A data protection strategy is a fundamental means for many companies to support the customer relationship and avoid large fines. Done well, it can even be a competitive advantage. How do you implement and maintain the right data protection strategy? We spoke to Tapan Kumar, Pre-Sales Engineer Data Security at CyberRes, a business unit of Micro Focus.
In recent years, data protection has been prioritized more and more in companies. While for some years it was still seen as something to be invested in, now the urgency is much higher. If you’re not protecting data in every part of your organization, there’s a good chance you’ll become one of the familiar examples of cybercrime victims.
In addition, data protection laws have become stricter. In Europe we are dealing with GDPR. Multinational companies must also comply with local laws. A user from the Netherlands should be treated differently than a user from the United States. Large companies therefore face a great deal of confusion over the legislation they must follow.
The increased interest of organizations in data protection has not gone unnoticed by CyberRes. CyberRes is a business unit of Micro Focus and in recent years has invested heavily in building its Voltage platform for data protection. The aim is to address privacy as completely as possible, from discovery to gaining insight and protecting sensitive data. Your company gains insight into what data it actually has, what risks there are and how to protect the data.
Know what data you have
According to Kumar, things often go wrong at the first stage of discovery. He regularly comes across companies that don’t know exactly what data they have. However, it is crucial to know what data your organization has, because you can only move on to protection once you know what you have.
Kumar often sees companies sending out questionnaires to corporate departments in the first phase of a privacy project. In these they ask what type of data the department has and whether the database is usable. The answers give a rough idea of what is happening in the organization. “When I talk to clients who are for protection, they worry about encrypting all personally identifiable information. But when they ask the company if they have any PII data, they always say they don’t. Then they use a discovery tool and find that 90 percent of the data is PII data,” Kumar said.
He sees that most employees make an incorrect assessment of the data in the company. Yet there are enough tools on the market to analyze a data landscape and discover what is really present.
Confronting companies with the facts
To give organizations a better picture of where they stand with their privacy strategy, CyberRes offers the ability to get a kind of risk score. It takes into account things that not everyone in an organization immediately thinks about, such as data flows or how critical the data is. “Not only do we look at it from a strict privacy perspective, but we also take a data security look at it. So what if SharePoint or a particular user is compromised? What is the financial impact if the business ever experiences a data breach? We include topics like fines, damage to reputation and loss of revenue,” explains Kumar. The result is an estimate in the millions, expressed with a percentage for how likely that level of damage is. That way, companies are confronted with the facts.
CyberRes maps the risks a company runs and the associated value with the financial risk calculator, based on data from the research institute Ponemon Institute. The calculation is made on the basis of information from the company. This concerns, for example, data flows in the company, the degree to which data is critical, and whether it concerns employee or customer data. All information is entered into an algorithm made by a third party that has investigated many data breaches in recent years. This ensures that the risks are not viewed through a CyberRes lens, but that an independent judgment follows.
Start, refresh and maintain strategy
If a company embraces a modern data protection strategy, a hybrid solution is part of it. This is due to the fact that organizations increasingly rely on hybrid environments. As a result, data is also spread across different cloud applications and cloud environments. This makes it useful to know where the data is in complex environments. CyberRes responds to this with a service-based cloud solution with which a company can very quickly start data discovery.
The discovery tool takes into account as many different types of data as possible. Text data is the obvious case, but the tool can also handle media files, for which it uses optical character recognition. There is also an option to scan for ROT data, which stands for redundant, obsolete and trivial. This kind of data may add little to nothing, but it still exists somewhere in the infrastructure and may contain information that is still sensitive. Ultimately, Voltage was built in such a way that it can handle more than 1,000 data formats. This is necessary to handle the ways applications and databases write data.
In addition to arranging and maintaining the discovery part, a privacy strategy involves setting up the protection part. Protecting data means preventing hacking attempts as much as possible. At the same time, there is no guarantee that attacks will be kept out completely. In the unlikely event that a hack does occur, the hackers should not be able to do anything with the information.
To make this possible, there is technology that prevents data from being linked to identity. Encryption and tokenization are suitable for this. Data is thus encrypted and the original information is linked to unique symbols. It is still possible for an employee or a business relation of the organization to read the data, but for the malicious party, the sensitive data is useless and cannot be seen.
In addition, creating and adhering to policies is important to privacy. Think of a rule that prescribes using only secure services to share information, but also of rules on which person has access to the data, what he or she can do with the data and what the associated risks are. Once you have created such measures and rules, you can also associate them with related services and frameworks. Consider integrating your data protection products with the identity and access management technology NetIQ.
With data protection, it is therefore assumed that a malicious person can enter the company’s network. When that happens, however, the cybercriminal can do very little with the sensitive information due to encryption, tokenization, and policy enforcement. It makes attacks much less attractive. Naturally, we have also taken a closer look at how CyberRes wants to achieve this globally. The image below gives an idea.
Data, identity and access
This image may look a little complex to those unfamiliar with the Voltage product. However, many things can be linked to detection, protection and analytics (to gain insight into what you have, the associated risks and what to respond to), Kumar assures us. Separate products may be needed for the above, but the goal is to solve as many privacy issues as possible from one platform. Especially when you consider that many things can ultimately be traced back to data, identity and access.
For example, SecureData, SecureMail and SmartCipher are services within the portfolio that focus heavily on encrypting the data. SecureData can protect sensitive PII or Payment Card Industry (PCI) data. SecureMail tackles, as the name suggests, securing information in the mail. SmartCipher, in turn, encrypts the policies associated with files to provide protection everywhere. The Structured Data Manager and File Analysis Suite, for their part, do more to find and classify data, which fits the discovery part.
Safety gain and competitive advantage
Given the many regulations and the customer’s requirement to be able to provide data in confidence, privacy is in any case a necessary step. Yet not every organization is aware of the data it holds. If that is not clear, the correct policies and encryption steps cannot be applied. In the event of a breach, this means that the company can grind to a halt, suffer significant reputational damage and expect a hefty fine under GDPR.
That fact alone should be an incentive to take a closer look at your privacy strategy. Yet privacy today is more than just a security concern. A good strategy also means that employees can work together with trust, which is essential in light of the increased use of digital tools. In addition, data is constantly protected even when moving between cloud environments. That saves time, given the desire to move more and more workloads to the cloud.
We can therefore conclude that a proper data security strategy can guarantee the confidentiality of data anywhere in the organization. It doesn’t matter how old the information is. Data security enables a company to focus on its core activities, for example retail or banking. Worries about loss of reputation and money are allayed.