As data privacy and protection become a priority for organisations, we start to wonder if there is a perfect strategy to safeguard our data in all scenarios.
According to Gartner, 65% of the world’s population will have its personal data covered under various privacy regulations by 2023 — up from 10% in 2020. It may then be easy to assume that most organisations have watertight policies in place to protect our personal information.
Yet Singapore has received the dubious honour of being ranked sixth in the world for the number of exposed databases. With recent breaches targeting large and established organisations such as Redmart and MyRepublic, the situation may soon worsen unless organisations enhance their cybersecurity stance.
Organisations can no longer turn a blind eye to data privacy and protection, especially when a recent study by Visa found that consumers are looking to gain more control of their data.
The government has also introduced more stringent measures to ensure data privacy: amendments to Singapore’s Personal Data Protection Act increase fines for data breaches to SG$1 million or 10% of the organisation’s turnover, whichever is higher. The Inter-agency Counter Ransomware Task Force was also created to strengthen the country’s defences, thwart ransomware attacks, support recovery, and collaborate with international partners for a well-coordinated global response to the problem.
Despite these initiatives, navigating this complex environment of compliance and policy continues to be challenging for both individuals and companies. Is there a prescription for a successful data management and data protection strategy? What do organisations need to do?
Let’s review the top five things to consider when managing data privacy and data protection:
1) Data protection and sovereignty strategy
As a first priority, organisations should create or update their data privacy, backup and recovery, and disaster recovery plans as part of an overall data protection strategy. A reliable data protection plan has many facets, and each should be related back to protecting the private data that customers have shared with the organisation.
Regulations around the sovereignty and storage of private data must also be considered. This includes addressing data storage and compliance concerns, such as ensuring adherence to regulations regarding the regions in which snapshot and data protection storage will be used.
2) Encryption and multi-person authentication
Next, encryption plays a crucial role in data protection and safeguarding private data. Implementing data encryption, both at rest and in transit, helps prevent unauthorised access to personal information, particularly when dealing with large volumes of private data.
In today’s landscape, data is no longer confined solely to corporate data centres. Many organisations use one or multiple public clouds for storing workloads and data. Implementing encryption throughout the lifespan of the data helps organisations secure their information, mitigating potential attacks, and avoiding complex recovery challenges in the future.
In addition to encryption, organisations should prioritise safeguarding their systems against malicious attacks. One effective measure is the use of multi-person authentication (MPA) for data protection. MPA requires approvals from multiple pre-approved users before a critical task can proceed, providing an extra layer of security. Despite its simplicity, this approach is often overlooked, yet it serves as an effective measure to prevent data exfiltration or deletion.
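The MPA gate described above, as an added example that is not code from the article or any product it mentions: a destructive task (deleting backup snapshots) proceeds only when a quorum of distinct, pre-approved users has issued a fresh approval for that exact task. The roster, quorum size, approval lifetime, task ids and fixed clock are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Roster of pre-approved users and quorum size (constructed sample policy).
PRE_APPROVED = frozenset({"alice", "bob", "carol", "dave"})
QUORUM = 2                              # distinct approvers required
APPROVAL_TTL = timedelta(minutes=15)    # approvals older than this are stale

# Fixed "current time" so the example runs deterministically offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Approval:
    user: str         # who approved
    task_id: str      # which critical task (e.g. a snapshot deletion request)
    issued_at: datetime


def approval(user, task_id, minutes_ago=0, now=NOW):
    """Build a constructed Approval issued `minutes_ago` minutes before `now`."""
    return Approval(user, task_id, now - timedelta(minutes=minutes_ago))


def counted_approvers(task_id, approvals, now=NOW):
    """Distinct pre-approved users holding a fresh approval for exactly this task.
    Duplicate approvals from one user, approvals from users outside the roster,
    approvals for another task, and stale or future-dated approvals are ignored."""
    return {
        a.user
        for a in approvals
        if a.task_id == task_id
        and a.user in PRE_APPROVED
        and timedelta(0) <= now - a.issued_at <= APPROVAL_TTL
    }


def mpa_authorised(task_id, approvals, now=NOW):
    """True only when at least QUORUM distinct pre-approved users have approved."""
    return len(counted_approvers(task_id, approvals, now)) >= QUORUM


def delete_snapshots(task_id, snapshot_ids, approvals, now=NOW):
    """Gate a destructive operation behind MPA; returns the ids that were deleted.
    The deletion itself is simulated here (no storage backend is touched)."""
    if not mpa_authorised(task_id, approvals, now):
        raise PermissionError(f"task {task_id}: MPA quorum of {QUORUM} not met")
    return list(snapshot_ids)  # placeholder for the real backend call


if __name__ == "__main__":
    ok = [approval("alice", "del-42", 1), approval("bob", "del-42", 2)]
    print(delete_snapshots("del-42", ["snap-1", "snap-2"], ok))
```

The check deliberately binds each approval to a task id and a short lifetime, so an approval collected for one routine job cannot be replayed later to authorise a different deletion.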
3) Data governance and discovery
In a BlueFort Security 2022 survey, 57% of CISOs admitted they don’t know where some or all of their data is, or how it’s protected. As the amount of data continues to grow, the increasing number of regulations has led to confusion about what and how private data should be protected.
For example, immutable storage, which prevents data from being modified or deleted, should be applied only to data that is crucial to the organisation. Making that decision requires organisations to understand their data, where it resides, and the associated risks. After all, you cannot protect what you don’t know about!
4) Classification of data and retention
Knowing what data exists and where it resides is only part of the puzzle. Organisations must consider which of their data is private and belongs to customers, which is business-critical, and any other relevant categories based on its importance to the business and customers. Relying solely on protecting on-premises data may overlook critical customer data stored in the cloud or with SaaS solution providers.
However, it is not enough to depend on SaaS vendors or IaaS cloud providers alone for data protection. While they may provide some level of protection and redundancy, a solid data protection plan is irreplaceable.
Additionally, it is crucial to be aware of and consider the data’s relevance over time. Identifying and classifying data based on its lifespan can help reduce the risk of data sprawl and lower costs. Efficiently managing governance, risk, and compliance requires a comprehensive approach to unified data management.
5) Resilience plan testing, incident response, and risk assessment
Resilience plan testing, usually captured in a runbook, is an often overlooked aspect of a data protection strategy. However, creating a plan or updating an outdated one can be a daunting task. Partnering with solution providers or experienced data protection companies can significantly streamline the process.
While some organisations may view runbooks as passé, the strategy can prove to be invaluable during true disaster recovery events or ransomware attacks. Maintaining a regular update cadence for runbooks establishes an organisational posture that is well-prepared to confront data security threats.
In addition to runbooks, it is advisable to work with strategic vendors for semi-annual or annual risk assessments. Scheduled assessments contribute to the development of solid data protection and data privacy practices.
By implementing these considerations and regularly refreshing your resilience plan, you can have confidence in the security and compliance of personal information in accordance with the latest privacy regulations.