Opinion

What does it take for companies to stay on top in the new landscape of data security?

Eight new cyber threats detected every second; organizational compliance failure is the main reason behind this surge. Compliance transcends geographical boundaries; companies find themselves cornered by rising security threats, and increasingly complex laws. Most data is on the Cloud, and most of it is highly sensitive as well as unstructured data.

Sunil Peter Apr 26th 2018

Data security has been the top priority for policymakers in the new digital age, as stronger laws are now being enforced to ensure the security of private data. Data privacy is serious business, and it is the single most important compliance requirement for companies in the wake of increasing cyber security attacks and data theft. Eight new cyber threats are being detected every second, warns McAfee in its latest report, which blames organizational compliance failure as the main reason behind this surge. Most data is on the Cloud, with a majority of it being both highly sensitive and unstructured. In such a context, compliance transcends geographical boundaries as companies find themselves at the centre of a storm, surrounded by rising security threats and increasingly complex and stricter laws.

All data security actions are centred around the user, whose private information, be it financial or otherwise, is sacrosanct, and must be shielded from unauthorized and malicious access attempts. All consumers expect digital transactions to be both instant and private at once, and do not tolerate any unauthorized spillovers or ‘accidental’ exposure of their data to anyone outside the intended circles.

As companies rally to meet customer expectations amid stiff competition, regulators are keenly watching whether all processes are truly compliant with all prevalent security laws. Therefore, the proliferation of social network advertising and new services can never come at the expense of companies losing sight of privacy compliance. While the right technology increases privacy, companies are also obliged to inform customers about the various pros and cons of such technologies. Are they doing enough, and what are the actual requirements? Let us find out.

No compromise on data security

Most industry surveys reveal that organizations are not doing enough to protect data privacy. The recent PricewaterhouseCoopers’ (PwC) 2018 Global State of Information Security Survey (GSISS), conducted across nearly 10,000 senior business and technology executives from 122 countries, reveals that very few companies are investing enough in cyber and privacy risk management in their digital transformation, have robust third-party privacy policies, have invested enough in encryption, and hold an accurate inventory of their data. Only 53 percent of companies even require employee training on privacy policy and practices.

Unstructured data security

Companies cannot pick and choose which data to secure, and that includes the huge amounts of unstructured data too. Unstructured data is data that does not fall under defined data models (such as Excel sheets), and that includes the vast troves of social media data as well. Though unstructured data accounts for 80 percent of any organization’s data, it is also the least controlled and the most fluid. There are hardly any viable security perimeters to protect unstructured data, which is expected to grow to 93 percent of all data in the world by 2022, according to IDG. Securing the sheer volume of unstructured data is challenging, and is crucial for the financial success of companies.

One way to provide complete security for unstructured data is to protect all data by default, unless it is specifically opted out. Assuming that all data is at risk from both internal and external sources is a great way of looking at it. In a world that is increasingly storing its data on the Cloud, companies should comply with all the stringent regulations that are in place for the particular industry they operate in, such as the Gramm-Leach-Bliley Act (GLBA) for financial institutions, the Payment Card Industry’s Data Security Standard (PCI DSS) or the upcoming EU General Data Protection Regulation (GDPR) that will come into force in May. The mounting challenge for companies is to adopt all the right methods without hindering user experience.

For robust cloud security

One of the first avenues that comes under the data privacy radar is the Cloud. Companies are moving more sensitive data to the Cloud, which clearly brings all of Cloud management under the ambit of security laws. The GDPR applies not just to all data stored on European soil, but also to all data that belongs to Europeans on the Cloud, wherever it is hosted. Though the Cloud has the advantage of having security layers embedded in the data layer itself, many organizations do not fully understand the security responsibilities they face as they opt for a public Cloud, a private Cloud or an on-premise environment.

To avoid any risk to Cloud data, organizations should double-check configurations, keep their servers patched up to date, and restrict exposure to the Internet. Companies should also restrict access by stepping up encryption, and ensure that management knows and keeps constant track of what data is on the public Cloud, on the private Cloud or hosted on premise.

Internal employees need coaching

The human is most often the weakest element in any cyber security practice. Most data security lapses are directly linked to human behaviour, owing to a lack of awareness. A Gartner study of cloud adoption in 2015 revealed that 80 percent of all data leaks in the Cloud are due to incorrect information, account management and other mistakes by IT departments, and not due to vulnerabilities inherent in the Cloud provider.

Threats are therefore not always from hackers outside the organization, and many are internally triggered. Inadvertent misuse of data by employees causes 36 percent of all data breaches, says a Forrester report. Cybersecurity is therefore much more than securing access to applications and data, and reacting to the ever-increasing threats. It is about enforcing strong controls on data integrity, stopping data loss, and ensuring availability of data in the most secure manner for businesses to function. Rather than complying for the sake of it, or to avoid hefty fines, companies should proactively work to understand and apply new data security measures whenever they are brought into force, and train their human resources to stay on top.

Sunil Peter is AVP–PMT, Maveric Systems

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).