Businesses in the Middle East need to get serious about data protection if they don’t want to be exposed to significant risks. Gordon Love, Vice President – EMEA Emerging Region, Symantec, provides us with a timely reminder about the importance of data protection.
In 2017, we saw attacks like Shamoon, WannaCry and Petya making headlines. According to Symantec’s 2017 Internet Security Threat Report (ISTR), UAE was the second most targeted country (after Saudi Arabia) for ransomware attacks in the Middle East and Africa.
Furthermore, Symantec found one in 136 emails in the UAE contained a malicious link or attachment. Large enterprises (more than 2,501 employees) in the country received the most emails containing malware and phishing.
Mega breaches are a stark reminder to not only have robust cybersecurity measures in place but also the importance of data protection. With the rise of digitisation it takes just one simple but sophisticated attack to cripple critical infrastructure across various industries. In the Middle East governments have set up regulations to thwart cyber-attacks.
The National E-Security Authority, established in 2012, regulates the protection of the communications networks and information systems in the UAE. The authority is dedicated to data protection and online privacy – two main priorities to the UAE government when it comes to cybercrime and e-security.
On an international level, the General Data Protection Regulation (GDPR) comes into force in the 28-member states of the European Union in May 2018. GDPR toughens rules around obtaining consent to process data. It impacts all organisations worldwide that do business with individuals or companies in the EU, and therefore, treat their personal data.
Many of the Middle Eastern organisations, including ones in the UAE, are therefore required to comply. This regulation forces companies, whether based in the EU or outside, to tell consumers whenever a serious breach occurs. The new regulation sets much more stringent standards for data protection. It means that companies can be forced to stop collecting or processing data and even face fines of up to €20 million or 4% of global revenue, whichever is larger.
But for companies that suffer a significant data breach, fines are just the start of their problems. Data loss can cause significant brand damage and customer attrition as well. But what does a significant data breach really mean for businesses in the Middle East?
Businesses need to get serious about protecting their data
A survey by Aruba Networks found out that employers in the Middle East were more likely to say Yes to BYOD, as compared to companies in other parts of the world. That means a lot of companies do not have any control on these devices. Once data is on those devices, it can go anywhere and be viewed by anyone outside of the company who has access to those devices.
That’s not all. Employees – or even entire departments – can sign up for cloud applications that have not been approved by IT and are operated without any IT oversight. Once data has been uploaded to cloud email, storage services or one of the many popular online CRMs, the business has little or no control over how it is shared, accessed or modified. There is also no guarantee that the cloud app itself stores and secures data in a way that complies with national data protection laws.
With the sheer volume of data and the speed at which it moves around organisations, these factors have made data protection a critical issue for every business. They need to get a better understanding of the data they are dealing with, how much of this data is particularly sensitive, where this data is transferred, how they can protect it, and how they can detect and respond to a data loss incident if it actually takes place. But without any visibility into data risks, this can prove quite a challenge.
You need to follow your data, everywhere it goes
The Symantec State of Privacy report in 2015, highlighted how consumers consider privacy the most important criterion when they go online to buy goods or when they establish some sort of relationship with organisations, private and public.
Technologies like Active Directory or LDAP give organisations the ability to specify how each user on the network may access, edit and share any piece of data. That was fine when data didn’t leave the network and was only shared between authorised corporate users but is insufficient today when data is as mobile as the devices your employees have in their pockets.
The answer is to secure documents using technology that is applied at the data level. When a document is uploaded to Dropbox or Google Drive, the access and editing permissions your IT department specified for that document should follow it into the cloud.
Even if a document is widely shared online – and recent research shows that 20% of documents are broadly shared – it will be strongly encrypted and only authorised personnel with the proper credentials should be able to open and edit it.
Unauthorised users will be unable to make any use of the data to cause harm to the individuals or the company. Without this level of control, you run the risk of personal data falling into the wrong hands, company documents and internal discussions coming to light in a way that may hurt the company’s reputation, your company’s intellectual property leaking into the public domain, as well as demonstrating sub-standard data protection practices that can run afoul of GDPR.
Evaluating 12 vendors across competitive buying criteria, Gartner named Symantec as a Leader in the Magic Quadrant for Data Loss Prevention for the 10th year in 2017. Some of the world’s largest brands entrusts Symantec with protecting their invaluable data. One of the many reasons why is that we provide the broadest coverage of data loss channels: cloud and web apps, endpoints, data repositories, and network communications including encrypted SSL. Furthermore, we make it easy to manage and deploy Data Loss Prevention with a powerful management console and flexible deployment options ranging from on-premises and private clouds to hybrid and public clouds.
A broader view of data risks
The coming into force of the GDPR is imminent. Organisations in the Middle East need to start preparing for it now and adopt the necessary information management solutions for compliance. The consequences of not doing so could be immense. A recent study found that, in the UK, the companies fined in 2015 would have cost 79 times more under the GDPR. In one instance, a fine would have risen from £400,000 to £59 million. Data protection authorities could also force organisations to stop collecting or processing data, which could prove even worse than any fine for data-driven companies like online retailers.
But our understanding of the risks posed by data loss should not stop at the legal consequences. A 2017 study found that stock prices fall by an average of 5% in the wake of a major data breach and customer churn increases by as much as 7%.
Only by applying security that can intelligently identify sensitive data across your extended organisation and following it in unmanaged and managed environments on the corporate network or in the cloud, can businesses adequately protect themselves against these risks.
Click below to share this article