OPINION: Data security, privacy


Picture: DATA PRIVACY GROUP.

Every investment you make for cybersecurity and privacy is ultimately to protect data.

The ICT industry defines data security and privacy technology as technologies that directly touch the data itself and that help governments and organisations:

• understand where their data is located and identify what data is sensitive, i.e. prioritise data;

• control data movement as well as introduce data-centric controls that protect the data no matter where it is; and lastly

• enable least-privilege access and use. This still encompasses a wide range of technologies.

To address concerns from data breaches involving authentication credentials, you can enable multifactor authentication (MFA) to mitigate the risk of credential stuffing, and explore passwordless authentication methods such as biometrics, tokens, keys, or Auth0-based solutions for employees.

To protect your Personally Identifiable Information (PII) and Intellectual Property (IP), the appropriate choice or combination of choices of specific data security technologies will depend on whether this data is in an unstructured or structured format.

Common controls include encryption and data loss prevention.

When we take a deeper dive into core technology adoption trends, we see that:

• Encryption is critical for data protection: the encryption technologies organisations have adopted most are email encryption (65 per cent), database encryption (60 per cent) and cloud encryption (60 per cent).

About one in five decision-makers say that their organisation plans to implement a number of types of encryption, including email, database, cloud, media, full-disk, and file-level encryption.

This is no surprise, as some regulations — such as HIPAA (Health industry — patient records’ confidentiality), GLBA (Financial institutions), and CCPA (Consumer protection) — have specific encryption requirements.

For regulations that do not specifically mention encryption, like the EU’s GDPR, many organisations still look to encryption as a key control and safeguard for data.

This undercuts many of the arguments put forward by the Five Eyes and other nations, including Japan and India, for the mandatory introduction of backdoors into applications, services and other encryption-protected devices in the interests of national security and criminal investigations.

A simple analogy I often like to use: after building your house, which is now your legal personal property, the builder or real estate agency keeps a master key for all the doors, one that can be handed to the authorities to access your property should it be required in the interests of national security or criminal investigations.

With all the proper legal documentation, of course.

Sounds reasonable, but what if the same master key also opens every house the builder (or developer) has ever built? In the digital equivalent, encryption keys for applications or devices, that may run into thousands or millions of customers.

Only law enforcement and security agencies with proper legal authority are supposed to have access to the master key, but when (not if) criminal elements or even unfriendly nation states get a copy of it, the security and privacy rights of every customer are negated.

Who then becomes responsible or liable for security and privacy breaches?

The builder/developer, or the authorities that mandated the backdoor rules?

• Data loss prevention (DLP): DLP as a technology capability persists because it is still a means to help enforce policies for data movement, report violations, and inform users of what is appropriate policy if they inadvertently violate it.

While prior deployments primarily focused on preventing accidental data loss, added functionality today can also support insider threat use cases.

The question is how we define DLP as it evolves; it’s a feature, a product, a service, and it’s also an approach supported by other (non-DLP) capabilities like access control or de-identification.

• Protecting data in the cloud starts before data moves to the cloud: private cloud, infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) all require data protection.

As companies move critical data from on-premises to the cloud, security considerations include securing access to the console, configuration of the cloud, connectivity/networking, encrypting cloud data, and container security.

Today, almost a third of global security decision makers say that one of their primary methods of protecting these environments is to encrypt data before moving it to the cloud.

• Privacy regulations: GDPR and CCPA have been a catalyst for technology investments as firms prepare to comply with regulatory requirements and develop their programs for sustained compliance.

Among global security decision makers, about half have indicated that they have invested in privacy management software to comply with data protection regulations.

They also often report investing in data discovery and classification and other data security controls to help fulfil their compliance obligations.

While these can help to support your program, technology alone is not the solution. Solid processes and policies are required to deliver meaningful compliance.

In addition to conducting a risk and security maturity assessment, to gauge where your data security and privacy capabilities stand today and where to focus your priorities for increasing maturity, organisations can learn from the patterns behind data breaches to evaluate their current data protection practices and controls.

Among breaches in the past 18 months, just over half involved insiders such as employees and third-party partners (who are often overlooked). This is consistent with 2018-19.

News headlines of insiders stealing trade secrets from companies like Hershey, Philips, and Tesla mislead us into assuming that insider threats are threats of malicious intent only, but the reality is that accidental misuse of data and lost devices cause a fair share of incidents and breaches.

In 2019, statistical analysis shows:

• Internal breaches were also accidental: according to global statistics from PwC, nearly half of the data breaches caused by internal incidents were the result of abuse or malicious intent.

The decrease in malicious intent from 60 per cent in 2018 to 45 per cent in 2019 means that internal accidental breaches are on the rise.

This correlates with the rise in successful phishing attacks. As we continue to focus on how to detect and respond to insider threats, we must not lose sight of how we approach our "human" firewall: building a strong cybersecurity culture through regular cybersecurity awareness training;

• Lost or stolen devices: whether the devices are corporate-issued or bring-your-own (BYOD), the loss or theft of assets like smartphones and laptops was involved in a surprising 20 per cent of the breaches reported in 2019, compared with 15 per cent in 2018.

Devices, especially smartphones, are increasingly an employee's window for accessing data, particularly email on the go (for the busy executive).

It's critical to have processes and capabilities to manage these endpoints, supporting your data security efforts with capabilities such as setting baseline security policies (e.g., requiring a device passcode and OS updates), enabling risk-based conditional access, and encryption.

The top three data types compromised reflect their value: Personally Identifiable Information (PII) remains the type of data that most organisations say has been compromised or breached; IP is also high on the list, coming second in 2018 and third in 2019.

While PII and IP have been mainstays at the top of the list for a while, authentication credentials took second place in 2019-20; after all, why bother breaking into a system when you can just log in?

Here are a few cybersecurity suggestions for your organisation:

• Justify your budget: the size of your budget says nothing about how well you spend those resources and whether your investments are lifting your security posture in a meaningful way.

By assessing and measuring security maturity, IT staff members can better define and measure success.

Prioritising investments based on security maturity returns will focus your investment in the right areas and at the right level of investment required. Building your business case on value will also provide a more balanced approach than solely focusing on potential breach costs.

• Explore emerging technologies: consider these as complementary or supplemental to your core controls, rather than a replacement, to meet protection requirements for specific use cases.

VPNs are now considered redundant post-COVID-19, so consider and implement Zero Trust strategies.

• Evaluate how your firm communicates about security and privacy: consider how you do this both during normal business operations and in times of crisis, such as a disruption to operations or a data breach.

Include considerations for employee and customer communications in your breach response plans. Ensure all cybersecurity policies are in place.

• Build a culture that rewards whistleblowers: provide automated, anonymous ways for employees to communicate concerns to an independent third party as a way to protect employee privacy.

Account for employee experience and privacy in your approach.

This includes avoiding questionable practices (even if legal) and understanding employee privacy rights.

Remember that insiders are not just employees but also your third-party partners that have access to your data and systems.

• Develop a privacy program with a focus on sustained compliance: GDPR-style regulation is here to stay, so work to embed elements of GDPR programs' governance into your broader privacy governance, data management lifecycle, and security strategy, to ensure that you can respond in an agile manner to changing regulations around the globe.

Remember, the key elements of cybersecurity are confidentiality, integrity and availability of your critical data. Anything less is not acceptable.

Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
