The Cost of Data Breach is high - securing data is a must

Companies must be vigilant and agile to mitigate data-based risk in a fast-paced, global business environment that is constantly changing.

As multiple high-profile data security events have demonstrated in recent years, the financial cost of a breach (including remedial costs, fines, and reparations) is only the most obvious impact on an organization. Companies are also likely to suffer from declining stock prices, erosion of brand value and reputation, loss of consumer trust, and customer turnover.

Regulations such as the EU's General Data Protection Regulation (GDPR) and privacy laws and regulations in many countries around the world make the data security stakes even higher, because companies can be held accountable for non-compliant practices even if an actual breach never occurs.

The recent enactments of sweeping privacy regulations also remind us that data security is a moving target. Companies must be vigilant and agile to mitigate data-based risk in a fast-paced, global business environment that is constantly changing.

Key breach prevention strategies:

Because data security is a dynamic, large-scale, multidimensional business problem, it should be addressed from several different perspectives encompassing company policy, technology and culture:

1. Policy

The National Privacy Commission of the Philippines (NPC) is checking the privacy performance of companies and has just started to increase the fines and potential jail terms for companies that are negligent in privacy protection.

Every company should use these guidelines to develop cybersecurity policies and procedures, tailored to the industry they operate in and the regulations they are subject to. This should be a formal, living document that is updated annually. The Data Privacy Officer (DPO) of the company hopefully has the processes and automation software to protect the organization. If assistance is needed, contact me.

Companies must have a robust, independent and well-funded compliance program that combines process analysis, data-based tools, employee training and companywide programs that explicitly link core values and ethics to compliance and embrace proactive compliance as an essential component of data security.

2. Technology

COVID-19 has driven home the many advantages of cloud technology for organizations making the transition to remote work. This is particularly true when it comes to data security.

Organizations that have migrated to the cloud have more control around data access and security and are better positioned to quickly respond to potential breaches or compliance issues. Advanced security monitoring tools, events logging, and intrusion detection and prevention systems are all standard among today's major cloud providers.

Web application firewalls built into cloud platforms monitor the traffic reaching individual applications and warn users about specific vulnerabilities. Perhaps even more important than specific tools, moving operations to the cloud forces organizations to develop better thought processes about security.

Of course, data security measures must also be applied outside the organization. Companies should rigorously vet any vendor who handles company data to understand their data security protocols. This is a due diligence responsibility that too many companies fail to embrace.

3. Culture

Data security and compliance cannot be addressed with technology alone. Companies must build a solid security culture within the organization, and leadership on security must come from the top.

Employees and email inboxes are still the most common attack vector and the weakest link in company defenses. Companies that take security and compliance seriously conduct regular, mandatory role-specific training at all levels.

In addition to role-based training, general awareness training is essential to establish clear rules of behavior, alert employees to phishing schemes and similar threats, and encourage them to remain alert and report anything suspicious.

A company whose security plan adopts a purely defensive posture is much more likely to bungle its response to an incident and amplify its negative impacts. Organizations must develop, and regularly review, a detailed incident response plan that designates key roles and responsibilities, establishes incident reporting procedures, and outlines protocols for IT to follow to secure operations and fix vulnerabilities.

Solid data security programs are not developed overnight. They are long-term, strategic initiatives aimed at mitigating existential threats to the organization. They require rigorous, sustained effort over a period of years. Companies should focus on making continual, incremental improvements to frameworks and toolsets, and reinforce these efforts through regular training and communications reminding employees that security and compliance are responsibilities shared by everyone.

If you need assistance in implementing data privacy protection in your organization, let us know; we are ready to assist; contact me at hjschumacher59@gmail.com
