Last Saturday was Data Protection Day. With GDPR fast approaching and hacks exposing everything from local Scottish councils to banks to electoral booths, the need to recognise the importance of protecting a company’s data is paramount.
Data Protection Day is an opportunity – albeit a whimsical one – to further raise awareness about the need for organisations to protect their data properly.
Why is data protection important?
With the increasing scale of data breaches and hacks we’ve seen recently everyone is asking Why data protection is important. Data Protection Day has become more important than ever, just this week a hacker took control of a hotel’s key card system, locking guests in their room until a ransom was paid.
The fact so much of our society is now tied to computers – our money, our cars, our homes, even medical devices – leaves us all vulnerable to hackers with malicious intent.
>See also: Dealing with apparently “minor” regulation
This only serves to emphasise the importance of good data protection practices that should be implemented throughout society, not just in the workplace.
According to the EU’s GDPR website, the legislation is designed to “harmonise” data privacy laws across Europe as well as give outstanding protection and rights to individuals.
- Makes data protection laws fit for the digital age in which an ever increasing amount of data is being processed.
- Empowers people to take control of their data.
- Supports UK businesses and organisations through the change.
- Ensure that the UK is prepared for the future after we have left the EU.
What is the danger, in the BYOD era, of the cross-pollination of personal and corporate data?
The danger with cross-pollination of corporate data on employees’ personal devices is that once an employee leaves a company, they do so with sensitive company data.
If this company data leaks into the wild, it can be used for targeted attacks on their previous employer, including phishing attacks on company employees.
Given the typical employee stays with a company for four years, companies on average turnover 25% of their employees annually. In a mid-sized company of 1000 people, that’s 250 departures and a lot of potential leaks.
One way to resolve this is to enforce good data practices by having two accounts on a single laptop; one for company data and apps, and another for personal use. Companies can remain in control of the corporate account and revoke access once a user has left the company.
Why are attacks on the cloud increasing?
The amount of cloud data each person uses is expected to triple from 2015 to 2020, which can be used in a wide variety of attacks.
>See also: Data hoarding creates a digital wasteland
Roughly half of such attacks are committed by cyber-criminals, as opposed to hacktivists, nation states, terrorists, or competitors.
How can organisations secure data in the cloud?
From an identity perspective, it means using strong authentication methods – sufficiently complex, hard-to-guess passwords that are regularly rotated – combined with a second factor of authentication, such as an authenticator application.
Cloud access security brokers, or CASBs, are also helpful to detect suspicious user behaviour. For example, if one user is accessing an application from two geographically remote locations (say, the UK and US), an identity cloud will be signalled to revoke access, as it’s likely they’ve been compromised.
What does implementing a successful cyber security strategy entail?
In addition to using an identity cloud and CASB, companies need to strengthen phishing defences.
Companies should conduct regular phishing assessments with employees, by sending a phishing email and tracking how many fall for the scam.
Ideally, such assessments should be done on a monthly basis, with failure rates published and learning sessions conducted with employees.
Also helpful for phishing, is to have a closed employee messaging system, such as Slack, which cannot be accessed from outside the company.
This is helpful in mitigating phishing attacks that use an urgent message, supposedly from a senior executive, to entice users to click a malicious link or open an infected file.