‘Access Denied’: what constitutes ‘adequate’ data protection and how to achieve it

The growing inter-connectedness between businesses worldwide has ushered in an era of advantages to customers as well as economies, but for the businesses themselves, the growing threat of security breaches leading to loss of data ranks as their top nightmare. Technological advances have also brought about advances in cybersecurity, yet, businesses are constantly under attack, and the sophistication of the attacks continue to increase. For cybersecurity companies, the challenge is to stay ahead of the curve and ensure that their clients are not exposed to the various cyber threats. So how can a cybersecurity company help clients understand and respond to such threats?

Know your data thoroughly

As a starting point, it would be helpful for companies to understand their organizational data from its origination to deletion. Whilst on the one hand companies operate in divisional silos of functions such as sales, finance, HR, manufacturing, and data, on the other hand, these tend to move laterally alongside the business processes. There is added complexity when one understands that security technologies work to secure data in silos at each stage from origination to deletion and that the data is secured by different tech stacks. It is therefore essential for organizations to undertake a structured data flow analysis (DFA) activity, wherein the first step would be to define the critical business processes.

For each such process, the company must analyse the key data parameters – what is the data, who creates it, where is it stored, how does it move, and who has access to it.

According to the 2018 Insider Threat report, a major percentage of insider attacks occur from access to critical data and an increased number of devices which contain critical data. Access to the data can be in the form of creating, sending, receiving, modifying, as well as deleting. Layering a security strategy based on DFA helps the organisation secure critical data as it traverses through networks. DFA can also help the client understand how to classify their own data, create access controls, call for regular security audits, etc., to contribute towards their own protection.

Identify critical data points

This leads us to our next point – identification of critical data. While many companies choose to work with cybersecurity experts to create data security strategies, only the company knows what data is critical and cannot be lost under any circumstance. For example, drug formulation data for a pharma company or customers’ financial information for a bank would count as critical data. Once these critical processes and data elements are identified, implementation of mechanisms such as classification, rights management, access policies, audits, and monitoring systems will help companies gain a more comprehensive understanding of their overall data security posture.

Companies also need to understand the legal framework that they are covered under in the context of their data privacy policy. There is an increased amount of regulatory requirement that clients need to appreciate and incorporate into their data security posture. In India, an organization has to ensure that implication of the IT Act, the upcoming data privacy act, and industry regulators such as RBI, SEBI, and IRDA from a data security perspective are all well understood and incorporated into the security policies.

Companies also need to ensure that their personnel are trained consistently in understanding the need for and the processes of various compliance measures. A lack of regular training and awareness among the client’s personnel may result in protection measures being a mere check-the-box attitude. As mentioned above, a lack of awareness regarding compliance measures could lead to a careless attitude among personnel when handling customer or vendor data. Bad or weak security practices by personnel may result in data leaks. An integrated approach to security must aim to transform the perception of security in the client’s business and organisational culture.

Keep partners and vendors in the loop

It is also critical to sensitise sub-contractors and vendors, as they may be subject to the same compliance measures which apply to the client. An awareness training of what sub-contractors, vendors, intermediaries, etc. mean will help increase security practices among personnel as each of these terms has different terms and conditions among compliance measures.

In the unfortunate event of a data breach, it is important that the client has measures to secure gateways and restore critical delivery services. These come under measures known as Business Continuity Planning (BCP) and often a Cyber Incident Response Plan, whereby the client can determine the internal and external extent of the breach, inform compliance authorities, develop a public information plan, and fall back on legal measures to counter the breach.

In summary, enterprise data security needs to be a business-led initiative with a focused understanding of what constitutes critical data and flow of data, and potential risks at every stage through the organization. It is also important to understand the legal angle thanks to increased regulatory activism that is pushing for better privacy norms.

(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)