Another year, another Cybersecurity Month beckons – but are we seeing major changes in approach that will signal a shift in how data, and in particular personal data, is treated by businesses?
Over the last six months, the game has appeared to shift slightly, with major regulatory actions on both sides of the Atlantic against household names including Facebook, British Airways and Marriott, alongside a host of smaller cases. But, high-profile as these cases are, there remains a question as to whether businesses are investing enough, and in the right areas, to show that they are taking risks to cybersecurity and client privacy seriously.
Businesses do not ‘own’ personal data – they are custodians of it and, as such, have clear duties, both in law and ethically, to make sure that it’s protected. Companies that protect data are those that people will trust – the corollary is the reputational impact that a data breach can – will – have.
Most businesses do not have the luxury of starting from scratch on data protection. Any approach has to be a blend of retrofitting controls to existing systems and processes and ensuring that controls are designed in when new programmes are developed. To achieve that, it’s important that businesses understand the threats and risks to data, both internal and external, so they can deploy appropriate solutions. Investing in quality governance, risk and compliance expertise can simplify this exercise in a cost-effective way and deliver a programme tailored to the business.
Beyond that, minimising the personal data a business touches is a good start. After all, what you’re not holding, you can’t lose, and it isn’t a privacy risk to individuals – or a legal or reputational risk to the business. For the data a business does need, there are basic controls – patch management, firewalls and role-based access controls, for example – which will get you so far. Encryption, too, should be deployed as far as possible for data both at rest and in transit.
These will help to mitigate some risks – but not a determined attacker. Deployment of threat detection technologies that look for changes in endpoint behaviour and actively monitor incoming traffic, alongside effective incident response – the ability to deal with a threat once it’s detected – are critical in managing cybersecurity risks, and should be a cornerstone of an appropriate data protection programme.
But let’s contrast this with research showing that only 3% of businesses describe themselves as ‘well prepared’ for a major incident, while, according to our Risk:Value Report, more than 30% say that they would rather pay a ransomware demand than pay a regulatory fine. That reflects a serious misunderstanding of the law in any case, but also a worrying attitude that is, perhaps, supported by long-term under-investment in data protection and cybersecurity across many industry sectors.
A further element to consider here is the empowerment of data protection and cybersecurity teams. This means early engagement in significant projects, so that they can work as an effective business enabler. But it also means that they must be empowered to make decisions – or at the very least have a clear mandate that is accepted – in the event of an incident. If a process is compromised, but the business decides to continue running it against the advice of its qualified experts, then the control isn’t effective – the risk is, if anything, multiplied.
We know that it is impossible to prevent every breach – whether caused by threat actors, a careless employee, or a combination of the two, breaches happen. But investing in data protection and cybersecurity measures, based on good risk assessment and planning, will minimise the risk posed by a breach and allow businesses to respond effectively – not least because they will stand a better chance of actually knowing that something is wrong in the first place.