How to stay safe on Data Protection Day

Data Protection Day serves as a reminder of one of the most important responsibilities for any organisation: keeping sensitive data secure, says Anurag Kahol, Bitglass’ CTO and co-founder.

He says that Data Privacy Day (Data Protection Day in Europe), January 29 in Australia/New Zealand, brings a timely notice on how urgent it is for organisations to guard their information.

Kahol says: “Consumers are constantly discovering the information that is collected about them, how that data is used, and how daily breaches put that information at risk. Consequently, to maintain consumer trust (and remain compliant with regulations), it is imperative that companies make security a top priority.

This past year marked a pivotal change in how companies conduct business, with most being forced to shift rapidly to a remote work style of operations due to the global COVID-19 pandemic. Now that we have begun to see distribution of the vaccine, some may think it’s only a matter of time before ‘normal’ in-office work resumes.

However, that is not likely to be the case. Instead, we are going to see a permanent blend of remote and in-office work, as well as mobile employees whose workspaces are constantly changing. Organisations must be prepared to continue to operate in this manner while ensuring that data is secure no matter where or how it is accessed.

Unfortunately, many organisations lack the ability to achieve the above, and are relying on outdated tools that are designed for predominately on-premises operations and lack the granularity needed today.

To address these challenges, a few steps must be taken. First, organisations must have an accurate inventory of data. This step is critical for adhering to data privacy regulations including GDPR and CCPA, because if companies don’t know the information they have or where it is going, then they cannot properly protect it.

What’s needed is a set of comprehensive activity logs that track all file, user, app, and web activity to reveal everything that is happening with consumers’ data.

Next, companies need to protect access to consumer information as well as the various systems that store it. This can become more challenging for improperly equipped organisations that adopt cloud technologies and other remote work capabilities, as consumer data can then potentially be accessed across numerous applications and on various devices.

To address this problem, organisations can require that employees attempting to access consumer data are authenticated via single sign-on (SSO) as well as multi-factor authentication (MFA). This will aid in ensuring that only legitimate, authorised users can handle consumer information.

Finally, organisations need to have a thorough understanding of data jurisdictions and any security challenges they may present after migrating to the cloud.

With respect to certain data privacy regulations like CCPA, data may be stored or transferred only where the state has jurisdiction or an agreement is in place. Similarly, under GDPR all personally identifiable information must be secured with policies and processes in place which allow for audit and compliance.

To ensure compliance, organisations should look for security solutions that allow them to encrypt cloud data (wherever it resides) while maintaining local control of encryption keys.

Additionally, solutions that dynamically allow or deny access based on contextual factors like a user’s location, device type, or job function are highly helpful, along with data loss prevention (DLP) capabilities. For ease of management and cost-effective, consistent security, organisations should look for a single security platform that integrates all these capabilities into one offering.”