Will 2016 be the year that businesses finally stop being their own worst enemies when it comes to data security? In 2015, incident after incident demonstrated that management and IT staff are largely oblivious to bad employee practices, such as the use of unsanctioned, consumer-grade file sharing apps. And, if they are aware of the behaviors, they’re often unaware of the associated risks. A Ponemon Institute report found that more than 60 percent of C-level executives – including IT leaders – confessed to accidentally forwarding documents to people not authorized to see them and the same number acknowledged failing to delete confidential documents as required by company policies. These practices need to change in 2016 if we’re ever going to make progress on data protection. The stakes will be too high, especially as we face a growing global trend of sweeping data privacy reform.
So, what can security pros do differently in the New Year to reverse this trend of risky user behavior that leaves an organization exposed?
Here are five achievable resolutions all organizations should make in 2016 to protect confidential information:
- Resolution 1: Understand your organization’s data privacy obligations. The final text of the European Union’s General Data Protection Regulation (‘GDPR’) was agreed the week of 14 December 2015 and will be formally adopted by the European Parliament and Council in early 2016. It will then have a two-year implementation phase. Heralded as the “most extensive data protection laws in the world,” these regulations require any business that collects, stores, processes, shares or disposes of personal data belonging to citizens of the EU to adhere to new practices or face steep fines – up to 4% of the organization’s annual revenue. Ouch! The US/EU Safe Harbor pact is likely to be just as strict as GDPR, and, rumor has it, is supposed to be agreed by January 31, 2016. These regulatory changes call into question current data sharing, transfer and storage models for all businesses that deal with the personal data of EU employees, and also make an organization solely responsible for how its customers, partners and stakeholders handle this personal data. Now is the time to understand your business’s obligations in terms of protecting the personal data of EU citizens.
- Resolution 2: Join professional bodies like ISSA, CSA, and others. There’s power in numbers. Joining one of the several associations on the front lines of these issues can help you and your organization stay on top of changing technologies, standards, regulations and practices, so becoming a member of the Information Systems Security Association (ISSA), the Cloud Security Alliance (CSA) or a similar body would be a smart move in 2016. CSA, for example, helps its members identify and support best practices for securing cloud computing tools. ISSA provides educational tools and forums for cybersecurity practitioners to help them develop skills, understand emerging threats and advance their careers. Compared to trying to understand data privacy regulations on your own, joining and being active in an association is an easy way to stay informed of industry developments and trends.
- Resolution 3: Keep employees up-to-date with attack vectors and new threats. Cybersecurity intrusion methodologies like phishing schemes and password theft are tried-and-true ways hackers penetrate enterprise networks, and they aren’t going away anytime soon. With the decentralization of network architecture and the migration to cloud and mobile-based collaboration, the areas vulnerable to attack have expanded and attack vectors are growing in sophistication every year. In 2016, make a promise to educate staff on the most commonly used attacks, as well as emerging ones. Most importantly, once you’ve started an educational initiative with your team, share this information throughout your company and across departments and leadership tiers, including the C-suite.
- Resolution 4: Look for tools that meet the recommended standards for sharing highly-regulated information. A recent survey conducted by Ovum revealed that global IT decision-makers have little control over data leaked outside of the company. This lack of control puts companies at tremendous risk of violating the new privacy laws. Many leaders aren’t taking advantage of available technologies that can help them protect sensitive data and comply with new regulations. In fact, according to the Ovum survey, only 44% of survey respondents said that they currently monitor user activities and provide alerts to users of data policy violations, and only 53% protect sensitive information by using access control technologies. Almost half (47%) of those surveyed indicated that their organizations have no policies or controls limiting employee access to consumer-grade cloud storage and file-sharing systems. In 2016, businesses can and should resolve to evaluate and invest in technology tools such as Information Rights Management (IRM) and identity-based permissions that place restrictions around which internal stakeholders can access, edit, view, share and dispose of information.
- Resolution 5: Name or hire a chief data privacy officer. Most companies today have a CSO and/or a CISO as part of their leadership team. But, given the changing nature of regulations, 2016 is the year to consider naming or adding a chief privacy officer (CPO) to the leadership team. As multinational companies face wildly varying legislation that will dictate how they store and share data, a CPO will be one of the most worthwhile new recruits your business can make in the New Year. A CPO’s job description involves overseeing data governance within the company and serving as a subject matter expert on all things related to data privacy. As a recent California case shows, there’s even a possibility that adding a CPO will become a requirement for private sector companies. In a 2015 court case against Silicon Valley startup Houzz, California’s Attorney General required the company to hire a CPO as part of a settlement resolving breach-of-privacy allegations. This was the first time the California Attorney General’s office had imposed such a provision, but I suspect it won’t be the last.
No IT security expert has a crystal ball at his or her disposal. We can’t know everything, of course, but we can prepare for the changes and trends that we know are coming our way. A proper understanding of bad user behavior, regulatory changes, and other IT security considerations in a rapidly evolving threat environment will give you a competitive edge in 2016. Failing to look ahead and make the necessary changes to your current IT security approach can mean a reduced ability to prevent or respond effectively to a breach – resulting in a damaged reputation and a diminished bottom line. These resolutions won’t protect you against every threat, but they most certainly put you in a better position for whatever comes your way in the New Year.