teiss guest blogger Adam Strange explains that privacy by design, underpinned by data classification, is an essential component of compliance with the Data Protection Act and GDPR.
Achieving compliance across a wealth of new international data privacy laws and regulations is a growing challenge, with many organisations struggling to keep pace. A significant number still have not yet invested in data discovery and classification in their efforts to help fulfil compliance obligations.
Add to this the open systems that employees have in place to communicate through the supply chain, especially in the new remote working environment established by COVID-19, and businesses are at risk of significant data breaches.
Landscape of regulatory change
Serious data breaches and incidents of cyber-intrusion have resulted in a myriad of regulations coming into force across the globe, including GDPR, CCPA, the Australian Privacy Act, DPTM and the Japanese Privacy Law. These will only grow as businesses scramble to make sure they are compliant.
The extent to which businesses are concerned about meeting new regulations was evident in recent calls to delay the start of enforcement of the CCPA, scheduled for July 1, 2020, because of disruption caused by the COVID-19 pandemic. There is no doubt that businesses are facing a heavier burden than ever before when it comes to proving they are meeting data protection and cyber-security obligations. However, higher authentication should not be thought of as a burden. It is a must for businesses if they wish to remain secure.
Covid-19 creates an escalating threat environment
You only have to look at recent cyber attacks like those faced by Honda to see that the threat landscape is intensifying. The COVID-19 pandemic has created additional security threats, as organisations face increasing risks from threat actors looking to take advantage of the increased proportion of employees working from home. Being away from the office in an unfamiliar working environment, with the domestic distractions that come along with it, means the frequency of breaches is likely to increase because security is not at the forefront of people’s minds.
Some of the biggest threats associated with the pandemic include phishing emails, spearphishing attachments, cybercriminals masquerading as fake VPNs, remote meeting software and mobile apps, and a new family of ransomware known as Coronavirus that has recently been reported.
However, not all threats are external. A high percentage are caused by simple employee errors like inadvertently sending a file to the wrong person by email. In fact, according to a recent Forrester report by analyst Heidi Shey entitled “The State of Data Security and Privacy, 2020”, among breaches in the past 12 months, 46% involved insiders like employees and third-party partners. This can actually be more damaging, as businesses are expected to have a strong hold on their own internal data and on who can access it.
Meanwhile, the tone from regulators remains unchanged, with the ICO stating that a crisis situation is no excuse for failing to meet data security obligations. So, if compliance penalties are not frozen whilst we are in a pandemic, businesses need to make sure they are covered more than ever whilst the risk of data breaches is greater.
Privacy by design
Investment decisions have to focus on protecting data. By incorporating technology that directly touches data, businesses can start to establish a compliance position in a regulated environment. But in order to do this, businesses need to first know where all their data is located, establish what is sensitive and what is not, determine appropriate access rights and in so doing control its movement. The better the visibility, the more compliant an organisation will be, which can then be used to drive competitive advantage.
In basic terms, they need to adopt a ‘Privacy by Design’ approach. This takes privacy into account throughout the whole process. Its foundation is Data Classification.
Classification by design
Data protection by design and default needs to be planned within the whole system, depending on the type of data and how much data a business has. Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings and metadata within the file. When classification is applied, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label.
Businesses need to mitigate attacks and employee mistakes by starting with policy, assessing who has access. Then they should select a tool that fits the policy, not the other way round: you should never be faced with selecting a tool and then having to rewrite your policy to fit it. This will then support users with automation and labelling, which will enhance the downstream technology.
Once data is appropriately classified, security tools such as Data Loss Prevention (DLP), policy-based email encryption, access control and data governance tools are exponentially more effective. They can read the information provided by the classification label and metadata, which tells them how data should be managed and protected.
Compliance can be a challenging task. However, businesses should see it as a positive, as customers who know their data will be secure, will trust businesses with their most important data.
Here are a few pointers to keep top of mind when looking at data classification and your compliance strategy:
- Data owners. IT security and operations do not own business data – so do not look to the CISO for all the answers. Data stewardship will correctly align to regulations only when the data owners are identified and engaged.
- Stakeholders. Identify and engage stakeholders right across the business, including risk, legal, and compliance. This is critical to the success of your compliance programme.
- Data users. Organisations must educate users as a whole about the sensitivity of data and ensure the appropriate controls are in place around confidential and sensitive information. Alert users when data is leaving the organisation to warn them before sending messages that contain sensitive information.
- Classification. Implement data classification. The first step is the need to classify or label data with visual labels to highlight any specific handling requirements. Then, ensure metadata labels enforce security controls to stop unauthorised distribution of data. Link data classification tools to solutions such as DLP, encryption and rights management to enhance overall data protection.
- Audits. Make sure you provide critical audit information on classification events to enable remediation activity and prove your compliance position to the regulatory authorities.
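To make the mechanism in the "Classification by design" section and the Classification and Audits pointers above concrete, here is an added worked example in Python. It is not Boldon James code or part of the original article: the label names, the policy table, the organisation domain example.com and the sample documents are all constructed for illustration. It shows a label being attached to a document as both a visual marking and metadata, a DLP-style gateway deciding whether an email may leave based only on that metadata (unlabelled data is held back by default), and every classification and enforcement event being written to an audit trail.

```python
"""Toy data-classification pipeline: labels as metadata, enforced downstream.

Added example, not the article's or Boldon James's code. Label names,
policy rules, the organisation domain and the sample documents are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Handling policy per label, least to most sensitive (constructed example;
# in practice the data owners, not IT, decide these rules).
POLICY = {
    "Public":       {"external": "allow",   "encrypt": False},
    "Internal":     {"external": "block",   "encrypt": False},
    "Confidential": {"external": "encrypt", "encrypt": True},
    "Restricted":   {"external": "block",   "encrypt": True},
}
INTERNAL_DOMAIN = "example.com"  # assumed organisation mail domain

AUDIT_LOG = []  # classification and enforcement events for audit/remediation


def audit(event, **details):
    """Record a classification or enforcement event with a UTC timestamp."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "event": event, **details}
    AUDIT_LOG.append(entry)
    return entry


@dataclass
class Document:
    name: str
    body: str
    metadata: dict = field(default_factory=dict)


def apply_label(doc, label, owner):
    """Attach a classification label as metadata and as a visual marking."""
    if label not in POLICY:
        raise ValueError(f"unknown classification label: {label}")
    doc.metadata["classification"] = label
    doc.metadata["owner"] = owner
    marking = f"[{label.upper()}] "
    if not doc.body.startswith(marking):
        doc.body = marking + doc.body  # visual marking users can see
    audit("labelled", document=doc.name, label=label, owner=owner)
    return doc


def dlp_decision(doc, recipient):
    """Decide what an email gateway should do with doc sent to recipient.

    Returns "allow", "encrypt", "block" or "classify-first". The decision
    is driven purely by the label metadata, not by inspecting the body.
    """
    label = doc.metadata.get("classification")
    if label is None:
        # Privacy by default: unlabelled data does not leave until classified.
        decision = "classify-first"
    else:
        domain = recipient.rsplit("@", 1)[-1].lower()
        rule = POLICY[label]
        if domain == INTERNAL_DOMAIN:
            decision = "encrypt" if rule["encrypt"] else "allow"
        else:
            decision = rule["external"]
    audit("dlp", document=doc.name, recipient=recipient,
          label=label, decision=decision)
    return decision


if __name__ == "__main__":
    plan = Document("q3-plan.docx", "Q3 expansion plan")          # constructed
    print(dlp_decision(plan, "partner@supplier.example"))        # classify-first
    apply_label(plan, "Confidential", owner="finance")
    print(plan.body)                                             # [CONFIDENTIAL] ...
    print(dlp_decision(plan, "partner@supplier.example"))        # encrypt
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keeping the decision logic separate from the body text is that any downstream tool (DLP, email encryption, rights management) reads the same `classification` metadata rather than re-deriving sensitivity on its own, and the `AUDIT_LOG` entries are what you would hand to a regulator or use to find mislabelled data during remediation.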
With this methodology in place, businesses have a firm foundation for onward compliance, as well as long-term competitive differentiation and efficiency.
Adam Strange is Global Marketing Director at Boldon James, pioneers in data classification and secure messaging.