compliance

Source: Enterprise Times

Author: Adam Strange

Achieving compliance across a wealth of new international data privacy laws and regulations is a growing challenge, with many organisations struggling to keep pace. A significant number still have not yet invested in data discovery and classification in their efforts to help fulfil compliance obligations. Add to this the open systems that employees have in place to communicate through the supply chain, especially in the new remote working dimension established by COVID-19, and business is at risk of significant data breaches.

The landscape of Regulatory Change

Serious data breaches and incidents of cyber-intrusion have resulted in a myriad of regulations coming into force across the globe. GDPR, CCPA, the Australian Privacy Act, DPTM and the Japanese Privacy Law are just a few. These will only grow as businesses scramble to make sure they are compliant.

The extent to which businesses are concerned about meeting new regulations was evident by recent calls to delay the start of enforcement of the CCPA. It was scheduled for July 1, 2020, and businesses wanted it delayed due to disruption caused by the COVID-19 pandemic. There is no doubt that businesses are facing a heavier burden than ever before when it comes to proving they are meeting data protection and cybersecurity obligations. However, higher authentication should not be thought of as a burden. It is a must for businesses if they wish to remain secure.

Covid-19 creates an escalating threat environment

You only have to look at recent attacks like those faced by Honda to see that the threat landscape is intensifying. The COVID-19 pandemic has created additional security threats. Organisations are facing increasing risks from threat actors looking to take advantage of the increased proportion of employees working from home. Being away from the office in an unfamiliar working environment, with the domestic distractions that come along with it, means the frequency of breaches is likely to increase, as security is not at the forefront of people’s minds.

The list of threats associated with the pandemic is extensive. It includes phishing emails, spearphishing attachments, and cybercriminals peddling fake VPNs, remote meeting software and mobile apps. There is also a new family of ransomware known as Coronavirus that has recently been reported. However, not all threats are external. A high percentage are caused by simple employee errors, like inadvertently sending a file to the wrong person by email.

Forrester analyst Heidi Shey recently published a report entitled “The State of Data Security and Privacy, 2020”. Among breaches in the past 12 months, 46% involved insiders like employees and third-party partners. These can actually be more damaging, as businesses are expected to have a strong hold on their internal data and who can access it.

Meanwhile, the tone from regulators remains unchanged. The ICO states: “A crisis situation is no excuse for failing to meet data security obligations”. Compliance penalties are not frozen whilst we are in a pandemic. It means businesses need to make sure they are covered more than ever whilst the risk of data breaches is greater.

What Can Be Done?

Investment decisions have to focus on protecting data. By incorporating technology that directly touches data, businesses can start to establish a compliance position in a regulated environment. To do this, businesses first need to know where all their data is located and establish what is sensitive and what is not. They also need to determine appropriate access rights to data and, in so doing, control its movement. The better the visibility, the more compliant an organisation will be, which can then be used to drive competitive advantage.

In basic terms, they need to adopt a ‘Privacy by Design’ approach. This takes privacy into account throughout the whole process and starts with Data Classification.

Classification by Design

Data protection by design and default needs to be planned within the whole system. It should be based on the type of data and how much data a business has. Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and metadata within the file. When classification is applied, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond to its label.

Businesses need to mitigate attacks and employee mistakes by starting with policy – assessing who has access. Then they should select a tool that fits the policy, not the other way round. Never select a tool and then rewrite your policy to fit it. This will then support users with automation and labelling that will enhance the downstream technology.

Once data is appropriately classified, security tools such as Data Loss Prevention (DLP), policy-based email encryption, access control and data governance tools are exponentially more effective. They can access the information provided by the classification label and metadata that tells them how data should be managed and protected.

Compliance pointers when setting your strategy

Compliance can be a challenging task, but businesses should see it as a positive. Customers who know their data will be secure will trust businesses with their most important data. Here are a few pointers to keep top of mind when looking at data classification and your compliance strategy:

  • IT security and operations do not own business data – so do not look to the CISO for all the answers.
  • Data stewardship will correctly align to regulations only when the data owners are identified and engaged.
  • Identify and engage stakeholders right across the business, including risk, legal, and compliance. This is critical to the success of your compliance programme.
  • Organisations must educate users as a whole about the sensitivity of data. They must also ensure the appropriate controls are in place around confidential and sensitive information.
  • Alert users when data is leaving the organisation to warn them before sending messages that contain sensitive information.
  • Users must classify or label data with visual labels to highlight any specific handling requirements.
  • Use metadata labels to enforce security controls to stop unauthorised distribution of data.
  • Link data classification tools to solutions such as DLP, encryption and rights management to enhance overall data protection.
  • Make sure you provide critical audit information on classification events. It enables remediation activity and helps prove your compliance position to the regulatory authorities.
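As an added illustration (not from the article or any vendor product) of how a label stored as file metadata drives the downstream controls described above and in the pointers, this Python sketch models an email gateway check: it reads the classification label, warns and encrypts or blocks when the data is leaving the organisation, and emits an audit record for each decision. The mail domain, label names and policy table are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

ORG_DOMAIN = "example.com"  # assumed internal mail domain (constructed)

# Handling rule per classification label: may it leave the organisation,
# and must it be encrypted in transit when it does? (constructed policy)
POLICY = {
    "Public":       {"external_ok": True,  "encrypt": False},
    "Internal":     {"external_ok": False, "encrypt": False},
    "Confidential": {"external_ok": True,  "encrypt": True},
    "Restricted":   {"external_ok": False, "encrypt": True},
}

@dataclass
class Document:
    name: str
    metadata: dict  # label carried as file metadata, e.g. {"classification": "Confidential"}

@dataclass
class Decision:
    action: str                                # "allow", "warn_encrypt" or "block"
    reason: str
    audit: dict = field(default_factory=dict)  # record kept for the compliance trail

def is_external(recipient: str) -> bool:
    """True when the mailbox domain is not the organisation's own."""
    return recipient.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def evaluate_send(doc: Document, recipients: list) -> Decision:
    """Gateway decision for one outbound message that carries `doc`."""
    label = doc.metadata.get("classification")
    external = sorted(r for r in recipients if is_external(r))
    audit = {"document": doc.name, "label": label, "external": external}
    if label not in POLICY:
        # Unlabelled data, or an unknown label, gets the most restrictive handling.
        return Decision("block", "missing or unknown classification label", audit)
    rule = POLICY[label]
    if external and not rule["external_ok"]:
        return Decision("block", f"{label} data may not leave the organisation", audit)
    if external and rule["encrypt"]:
        # Alert the sender that the data is leaving, and force policy-based encryption.
        return Decision("warn_encrypt", f"{label} data leaving to {external}", audit)
    return Decision("allow", f"{label} data within policy", audit)

if __name__ == "__main__":
    doc = Document("q3-forecast.xlsx", {"classification": "Confidential"})
    print(evaluate_send(doc, ["cfo@example.com", "auditor@partner.example"]))
```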

With this methodology in place, businesses have a firm foundation for ongoing compliance, long-term competitive differentiation and efficiencies.