In the highly mobile and data-centric world we live in, organisations are grappling with the problem of data protection. Every company and IT department must secure organisational data and prevent its loss, whether that loss is accidental or the result of a deliberate attack. They need an elegant solution that can be quickly and easily slotted into their existing environment.
A data protection solution for the modern workplace must not disrupt business, and must be compliant with new privacy laws – Notifiable Data Breach or APRA CPS 234 in Australia and GDPR for those who share privacy data with European organisations.
The business impacts of a data breach are not always apparent at first glance. Here are some:
- Unable to transact business with customers unless compliant with laws (e.g. CPS 234, GDPR)
- Significant penalties/fines for the business and individuals
- Legal costs for engagement with the Commissioner
- Legal costs to defend civil action by people damaged by their data exposure
- Excessive cost of managing legacy security solutions
- Harder to win new business due to brand/reputational damage
Please note that the above business impacts are not an exhaustive list. There are many more. But these are examples of significant risks to Australian businesses today. With cybercrime escalating and daily reports in the media of data breaches, there is a pressing need to look at new methods for securing data.
While solutions exist to secure different types of data, many businesses are unaware of the effort and challenges in finding the right solution.
Are you considering a Data Protection solution? Here are seven points to consider:
1. What type of data does your organisation collect and/or store?
The types of data you collect and store are often difficult to determine. If your organisation manages personally identifiable information (PII), classifying and keeping track of this data in particular is where you need to focus.
Personally identifiable information may include:
- Healthcare records
- Financial data such as a credit history
- HR or employment records
- Any government ID such as a Tax File Number (TFN) or licence number
- Any other information that could be classified as ‘sensitive information’, such as private conversations or information about a person’s religion
It is wise to perform a risk/vulnerability assessment to map out the risk and impact within your organisation, should a data breach occur.
2. Where is your data?
It is important to identify personal data across the enterprise and establish an inventory of personal data holdings which can be kept up to date. This requires identifying the complete scope of where personal data is stored, including internal IT systems and third parties.
Category definitions of personal data types and sensitivities must be developed in order to know what data you are dealing with before you can start to build an appropriate classification and labelling strategy.
Most organisations know where a lot of their production data is housed but are not completely aware of where copies might be kept. Often their business units keep copies in other repositories for convenience, backup, high availability, performance and many other reasons. These can be Cloud platforms, home copies, mobiles/laptops, USB drives, archives, backups, site servers, email, etc. All of these are legitimate reasons for storing data in other locations.
We must always assume that data is on the move – that someone new is being offered the chance to view, store, and even compromise your sensitive data.
Many complex environments face the same challenges. Looking at their systems, we hear the same thing: “we know we have sensitive data…we just don’t know where all of it is”.
Once you have a clear view of where your data is, classifying it so you can set access levels is at the heart of a secure data environment.
3. How do you classify your data?
Chances are, your organisation stores personally identifiable information regarding staff, customers, and contractors. You may find PII that doesn’t belong in any of these categories (example: a resume with confidential information provided by a recruiter, for a candidate that was interviewed but not hired).
Classification can often be a significant hurdle for many organisations when trying to protect data. A piece of data can vary in its level of importance to different people within the same organisation, depending on their viewpoint. Also, data importance/relevance/sensitivity can change with the introduction of new laws or standards (e.g. NDB or GDPR). Some organisations spend months, even years discussing and debating the problem, and often cannot agree at the end.
Some organisations have a classification/labelling scheme that is provided by the Legal and Compliance team but the IT function struggles to implement it without impacting user experience. Often, IT relies on the end user to carry out the classification process. However, relying on the user to create metadata and classify data at the point of creation not only leads to subjective and often incorrect classification, but is largely useless for existing data that has not been classified. Many organisations have terabytes of existing documents that have not been classified.
As challenging as this is, Data Discovery and Classification are the first key steps for data protection.
4. What Data Protection policy should you set for different data types?
Understanding how to classify data is only the beginning. Applying policy to the data once classified is a different problem. How do we decide and manage who has access to our data? What convention should we use to ensure everyone agrees with our method? How long should we retain the data? Should we allow people to amend/copy/print/forward/store/…? And many more questions. Once again, some organisations spend months or even years discussing and debating this problem.
5. How do you label your data to reflect these different policies?
Once there is broad agreement on classification of data, we can then look at how we inform staff, customers, partners, suppliers and other users of our data.
6. What is important when choosing a Data Protection solution?
One of the key imperatives when introducing a data protection solution is to ensure that it does not prevent the business from doing business, or the staff from doing their jobs effectively. The right solution must work in the background without adversely affecting productivity.
It should be able to automatically classify, label and enforce policy based on the data content, to ensure the solution is accurate, doesn’t impact user experience and is easy to manage. It should also be able to classify and label existing data retrospectively, or the solution is pointless. Another case to consider is an organisation that is moving data from on-premises repositories to Cloud solutions: during the period of co-existence, data should be classified in both the on-premises and online systems.
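Points 3 and 6 above both call for classification driven by what a document contains rather than by what its author typed, so that existing, unlabelled data can be scanned retrospectively. The following is an added example, not Experteq's product code: it scans a constructed repository of documents, confirms candidate Tax File Numbers with the TFN check-digit algorithm (weights 1,4,3,7,5,8,6,9,10; weighted sum divisible by 11) so that ordinary nine-digit references are not flagged, and assigns a hypothetical three-level label.

```python
import re

# Weights of the Australian TFN check-digit algorithm; a genuine TFN's
# weighted digit sum is divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Nine digits, optionally grouped 3-3-3 with spaces or hyphens.
TFN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(candidate: str) -> bool:
    """Return True if the digits in candidate pass the TFN checksum."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return checksum-valid TFNs found in text, with grouping removed."""
    found = []
    for match in TFN_PATTERN.finditer(text):
        digits = "".join(match.groups())
        if is_valid_tfn(digits):
            found.append(digits)
    return found


def classify(text: str) -> str:
    """Hypothetical label scheme: PROTECTED > INTERNAL > PUBLIC, from content."""
    if find_tfns(text):
        return "PROTECTED"
    if re.search(r"\b(confidential|internal use only)\b", text, re.IGNORECASE):
        return "INTERNAL"
    return "PUBLIC"


def scan_repository(documents: dict[str, str]) -> dict[str, str]:
    """Classify every document in a repository snapshot (path -> text)."""
    return {path: classify(body) for path, body in documents.items()}


# Constructed sample documents: 123 456 782 passes the checksum, 123456789 does not.
SAMPLE_DOCS = {
    "hr/new_starter.txt": "Employee onboarding form. TFN: 123 456 782. Start date 1 July.",
    "finance/invoice_0042.txt": "Invoice ref 123456789 - INTERNAL USE ONLY, do not forward.",
    "web/press_release.txt": "Experteq announces a new office opening next month.",
}

if __name__ == "__main__":
    for path, label in scan_repository(SAMPLE_DOCS).items():
        print(f"{label:10} {path}")
```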
7. Do you need a Data Breach Incident SOP?
Every organisation should write and maintain a Data Breach Incident Standard Operating Procedure. Implementing excellent data protection solutions does not guarantee that a data breach will not occur. Often malicious attackers will watch and wait for months until a small window of opportunity opens to allow them access. Frequently this can be due to inadvertent user error.
While a data protection policy will often protect the data, no one can guarantee that data will not be lost. In this event it is important to have an SOP to notify the people affected by the breach and to react appropriately and responsibly.
What is the right Data Protection solution for your organisation?
There are a number of excellent solutions available that address various data types and situations, and organisations may need to deploy more than one to achieve the most secure outcome for their business. Once the solution is chosen and implemented, it must be well maintained. Classification policies must be regularly reviewed, and any required changes must be implemented in a timely manner.
For example, a document may become more important due to sudden changes outside an organisation, requiring an immediate change in policy for that data. Any solution must be flexible enough to allow this. The integrity of the solution must be tested periodically to ensure it is delivering what is required for security and legal compliance. As new laws or standards are introduced, new policy must be written and enforced across the business.
When deciding how to select the right solution, consider that ease of use is more important for data protection than most people realise. Traditional data protection solutions such as formal document management software are usually slow, not easily searchable, and typically accessible only from a local network. These limitations lead impatient users to find innovative and dangerous ways of bypassing organisational controls.
An easy solution must also be a capable and complete solution. It must include all use cases and be able to classify and protect all disparate organisational data, not just information stored in a specific database.
The Experteq Data Protection solution
At Experteq, we recommend and use solutions that intuitively implement data classification and protection controls. They integrate into Microsoft Office, Adobe Acrobat, email, and other common document formats in use today, and can secure your data with a single click. They also offer a range of in-product notifications, such as recommended classifications, so that users know when they are dealing with sensitive data and can make the right classification decisions.
Our solutions are highly capable, backed by some of the largest and most trusted vendors in the world, and designed to be usable by even the least technical users.
Our customers include Universities, medium and large Enterprises, and Government bodies – who all share three common issues: increasing volumes of sensitive information, an expanding threat landscape, and heightened compliance and regulatory constraints.
If you need a holistic data protection solution or have a question about how to enable your workforce while keeping information secure, contact us for a confidential conversation with our expert team.