Security best practice includes sound contingency planning

Looking back at the security failures of 2019 is entertaining, but they ought to be set against the progress many organizations made in adopting best practice when the security ledger for the year is drawn up.

Security success stories tend to start with an effective security policy, coupled with a training program and sound contingency planning, a combination that many organizations still lack.

But businesses and public sector bodies are moving to improve the way they secure personal information, not least because of the harsh fines imposed by tightened data protection rules such as the EU’s General Data Protection Regulation (GDPR).

Requirements for companies to disclose breaches, whether under GDPR or many of the data breach notification laws found throughout the US, are among the main reasons why organizations are starting to become more open about any data loss that they may experience.

This has also prompted change in the way a business collects and uses data, and in how it keeps its customers informed. Increasingly, user or customer education is part of a company’s data security team remit.

Businesses are also finding that a purely perimeter-based approach – building ever-higher walls around systems and data – is unsustainable. A strong data protection policy, in short, is better for business.

This approach is known as “data stewardship”.

Why it’s worth investing in data stewardship

“Data stewardship starts with an effective data strategy,” Dr Sanjana Mehta, head of market research strategy for EMEA at (ISC)², the security professional association, told The Daily Swig.

“This means asking fundamental questions such as: what data is an organization collecting? What is the purpose of storing or processing that data? And are the data subjects fully aware of and have they consented to these purposes?”

An organization should collect only the data it needs for its business processes, and it should inform the customer, citizen, or employee why the data is needed, how it will be processed, and for how long it will be kept. The GDPR, for example, gives individuals in the EU a legal right to erasure, commonly known as the ‘right to be forgotten’.

Unless organizations practice good data stewardship – knowing what data they hold and where it is – they will not be able to meet the obligations set out under the GDPR, or under any similar data protection law passed in 2020.

“Organizations continuously tread a fine balance between optimizing data processing to inform strategic decisions which means providing more people access to more data and securing the interests of their data subjects, which means tightening access to data,” Dr Mehta said.

“Companies must take data stewardship seriously and grasp its true value so that their customers’ personal data is better protected,” cautions Tim Ogle, a cybersecurity expert at PA Consulting.

“We see organizations invest large sums in the latest technology that they think will fix all their problems. They often find that the technology does not provide all the benefits they first envisaged, and that it is now a new monster they need to feed.”

Ogle added: “Businesses that don’t just see data stewardship as a tick-box exercise will fare better in the long run.”


Clean data is good for business

Good data management makes it easier to protect information. The business can target protection measures – including firewalls, encryption, and data loss prevention (DLP) tools – at the data that matters, and train staff to reduce accidental data loss. This is hardly news to CISOs.

But minimizing data collection, and being clear about why data is needed, goes further. It is also about trust.

“I have been saying for a couple of years that you can’t have customer experience without permission,” Darren Guarnaccia, chief strategy officer at Crownpeak, a digital experience management company, told The Daily Swig.

“Part of that experience is trust… So much of that has been eroded through events of the last couple of years. Brands have to earn some of that back.”

This is why Guarnaccia advocates an open approach to data policies, as well as on-going training for employees. His views are echoed by Phil Slingsby, head of governance, standards and assurance at converged ICT services supplier GCI.

“As a tech company it’s easy to forget the importance of people,” Slingsby warns. “Privacy, in particular, is a human right, so it’s fundamentally focused on people.”

He told The Daily Swig: “To be as effective as possible when it comes to data protection, we’ve had to get better at engaging with our people and integrating data protection into the fabric of how we do business.

“This has meant a shift in priority away from just being certificated to things like [the] ISO 27001 [security standard], and more towards ensuring that we are actually ‘doing the right things’ when it comes to data protection.”

Good shepherds

Clear and relevant data collection policies are vital. Some organizations go further, and actively promote data and privacy protection to their customers, as well.

Mozilla, the organization behind the Firefox browser, promotes a free service that lets internet users check whether their accounts have appeared in known data breaches, for instance. The service holds breach data going back to 2007.

And Nest, the Google-owned smart home company, set up a service last year warning users about password breaches, even if they were found to affect rivals’ hardware.

But our favorite is the privacy policy video from European low-cost airline easyJet. In a parody of those in-flight safety videos frequent travellers largely ignore, it sets out why the business collects data, and how it might even lead to lower fares.
