It has long been said that ‘knowledge is power’ but never has that been more pertinent than it is for businesses today. Dragan Petkovic, Security Product Leader ECEMEA at Oracle, says what businesses know is a key differentiator.
Data is an increasingly valuable asset and those businesses best set up to extract maximum value from the data they collect and create are in a very strong position to succeed. But there are still significant hurdles to overcome, not least related to compliance and security.
As the value of data has increased, so has the scrutiny on how it is collected, stored and used, as well as who has access to it, where and when.
Headline-grabbing data breaches across organisations in entertainment, financial services, retail, telecoms and the public sector have put everybody on notice that they want neither the reputational damage nor the regulatory penalties that can follow a data breach.
Keeping data secure, understanding its value
But organisations should not keep their data secure only because they have to. They should keep it secure because it is valuable and represents the future of their business. They should love their data and should not see keeping it secure as a chore. Every organisation should ensure its processes, its training, even its culture, are focused on recognising and respecting the value of its data. It should also have clear ownership within the organisation, in the shape of a data protection officer (DPO) under GDPR or an Information Officer under PoPI, working alongside a compliance officer and a chief information security officer (CISO).
However, the onus is not just on responsible, forward-looking organisations to determine what constitutes the right level of data protection. Governments and lawmakers are increasingly setting and enforcing the standards.
The EU's General Data Protection Regulation (GDPR), which applies from May 2018, is the latest high-profile example of new regulation imposed on the way organisations handle and use personal data. And while it is an EU regulation, its reach is extraterritorial: it applies to any organisation, wherever it is based, that processes the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour.
In South Africa, the regulations under the Protection of Personal Information Act (PoPI), which was signed into law in 2013 but is not yet fully in force, are expected to be tabled in parliament in the coming months, with publication of the final regulations anticipated in April 2018.
The PoPI Act enshrines the constitutional right to privacy by safeguarding personal information through regulating the way in which it is processed and providing individuals with recourse should their personal information not be processed in accordance with the Act.
The Act states that organisations must take appropriate, reasonable measures to protect personal information against unlawful access or processing, as well as loss, damage or unauthorised destruction. It also requires the responsible party to identify all reasonably foreseeable internal and external risks, establish and maintain safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update them in response to new risks.
Treating data with respect
Of course, while complying with the letter of specific laws can be a painstaking process, the wider need to continually review, refine and improve on existing compliance and security measures should be hard-wired into the ways of working of every business that handles valuable data. It shouldn’t take new regulations to make a company assess whether it is doing enough to protect its data.
So how do businesses approach the task? At the heart of PoPI and GDPR is a clear focus on assessment, prevention and detection and those are useful, albeit high-level starting points for every business seeking to protect its data and treat it with respect and responsibility.
Assess: Assessment is crucial. A lot of organisations have grown in a piecemeal fashion, with lines of business working in isolation and introducing their own applications and processes. Similarly, employees have, over time, circumvented rules and policies in ways that may make sense to them but which undermine data protection and compliance. Organisations need an accurate picture of the problems they face before they can fix them: an inventory of what personal data they hold, which systems and backups it lives in, who can access it and why, and where it flows to third parties.
Prevent: Once organisations know everywhere their data resides and where it is in use, they need to be able to set and enforce rules and implement robust defences that prevent unauthorised actions and protect against threats inside and outside the organisation, whether accidental or malicious. The next step is ensuring that anybody outside the organisation, or anybody without privileged access, cannot use sensitive data even if they get hold of it. Encryption at rest and in transit must be used as standard, with keys held separately from the data they protect, but businesses should also review the data they use to understand whether they are carrying unnecessary risk. For example, anonymising customer data does little to impact its usefulness for analysing sales trends but dramatically reduces the sensitivity of that data. The distinction matters: pseudonymised data, where identifiers are replaced by tokens that could be reversed with a key, is still personal data under GDPR, whereas properly anonymised data falls outside its scope.
Detect: Vigilance is a vital part of compliance and security best practice. Automation can play a significant role in identifying anomalous behaviour and triggering defensive measures based on established threat criteria. That requires logging access to sensitive data with enough context (who, what, when, from where) to make a decision. Systems need to be able to make smart assessments of who is accessing information, when and why, and base responses on pre-agreed threat criteria, such as locking out a user whose behaviour contravenes security and compliance best practice before they are able to access, move or use sensitive data. The thresholds need tuning against normal usage, or automated lockouts will hit legitimate staff as often as attackers.
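The Prevent and Detect steps above are easier to see in working code. The following is an added example written for this page; it is not Oracle's code or the author's. It assumes a keyed pseudonymisation secret, a constructed set of customer sales records and a constructed access log, and two assumed policy thresholds (50 sensitive records in 10 minutes, and business hours of 07:00 to 19:00). It shows that pseudonymised records still give the same monthly sales totals as the raw ones, and that simple pre-agreed criteria applied to access events are enough to single out a bulk, out-of-hours reader for lockout.

```python
"""Added example (not from the article): pseudonymise customer records for
trend analysis, then apply pre-agreed detection criteria to access events."""
import hashlib
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical secret for keyed pseudonymisation. In practice it lives outside
# the analytics environment so analysts cannot reverse the tokens.
PSEUDONYM_KEY = b"rotate-me-and-keep-me-out-of-the-warehouse"

# Constructed sample sales records (not real customers).
SALES = [
    {"customer_id": "C1001", "name": "A. Naidoo", "email": "a.naidoo@example.com",
     "postcode": "8001", "month": "2018-01", "amount": 120.0},
    {"customer_id": "C1001", "name": "A. Naidoo", "email": "a.naidoo@example.com",
     "postcode": "8001", "month": "2018-02", "amount": 80.0},
    {"customer_id": "C2002", "name": "B. Smith", "email": "b.smith@example.com",
     "postcode": "2196", "month": "2018-01", "amount": 300.0},
]


def pseudonymise(record, key=PSEUDONYM_KEY):
    """Keep only what trend analysis needs; replace the identifier with a keyed token.

    HMAC (not a bare hash) so that someone with a customer list cannot simply
    hash each ID and match tokens. The key holder can still link records,
    which is why this is pseudonymisation, not anonymisation.
    """
    token = hmac.new(key, record["customer_id"].encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "customer_token": token,
        "region": record["postcode"][:2],   # coarsen location to limit re-identification
        "month": record["month"],
        "amount": record["amount"],
    }


def monthly_sales(records):
    """Sales trend that works identically on raw or pseudonymised records."""
    totals = Counter()
    for r in records:
        totals[r["month"]] += r["amount"]
    return dict(totals)


# Constructed access-log events (not real): who read which sensitive record, when.
# alice: two reads during the working day. mallory: 60 reads, 5 s apart, at 02:01.
ACCESS_LOG = [
    {"user": "alice", "record": "C1001", "ts": "2018-03-05T09:12:00"},
    {"user": "alice", "record": "C2002", "ts": "2018-03-05T09:15:00"},
] + [
    {"user": "mallory", "record": f"C{1000 + k}",
     "ts": (datetime(2018, 3, 5, 2, 1, 0) + timedelta(seconds=5 * k)).isoformat()}
    for k in range(60)
]

RATE_LIMIT = 50                  # assumed policy: sensitive records per window
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)    # assumed policy: 07:00-18:59 local time


def evaluate_access(events, limit=RATE_LIMIT, window=WINDOW):
    """Return {user: [reasons]} for users whose behaviour breaches the criteria."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))

    verdicts = {}
    for user, times in by_user.items():
        reasons = []
        # Sliding window: count events within `window` ending at each event.
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if i - start + 1 > limit:
                reasons.append(f"{i - start + 1} sensitive records within {window}")
                break
        off_hours = sum(1 for t in times if t.hour not in BUSINESS_HOURS)
        if off_hours:
            reasons.append(f"{off_hours} accesses outside business hours")
        if reasons:
            verdicts[user] = reasons
    return verdicts


def users_to_lock_out(events):
    return sorted(evaluate_access(events))


if __name__ == "__main__":
    print(monthly_sales(SALES))
    print(monthly_sales([pseudonymise(r) for r in SALES]))
    print(evaluate_access(ACCESS_LOG))
    print("lock out:", users_to_lock_out(ACCESS_LOG))
```

Running the block shows the same monthly totals from both datasets and a lockout verdict for mallory only; alice's daytime reads trip neither rule. The region coarsening and the separate key are the two design choices that keep the analytics copy useful while lowering its sensitivity.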
As a sign of their ambition to succeed in a data-driven economy, where knowledge is most definitely power, businesses should love their data enough to want to protect it at all costs.
If they do so they will have the confidence and capability to really explore the full value of their data. Because compliance is the starting point for digital success, not an end. How businesses use their data will be what sets them apart and what makes them love their data even more.