Data protection is one of the central pillars of cybersecurity; everything we do in the profession is aimed at protecting data before it is attacked. So for us, every day is Data Protection Day.
For many organisations, data protection feels like a daunting task. It requires investment of both time and resources, and it never ends. However, the risks of failing to protect the data an organisation holds can be catastrophic. Research by the US Securities and Exchange Commission in 2015 found that 60% of small and medium businesses (SMBs) that suffer a cyber attack do not recover and shut down within six months.
So, this Data Protection Day we look at some practical steps every organisation can take to secure the data they hold.
Data Privacy Week and its final day, Data Protection Day, were established by the Council of Europe in 2006. The original purpose of Data Protection Day was to raise awareness among individuals about data privacy as a whole, including how organisations use their data, the responsibilities of organisations towards individuals’ data, and how individuals can protect their own data.
Data is integral to many businesses. They collect data about their clients and customers to use in everything from service delivery to marketing and business growth. Data helps businesses optimise their activity, and make a profit.
However, organisations also have a responsibility to their customers to protect that data. Thanks to initiatives such as Data Protection Day, and regulations such as the European GDPR and the Californian CCPA, customers know their rights, and will demand that organisations protect their data privacy in return for providing it to them.
Many regulatory frameworks are able to fine organisations that fail to suitably protect data privacy. Under the GDPR, these fines can be up to €20 million, or 4% of annual worldwide turnover, depending on the severity of the offence.
As a result, it is important for organisations to implement an effective data protection programme to avoid the damage to their reputation and finances that a data breach will cause.
Data protection and data privacy are often used interchangeably, and they are two sides of the same strategy. Data privacy defines who is authorised to access the data; data protection provides the tools and policies to restrict access to that data. Both work together to ensure that customer data is secure within the organisation.
The purpose of data protection is to protect the confidentiality, integrity, and availability of data.
Confidentiality is the ability to keep something secret. Organisations must implement protections to ensure that data remains secret from the wider world, by ensuring that only authorised people can access it.
Integrity is the assurance that the data is accurate and correct. Organisations must implement protections to ensure that data can’t be changed or tampered with by anyone who is not authorised to do so.
Availability is ensuring that data and the systems that hold it are available to authorised users at all times (or as close to it as possible). This includes protecting data from an attack that takes it offline, disrupting business.
Ensuring the confidentiality, integrity, and availability of data means actively protecting it.
Protecting an organisation’s data can be broken down into a set of practical steps that together form a data loss prevention programme: a combination of strategies and tools to prevent data from being deliberately stolen or compromised, accidentally sent to the wrong recipient, or unintentionally deleted.
– Know what data the organisation holds, and where it is stored. Protect that data from unauthorised access, and implement controls to prevent data being held outside of designated storage areas.
– Monitor systems and use tools to detect personal data. Data is saved in many different places across a network including file servers, cloud services, employee laptops, portals, and more. Data is generated and saved all the time, so it is vital to stay on top of it.
– Don’t collect data you don’t need, and don’t keep data longer than necessary. The more data collected, the higher the risk it poses to the organisation. When a data set is no longer needed, dispose of it safely.
– Manage access to data. Who has access to what data, and do they really need it? Data should only be accessible to users who need it to do their daily jobs.
– Keep accounts safe with strong passwords and MFA. Use a password manager to help users create strong, unique passwords for every account.
– Support employees in working safely while remote. Provide training in how to work safely out of the office, and how to identify basic threats. In addition, implement technical controls for remote working.
– Encourage safe data practices such as clear screen and clear desk policies to avoid data lying around, safe transfer protocols, encryption for sensitive data, and password-protected files and emails.
– Configure firewalls to prevent unauthorised transfer of data out of the organisation’s network.
– Encrypt data in transit and at rest. This protects data at all times and ensures that even if it is accessed or intercepted, it can’t be used.
– Back up data regularly to help the organisation recover in the event of a breach or accidental deletion. Backups should be stored securely in a different location to the main network, and should be retained for a set period of time before they are overwritten. Backups should also be tested to ensure that they are restorable.
– Securely dispose of data, ensuring that all data is removed from devices before the devices themselves are disposed of.
As we all know, prevention is better than cure. So use this year’s Data Protection Day as your cue to start implementing an information security management programme that protects the data you hold from harm.
Stay safe