Over the past two years, data security has quickly climbed the ladder of immediate concerns for business.
Whether the business is a budding startup, a burgeoning SME or a monolithic enterprise, cybercriminals do not discriminate, making any organisation that handles data a target.
This is why data breaches have risen significantly as a result of the pandemic and remote working, where employees now pose the biggest threat to the integrity of a business environment.
While hammering home smarter and more thorough security practices and policies is advised, it can only get you so far, with human error perhaps being too large an obstacle for even the most sophisticated of solutions to address.
As such, where does the onus fall when it comes to a better security approach?
This was the topic of discussion at a recent virtual Cyber Resilience CIO roundtable, where shop was talked, war stories were swapped and sage advice was shared among local and foreign executives with decades of experience in the IT security environment.
These are some of the insights that the roundtable hopes people and organisations alike can glean in the bid to overcome the breach.
The regulators are watching
Outside of simply being a ripe target for cybercriminals, data regulation could soon play a part in dictating how quickly companies address security.
If we look locally, for example, the Protection of Personal Information Act (PoPIA) is yet to claim its first major scalp, as the Information Regulator still needs a bit more bite to go with its bark, but overseas the General Data Protection Regulation (GDPR) has already had an impact.
Last year saw Amazon issued a €746 million fine for a data breach in August, which remains one of the largest GDPR fines to date, but this Cyber Resilience roundtable is of the opinion that it could have been avoided.
The same goes for WhatsApp, which was also handed a fine over a failure to disclose its data collection and sharing practices to users.
As such, the way data is collected, stored and handled is something that businesses need to think critically about, lest they become the first firm operating in SA to receive a PoPIA-related fine for a data breach.
Handling with care
Along with escaping unflattering press and a sizeable fine, businesses need to focus on what is most important: the data itself. It is not gathered haphazardly, and the cliché of data being the new oil holds true, as the information given to businesses is handed over in the belief that it will be handled with care.
This is why the Cyber Resilience roundtable session stressed the message of protecting, detecting and evolving.
Organisations need to protect the data, detect where there are breaches and evolve as the business changes.
One way organisations can take a more proactive approach is by implementing multi-factor authentication and, once that is in place, evolving to an advanced multi-factor approach in order to better safeguard who has access to data.
Added to this is the approach to the cloud and where data resides.
The past two years have seen a significant desire to digitally transform across a myriad of industries and to push everything to the cloud, but each customer's requirements are different.
This means helping your customers with their data security requirements sometimes involves choosing not to give them everything they want.
As each executive attendee unpacked their respective stories about dealing with customers, the different challenges they posed and how they approached finding a solution, there was also a call to shift perspective in terms of access and control.
To that end, the term “purpose” was thrown around and applied to privacy.
Here we are talking about purpose-based access control, instead of the role- or attribute-based control that is more commonly known and practised.
This focuses on the lawful and ethical elements of how data is collected, stored and shared by an organisation. If that permeates your thinking when it comes to dealing with customer data, it addresses the why of security.
A purpose-driven approach could help organisations better overcome the breach by framing everything from a business perspective and developing enforceable policies around it.
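To make the contrast concrete, here is an added example (not from the roundtable or any product it discussed) of a purpose-based access check beside a role-only check. It assumes a hypothetical policy table mapping roles to purposes and a constructed customer record whose subject consented to a single purpose at collection time.

```python
# Added example: role-only versus purpose-based access decisions.
# Policy table and sample record are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Record:
    subject: str
    fields: dict
    consented_purposes: set   # purposes the subject agreed to at collection

# Hypothetical policy: which roles may act for which purposes.
ROLE_PURPOSES = {
    "support_agent": {"service_delivery"},
    "marketing": {"marketing"},
    "dba": {"service_delivery", "backup"},
}

def role_only_allows(role: str) -> bool:
    """Classic role check: any recognised role may read customer data,
    regardless of why the data was collected."""
    return role in ROLE_PURPOSES

def purpose_allows(role: str, purpose: str, record: Record) -> bool:
    """Purpose-based check: the request must name a purpose, the role must be
    permitted for that purpose, AND the data subject must have consented to
    that purpose when the data was collected."""
    return (purpose in ROLE_PURPOSES.get(role, set())
            and purpose in record.consented_purposes)

def access(role: str, purpose: str, record: Record, audit: list):
    """Apply the purpose check and log an audit entry for every decision,
    so a regulator can later see why each access was allowed or denied."""
    allowed = purpose_allows(role, purpose, record)
    audit.append((role, purpose, record.subject, "ALLOW" if allowed else "DENY"))
    return record.fields if allowed else None

# Constructed sample: customer consented to service delivery only.
SAMPLE = Record("cust-001", {"email": "customer@example.invalid"},
                {"service_delivery"})
```

With this record, the marketing role passes the role-only check but is denied under the purpose check, because the subject never consented to marketing use.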