How the Disposable Nature of Tech is Putting Your Business's Data at Risk
Written by Rick Vanover, Senior Director Product Strategy at Veeam
It has become common practice for people to chase the latest technology trends. As tech becomes part of our everyday life, the lifecycle of our devices becomes shorter and shorter.
This is posing a huge issue to the sprawl of data.
With the lifecycle of tech shortening, many are abandoning old devices at second-hand stores (thrift shops) and selling them to new owners without thinking about the data and personal information that is left on there.
Many people are now working from home and opting to use a personal computer to get work done. This makes the challenge of controlling and managing your organisation's data near impossible. With data now sprawling across company and personal devices, there is no control over it, especially when a device is sold on to its next home, left behind at a second-hand store or thrown away.
To add to this, workplace trends like BYOD (Bring Your Own Device) are gaining popularity and making it harder for organisations to keep track of data. IT teams have less control over employees' personal devices, so protecting the data on them becomes a challenge. Things like a lack of encryption or outdated operating systems can lead to potential hacks and data loss.
This is something organisations need to consider when implementing a cyber security strategy. This means educating staff in understanding the risks involved with discarding old devices and setting up the right protections within an organisation.
Educating staff
The first step in managing this is for IT teams to educate employees about the risks involved with using personal devices for work purposes and then eventually discarding them. Employees should be trained in the security practices of the organisation and also understand how those practices translate to personal devices.
Part of this should be educating staff on how to properly wipe the contents of their phones before they eventually discard them to a second-hand store. This is not something that most organisations consider.
Employees also need to be briefed on how to identify potential malware, phishing, or ransomware attacks on their personal devices. If employees are able to identify these threats, it reduces the risk of data being lost in the first place.
Protections
If educating staff fails, there are some protections IT teams can manually put in place to mitigate risk even further.
• Constant software updates – if employees opt to use their devices for work purposes, this has to be on the condition that the device is updated regularly. Be sure to provide employees with the support necessary to deliver these updates.
• Password security – to minimise security risks, roll out a compulsory monthly password change. Also ensure that you are putting restrictions around the type of passwords employees are using, making them less obvious to potential hackers.
• Encrypt data for protection – smartphones and tablets have encryption options that protect their storage. Smartphones that are encrypted have a lower risk of being hacked.
• Clear all phone data – if employees decide to move on to a new device or stop using their current device, ensure that all data is deleted from that device and that a strict policy around discarding devices is in place.
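The four controls above can be turned into a check an IT team runs against its BYOD inventory, including a residual-data check on a retired device's storage before it leaves the building. The script below is an added example and is not code from the article or from Veeam; the device records, the storage images and the policy thresholds (30-day patch window, 12-character minimum, and the monthly rotation the article recommends) are constructed assumptions.

```python
"""BYOD compliance and device-retirement checks (added example, not the article's code).

Device records, storage-image samples and thresholds below are constructed
for illustration; the thresholds are assumptions, not figures from the article.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 30      # assumed: OS must have been updated within a month
MAX_PASSWORD_AGE_DAYS = 30   # the article's monthly password change
MIN_PASSWORD_LENGTH = 12     # assumed restriction on the type of password allowed
TODAY = date(2021, 10, 1)    # constructed reference date for the sample records


@dataclass
class Device:
    owner: str
    os_version: str
    last_os_update: date
    last_password_change: date
    password_length: int
    storage_encrypted: bool
    status: str = "active"       # "active" or "retiring"
    wipe_verified: bool = False  # set by retire_device() after the wipe check


def check_device(dev: Device, today: date = TODAY) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if (today - dev.last_os_update).days > MAX_PATCH_AGE_DAYS:
        findings.append("os-update-overdue")
    if (today - dev.last_password_change).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-rotation-overdue")
    if dev.password_length < MIN_PASSWORD_LENGTH:
        findings.append("password-too-short")
    if not dev.storage_encrypted:
        findings.append("storage-not-encrypted")
    if dev.status == "retiring" and not dev.wipe_verified:
        findings.append("wipe-not-verified")
    return findings


def audit_fleet(devices: list, today: date = TODAY) -> dict:
    """Map each owner to that device's findings."""
    return {d.owner: check_device(d, today) for d in devices}


def _has_printable_run(block: bytes, min_run: int) -> bool:
    """True if the block contains min_run or more consecutive printable ASCII bytes."""
    run = 0
    for b in block:
        run = run + 1 if 32 <= b < 127 else 0
        if run >= min_run:
            return True
    return False


def verify_wiped(image: bytes, block_size: int = 512, max_dirty_blocks: int = 0) -> bool:
    """Check a raw storage image for residual readable data after a wipe.

    A block is clean when it is entirely zero (overwrite wipe) or contains no
    long run of printable text (an encrypted or randomised device). Blocks
    with readable text are counted as residual user data.
    """
    dirty = 0
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size]
        if block.count(0) == len(block):
            continue
        if _has_printable_run(block, 16):
            dirty += 1
    return dirty <= max_dirty_blocks


def retire_device(dev: Device, image: bytes) -> Device:
    """Mark a device as retiring and record whether its storage passed the wipe check."""
    return replace(dev, status="retiring", wipe_verified=verify_wiped(image))


# Constructed sample inventory: one compliant device, one with every problem, one being retired.
SAMPLE_DEVICES = [
    Device("alice", "iOS 15.0", TODAY - timedelta(days=5), TODAY - timedelta(days=10), 16, True),
    Device("bob", "Android 9", TODAY - timedelta(days=200), TODAY - timedelta(days=90), 8, False),
    Device("carol", "iOS 14.8", TODAY - timedelta(days=20), TODAY - timedelta(days=3), 14, True,
           status="retiring"),
]

# Constructed storage images: fully zeroed, zeroed with leftover text, and ciphertext-like.
ZERO_IMAGE = bytes(1024)
RESIDUAL_IMAGE = bytes(512) + b"Customer list: alice@example.com, bob@example.com".ljust(512, b"\x00")
CIPHERTEXT_IMAGE = bytes((i * 131 + 7) % 256 for i in range(1024))  # no two adjacent printable bytes

if __name__ == "__main__":
    for owner, findings in audit_fleet(SAMPLE_DEVICES).items():
        print(f"{owner}: {'compliant' if not findings else ', '.join(findings)}")
    for name, img in (("zeroed", ZERO_IMAGE), ("residual", RESIDUAL_IMAGE), ("ciphertext", CIPHERTEXT_IMAGE)):
        print(f"{name} image wiped: {verify_wiped(img)}")
```

The wipe check is deliberately conservative: a zero-filled or encrypted disk passes, while any block with a readable text run is flagged, so a device that was only "factory reset" at the file-system level but still carries plaintext blocks fails and stays on the findings list until it is wiped again.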
As work from home has become the new normal this year, it is becoming increasingly complicated to manage the sprawl of a company’s data. While these agile work trends had been predicted for the next 5-10 years, organisations were not prepared for them to become so mainstream in 2021. As we look to the future, this is only going to become more and more complicated.
It's important for IT teams to understand all the risks as their companies take on more flexible working arrangements in the near future. A huge part of this is of course understanding the risks that come with using personal devices, particularly in the process of discarding them or sending them to a new home.
SECURITY AND PRIVACY GO HAND IN HAND
Ephrem Tesfai, the Sales Engineering Manager at Genetec, speaks about data security and data privacy
How has the need for data security and compliance changed over the past year?
The past year has uncovered vulnerabilities across multiple verticals as data security becomes a rising concern. The need for compliance to avoid potential breaches increases one news headline at a time. As seen in the Genetec EMEA Physical Security in 2021 report, physical security professionals have embraced digitalization and have started shifting their operations and data to the cloud. While this allows better data protection, it does not leave them immune to data breaches and cybersecurity risks.
The report also outlines that cybersecurity is more important than ever in the physical security industry following last year's events, with decision-makers in the sector choosing to prioritize it moving forward. As the focus on data security increases, so does the augmented need for compliance with local regulations. Complying with data security standards globally and regionally is becoming more important for consumers and companies. Both sides can benefit from compliance and be harmed by the lack of it for personal and legal reasons.
With the continuous evolution of technology, securing data has become more complex as the cybersecurity landscape is perforated with impending threats. Therefore, companies need to put together best-practice standards and frameworks to ensure that their data is secured and remain compliant with the relevant regulations. This begins with staying informed about new laws to reinforce cyber resilience and avoid penalties for non-compliance if your network is breached.
Companies need to be well prepared at all times, not only when expecting an audit. As data security can be compromised at any given moment, remaining compliant and implementing the correct methods to counter these risks is essential. For this, regular cybersecurity risk assessments are required.
Companies also need to create a data security framework based on access control and identification, which means stricter accessibility to footage on an internal basis to ensure that sensitive data is available only to those with the relevant credentials. Regulations concerning what is done with the video surveillance footage need to be set and define where the data is stored and the disposal of any irrelevant data.
Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
Since the General Data Protection Regulation (EU GDPR) came into force, many countries have been forced to reevaluate their existing data compliance regulations and frameworks, including those in the MENA region. With countries within the region operating differently, there is no one size fits all in terms of data protection regulations. For example, the UAE's Dubai International Financial Centre (DIFC), Dubai Healthcare City (DHCC), and Abu Dhabi Global Market (ADGM) have chosen to enact their own specific data protection laws. The latter has been inspired by the EU GDPR as well as other international best practices.
These rules and regulations outline the requirements for collecting, handling, disclosing, and using personal data in the different areas and the rights of the individuals whose personal data is held.
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
With countries within the region strengthening their data protection laws, Genetec aims to provide its clients peace of mind for both physical and data security. Physical security solutions should protect their clients' people and assets while also helping them remain compliant by integrating policy and regulations in the platform and allowing the creation of security and operational reports that act as evidence for audits.
Genetec products also highlight the need to provide robust cybersecurity defenses within physical security. As physical security solutions can be an entry point for threat actors to access enterprises' networks, it is essential to focus on how crucial it is to unblur the lines between physical and cybersecurity. Genetec solutions are built with core cybersecurity pillars in mind, including encryption, authentication, authorization, and privacy.
Do you believe the line between data security and data privacy has started to blur?
Security and privacy go hand in hand, and companies must maintain a balance between the two. Securing the individual's data means ensuring their privacy, which can be done by implementing regulations within the video surveillance sector to protect unconcerned individuals. With stricter rules globally, video surveillance technologies will be forced to adapt to find a balance between security and privacy.
Providing safety and protection to the public cannot be done without collecting personal, private data such as identity details, images, and videos. Video surveillance vendors need to move forward with product development with privacy and security as a priority in mind. This will achieve compliance and strengthen trust between vendors and clients and, in turn, between the clients and the individuals that these technologies are protecting. When security is assured, privacy is provided in turn.
Data Security is the Heart of Cybersecurity
Syed Ashfaq Ahmed, the Head of Encryption Business Unit at Spire Solutions, speaks about how data security and compliance needs have changed in the past year, the blurring line between data security and data privacy, and lots more
How have data security and compliance needs changed over the past year?
The last 12 to 18 months have seen a paradigm shift in technology adoption due to COVID, and many initiatives which would have taken years to adopt have been fast-tracked.
The region has seen work from home, digital transformation, IoT, cloud adoption, etc. take off in an unparalleled manner. All these changes make data one of the most valuable and strategic assets to the business; therefore, data protection has become a priority.
Though the complexity in cybersecurity has increased, the idea of securing the data at the core using encryption has not changed. The authentication, integrity, and access to data are directly governed by encryption.
Encryption is literally the last frontier of data security. In a scenario where all the other security measures are breached, if the encrypted data cannot be broken, the stolen data will not be of any use to the adversary. The health of the cryptographic primitives should be at the highest level to give an organization a core advantage in securing its data.
In my opinion, data security is the heart of cybersecurity, and most organizations now believe that they are inherently addressing data security when they adopt various cybersecurity measures. Data security & compliance to regulations are no longer choices but mandates that companies must adhere to so they can protect their most prized asset (data) from newer attack vectors.
What best-practice standards and frameworks can help companies achieve and maintain data security and compliance?
Data breaches can lead to stringent financial penalties and can have catastrophic effects on an organization, so building robust data security programs that are in line with industry standards and led by skilled personnel becomes non-negotiable.
Organizations can couple their internal experiences and industry best practices along with local laws and the most popular frameworks developed based on years of academic research, training, and education, such as:
• Payment Card Industry Data Security Standard (PCI DSS): Protects payment card data in electronic form during transmission and storage.
• Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information and personally identifiable information.
• NIST Cybersecurity Framework and NIST Privacy Framework: Provide standards, guidelines, and best practices to help organizations manage cybersecurity risks and data privacy risks.
• ISO/IEC 27701, Security Techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines; helps companies manage their privacy risks for personally identifiable information.
• eIDAS: This allows the EU to provide a legal framework for transnational digital transactions. It establishes a framework for electronic identification and trust services, including the topic of the electronic signature.
What according to you are the five tips that companies need to follow to comply with data security regulations?
Irrespective of the framework an organization adopts, the following five tips will help them on the journey to regulatory compliance:
• Identify/Discover Critical Data: On the data security journey, the first step is to identify or discover what data is present and where your data is present. Organizations should opt for solutions such as Atos Data Protect for discovering both structured data, like data in databases, and unstructured data, like data in file shares, SharePoint, etc. Atos Data Protect can help you discover data based on cardholder information (PCI DSS), health records (HIPAA), PII of EU residents (GDPR), or other data.
• Classify and Protect the Data: The second stage in data security is to classify and protect the data. Organizations must use solutions like Data Classification and DLP, which can help in classifying the data and protecting the data from leakage.
• Data and Identity Security: Adopt a data-centric security approach to ensure your most critical assets are protected. Monitor and detect suspicious behavior on sensitive data and ensure access rights to sensitive data are properly managed. Also, identity is the new perimeter in today's world, and organizations should adopt strong measures to protect identities and access, internal or external.
• Develop a clear plan: Organizations must develop a strategy while implementing data security solutions. Organizations should start with minimal scope, rather than going for exhaustive scope. Organizations must understand that developing these measures will be a "User Behavior/Culture Change". Adding more controls in the initial stages will increase user frustration and in turn decrease the productivity of the users.
• User Awareness: Organizations must ensure they educate and create awareness in the users. Organizational users must be trained to understand the importance of data security and the role they play in protecting the critical assets of the organization.
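The first two tips, discovering where regulated data lives and classifying it so the right protection can be applied, are the part of this list that is mechanical enough to show in code. The scanner below is an added example written for this page; it is not the interviewee's code and it is not Atos Data Protect or any other product named here. It walks a constructed in-memory "file share", looks for cardholder numbers (validated with the Luhn check to drop order numbers and other digit runs), e-mail addresses, and health-record keywords, and assigns each file a classification level and a protection action. The keyword list, the level names and the actions are assumptions chosen for the example.

```python
"""Sensitive-data discovery and classification over a file share (added example).

Not code from the interview or from Spire Solutions/Atos. The sample share,
the keyword list, the classification levels and the actions are constructed.
"""
import re
from collections import Counter

# Digit run of 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHI_KEYWORDS = ("diagnosis", "patient id", "prescription", "blood type")  # assumed markers

# Assumed mapping from finding category to classification level and protection action.
LEVEL_FOR = {"PCI-cardholder": "restricted", "PHI-keyword": "restricted", "PII-email": "confidential"}
ACTION_FOR = {"restricted": "encrypt-and-restrict-acl", "confidential": "dlp-monitor", "internal": "none"}
LEVEL_RANK = {"internal": 0, "confidential": 1, "restricted": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum digits, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits so reports never contain a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify_text(text: str) -> list:
    """Return (category, evidence) pairs found in one file's contents."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("PCI-cardholder", mask_pan(digits)))
    for m in EMAIL_RE.finditer(text):
        findings.append(("PII-email", m.group()))
    lowered = text.lower()
    for kw in PHI_KEYWORDS:
        if kw in lowered:
            findings.append(("PHI-keyword", kw))
    return findings


def classify_file(text: str) -> dict:
    """Assign the highest level implied by any finding, plus the matching action."""
    findings = classify_text(text)
    level = "internal"
    for category, _ in findings:
        candidate = LEVEL_FOR[category]
        if LEVEL_RANK[candidate] > LEVEL_RANK[level]:
            level = candidate
    return {"level": level, "action": ACTION_FOR[level], "findings": findings}


def scan_share(share: dict) -> dict:
    """Classify every path in a {path: contents} mapping."""
    return {path: classify_file(text) for path, text in share.items()}


def level_summary(results: dict) -> Counter:
    return Counter(r["level"] for r in results.values())


# Constructed sample share: a valid test PAN, an invalid one, contacts, clinic notes and a build log
# whose 16-digit order number fails the Luhn check and must not be reported.
SAMPLE_SHARE = {
    "finance/refunds-q3.csv": "order,card,amount\n1001,4111 1111 1111 1111,49.90\n1002,4111 1111 1111 1112,12.00\n",
    "hr/contacts.txt": "alice@example.com\nbob@example.com\n",
    "clinic/notes.txt": "Patient ID 77 - diagnosis: seasonal allergy\n",
    "eng/build.log": "build 20211001 ok, order 1234 5678 9012 3456 ignored\n",
}

if __name__ == "__main__":
    results = scan_share(SAMPLE_SHARE)
    for path, r in results.items():
        print(f"{path}: {r['level']} -> {r['action']} {r['findings']}")
    print(dict(level_summary(results)))
```

Two design points matter in practice: the report masks card numbers so the discovery output does not itself become a PCI-scoped file, and the Luhn check removes most digit-run false positives, which is what keeps the "start with minimal scope" advice in the fourth tip workable when the scanner is first rolled out.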
How does your company help its clients with securing their data and staying compliant?
Spire Solutions has a team of data security professionals focused on data protection solutions that address compliance regulations of countries in the Middle East and Africa.
We are partnered with ATOS, a global cybersecurity leader, to provide end-to-end protection of data at rest, in motion, or in use; and emerging quantum leader QNu Labs to bring quantum-safe security to the region with Quantum Key Generation & Distribution.
Our consultants are adept in the regional data protection laws and agile enough to adapt to newer regulations to help our customers on their data security journey.