In our increasingly data-driven world, personal data is shared every second – when shopping, at work, travelling, or simply browsing the internet. It is the responsibility of every organisation to make an active commitment to protect the data it holds. After all, it could have serious implications for its reputation if a data breach occurred and its customers’ personal data was stolen and misused.
Data Protection Day seeks to raise awareness and promote best practices around keeping data safe and secure. In this article, eleven experts in the technology industry give advice on how to best protect your data and maintain trust from your customers.
“Data Protection Day serves as a reminder of one of the most important responsibilities for any organisation: keeping sensitive data secure,” explains Anurag Kahol, CTO at Bitglass, a Forcepoint company. “Consumers are constantly discovering the information that is collected about them, how that data is used, and how daily breaches put that information at risk. Consequently, to maintain consumer trust (and remain compliant with regulations), it is imperative that companies make security a top priority.”
“There is a growing crisis of trust in technology and personal data security is at the heart of this,” adds Michael Queenan, CEO and Co-Founder of Nephos Technologies. “In the current day and age, ‘personal data’ has become something of an oxymoron – it’s anything but ‘personal’. We don’t own our personal data and we have limited control over what happens to it.
“Generally, the onus of responsibility on how to use, protect, sell and leverage our personal data lies with big companies and government institutions. Now is the time for tech leaders to stand up and ask how we can work together to mitigate risk for the public.”
Stay ahead of the laws
Countries around the world are increasingly enforcing and updating their data protection laws.
GDPR established a solid regulatory framework for dealing with emerging technologies and we’ve since seen other countries adopt their own, such as the Protection of Personal Information Act (POPIA) in South Africa and China’s Personal Information Protection Law (PIPL).
As the UK looks to replace the current UK-GDPR law with its own data protection legislation, “cross border data flow is and will remain one of the top issues,” states Jakub Lewandowski, Global Data Governance Officer at Commvault. “For now, the European Commission determined that the UK offers an adequate level of data protection, allowing for a free flow of data between the European Economic Area and the UK. That may change however, if the Commission finds that there are indications that an adequate level of protection is no longer ensured. The UK is also planning to strike new global data partnerships and establish its own package of measures covering international data transfers, which may affect the adequacy decision. The hottest developments will, however, likely concern the EU-US transfers following the Schrems II ruling.
“These trends together with a varying approach to data privacy from region to region, signal that we are set to see increased fragmentation and complexity of the legal landscape. This will particularly affect companies operating globally or relying on global vendors. Such businesses will need to contribute significant resources to comply with new legal requirements, when perhaps they could put them to better use if they were targeted at improving organisations’ cybersecurity posture or addressing cyber security threats instead.”
“Organisations working around the world need to be aware of the latest requirements in every country and ensure that their systems and processes meet these needs,” agrees Gareth Tolerton, Product Innovation Director at Totalmobile. “To do so, there are a few top tips to follow. Ensure that you have specific policies in place around the handling, storage, access, visibility, and transmission of personal data so that staff know exactly when and how they can interact with this. In the same vein, training is vital. Initial GDPR training would have occurred almost four years ago, so regular refreshers are key to keeping teams secure. And finally, organisations that can appoint a dedicated Data Protection Officer will be able to give their full attention to internal compliance strategies and processes, adding that extra layer of protection.”
Back it up
There is no single solution to data protection that fits every organisation, but every organisation should have a reliable backup solution, should the worst happen.
“Check whether disaster recovery and automated backup are taking place (and with what frequency) within your SaaS environments,” urges Hugh Scantlebury, Founder and CEO at Aqilla. “That way, if the worst does happen and you’re stung with a DDoS or other malware attack, you can quickly recover your data. This is essential as a quick recovery means you’ll get back to regular business without any serious financial implications and without impacting customer service.”
“The final part of every data protection solution should be disaster recovery and backup,” furthers Gregg Mearing, Chief Technology Officer at Node4. “However, it remains important that these systems are also protected and not simply considered the last line of defence – they are increasingly being targeted as cybercriminals grow in sophistication.”
Trust in training and technology
Data Protection Day serves as a reminder of how important the human element is in the world of cybersecurity. Without a proper understanding of online privacy risks, organisations can be left defenceless against hackers.
“The solution to fending off cyberattacks at both an individual and company level is twofold: training and technology,” explains Danny Lopez, CEO at Glasswall. “Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software.”
“Lack of education and human error are two of the largest causes of data breaches and it is easy for an employee to unknowingly fall into the trap of poor security practices,” agrees Terry Storrar, Managing Director, Leaseweb UK. “This might be something as basic as storing confidential documents on a personal device, reusing passwords or forgetting to update software. The good news is that these are relatively simple to fix through training that encourages all employees to take responsibility for the safety of the data they use.”
However, employees should not be the only line of defence for an organisation. Investing in technology can take some of the pressure off employees and be very effective in detecting and preventing unauthorised access.
“Automation software can help an organisation deliver on the key requirements of GDPR whilst also unburdening employees, helping them to do their jobs better, and allowing them to focus on more value-add tasks,” explains Simon Spring, Senior Account Director EMEA at WhereScape. “There needs to be a shake-up in priorities and how business leaders approach their responsibilities for data security. Automated processing of data could be that change we need to see.”
Martin Rehak, CEO at Resistant AI, continues: “A combination of AI, automation and the human brain is the strongest form of defence against cybercrime and protecting customer data. The intention is to find a problem before it becomes a threat and today’s AI-powered solutions are able to detect advanced fraud and manipulation earlier and faster – call it real-time identity forensics.”
“Taking a proactive, zero trust (never trust/always verify) approach when it comes to security can not only protect the companies that implement them but their customers as well,” adds Glasswall’s Lopez. “Having these measures in place will not only assist with preventing attacks, but it’s also more cost-effective and efficient than using employees as an organisation’s first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe.”
Thomas Cartlidge, Head of Threat Intelligence, Six Degrees, concludes: “2021 was a tough year in the fight against cybercrime, and the bad news is that things don’t look like getting any easier in 2022. Whatever this year brings, all organisations will need to be serious about achieving defence-in-depth across their people, processes and systems if they are to protect their data and mitigate the risk of downtime and data breach. A thorough understanding of the evolving threat landscape, along with the introduction of zero-trust cyber security principles, will go a long way to achieving this goal.”