On 26 January 2006, the Council of Europe (CoE) launched Data Protection Day to celebrate Convention 108 (CETS 108) – the first legally binding international instrument to address the protection of individuals with regard to Automatic Processing of Personal Data.
While deemed a “technologically-neutral, principle-based approach”, CETS 108 was updated in 2018 to “address the challenges for privacy resulting from the use of new information and communication technologies; and to strengthen the convention’s follow-up mechanism.”
The skeptic in me asks whether these efforts are sufficient. According to DLA Piper, “the aggregate daily rate of breach notifications in Europe experienced double digit growth for the second year running with 331 notifications per day since 28 January 2020, a 19% increase compared to 278 breach notifications per day for the previous year.”
Dexter Ng, CTO at Privacy Ninja, commented that with the pressure of digital transformation, some companies have lapses in cybersecurity and data security. With the enforcement of work from home, some employees have poor cyber hygiene at home. Common mistakes include using default passwords, using the same passwords across multiple accounts, not encrypting sensitive data and sharing it via WhatsApp and email, and not keeping software up to date, leading to cybersecurity breaches.
FutureCIO approached information technology firms for their recommendations on how to approach data protection in 2021.
“With widespread remote working; accelerated cloud migration and digital transformation, it’s never been more important to make data protection a priority. It’s important for organizations to focus on micro-segmentation in creating secure profiles for remote access and data protection. Beyond educating and training employees to transform them into a ‘human firewall’, organizations should also be deploying a security solution to secure and backup their data.” James Forbes-May, Vice President, Barracuda APAC
“Along with investing in comprehensive privacy management capabilities underpinned by information governance and automation, leaders should instil a culture of privacy within their organisation by going back to the basics of educating every employee on the importance of cyber hygiene. Each employee has a role to play and dedicating time to training sessions to ultimately achieve top-notch data protection satisfies regulatory requirements, curbs non-compliance penalties and most importantly, maintains customer trust.” Sumit Bansal, Managing Director, ASEAN and Korea, Sophos
“Business leaders need to establish the right protocols to classify, regulate, and protect sensitive data while enforcing the technical capabilities of the team. Leveraging innovative solutions that intelligently protect, govern, and manage data across an organization’s endpoints is a good starting point. Beyond protecting data stored on devices, employees also need to be aware of the protocols when transferring data between devices, or between environments such as from the data centre to the cloud storage and vice versa.” Sunil Mahale, Vice President, Sales Engineering & Emerging Technology, APJ, Commvault
“CIOs need to distinguish the critical from non-critical, essential from non-essential and zero in on systems that are critical. For critical systems, minimal access with reasonable and adequate controls to be run from the remote sites should be allowed only through secure connectivity. The organizational hierarchy must not be a yardstick to provide any access in the network. For instance, a CEO should not be granted access to the CBS or the database when working remotely as his role doesn’t require that access – this is zero trust in the most fundamental sense.” Bharat Panchal, Chief Risk Officer – India, Middle East & Africa, FIS
“Organisations need to use modern solutions that reduce data risks by accurately identifying, classifying, and taking corrective action on how they handle personal data. From a compliance perspective, PDPA is only the beginning. Let’s call for decisive actions from business leaders to foster trust in the digital economy.” Sheena Chin, Head of ASEAN, Cohesity
“Managers must learn to handle shadow IT and related security incidents as part of their new reality. The key is to combine mandatory upgrades with fundamental changes in corporate culture with regard to cybersecurity. One of the ways company leaders can motivate employees to embrace the change is by adjusting budget spending to focus more on security training and explaining potential risks, cybercriminal tactics, as well as investing in protecting remote workplaces.” Stas Protassov, Acronis co-founder & Technology President
“But even the most advanced software is vulnerable to lapses by individual employees. Some high-profile breaches internationally – for example, the Twitter breach in 2020 – involve individuals letting their guard down in phishing or social engineering attacks. That is why companies should limit the number of privileged users as well as conduct repeated awareness campaigns internally – such as simulated phishing attacks.” Christian Fischer, Head of Technology at iSTOX
“As companies move to the cloud in the ‘new normal’, stringent data governance and privacy standards are needed for risk mitigation. Data governance & privacy needs to be a C-suite agenda and data protection standards need to be internalized through regular communications and mandatory training so that everyone understands the risk implications and works towards safeguarding the company data assets.” Tony Frey, VP & GM, Informatica Asia Pacific & Japan
“A traditional perimeter-level security setup works well when the data is within the confines of an organization. However, with data and devices that access it moving beyond the confines of an enterprise, a whole lot of unknowns are brought into the picture. Under this scenario where threats and risks galore, the significance of data protection at every step of the way increases manifold. IT teams have no other choice than to implement measures such as endpoint management, cloud access authentication and more.” Mathivanan Venkatachalam, vice president, ManageEngine