Ramon Ito highlights that many companies keep making the same security mistakes, and that correcting them is fundamental to protecting sensitive data.
As IT environments become increasingly complex and decentralized, security concerns grow with them. The problem is that, because of this complexity, many perfectly avoidable security problems are starting to be accepted as normal business practice. It doesn't have to be that way.
A 2021 IBM survey found that the average cost of a data breach rose from $3.86 million to $4.24 million, the highest average total cost in the report's 17-year history.
The fact is that many companies have been making the same security mistakes, and correcting them is critical to ensuring data security. One is assuming that passing audits and obtaining compliance certifications is enough to keep data secure. It is not. Compliance and information security are not equivalent, and many of the data breaches recorded so far have occurred in organizations that complied with some regulation or had passed an audit.
An exclusive focus on compliance reduces the effectiveness of security on fronts such as:
Incomplete coverage - companies often correct misconfigurations or outdated policies only in the run-up to an annual audit, when vulnerability and risk assessments should be ongoing activities.
Minimal effort - many companies adopt data security solutions only to meet legal requirements or the requirements of a business partner. This “let's implement a minimum standard and get back to business” mentality almost always runs counter to good security practice.
Declining urgency - many companies become complacent about managing controls as regulations such as the Sarbanes-Oxley Act (SOx), the General Data Protection Regulation (GDPR) and the General Personal Data Protection Act (LGPD) mature. Over time, leaders may pay less attention to the privacy, security and protection of regulated data, but the risks remain.
Omission of unregulated data - assets such as intellectual property can put the organization at risk if they are lost or shared with unauthorized personnel. Focusing only on compliance can lead security organizations to neglect important data and protect it insufficiently.
To avoid falling into this particular trap, organizations need to establish strategic programs that protect their data consistently, rather than merely reacting to compliance requirements. These programs should include practices such as:
• Discover and classify sensitive data in on-premises data repositories and in the cloud;
• Assess risk with contextual information and analysis;
• Protect sensitive data through encryption and flexible access policies;
• Monitor data access and usage patterns to detect suspicious activity quickly;
• Respond to threats in real time;
• Simplify compliance and reporting.
Another very common mistake is failing to define who is responsible for the organization's data. The NewVantage report, Big Data and AI Executive Survey 2019, found that 67.9% of companies have a chief data officer (CDO), but in most of them the role is not well defined.
For an organization, data is among its most valuable assets. But without a specific person in charge, protecting sensitive data properly becomes a challenge. A data director (CDO - Chief Data Officer) or data protection director (DPO - Data Protection Officer) is the natural fit for this function, and when choosing the responsible person it is worth considering objectives and responsibilities such as:
Technical knowledge and business acumen - assess risk and build a practical case for adequate security investment that non-technical business leaders can understand.
Strategic implementation - direct a technical-level plan that applies detection, response and data security controls to deliver protection.
Leadership in compliance - understand the compliance requirements and learn how to map them to data security controls so the business stays compliant.
Monitoring and evaluation - monitor the threat environment and measure the effectiveness of the data security program.
Flexibility and scaling - know when and how to adjust the data security strategy, and how to extend data access and usage policies to new environments by integrating more advanced tools.
Division of labor - set expectations with cloud service providers about service level agreements (SLAs) and the responsibilities associated with data security risk and remediation.
Data breach response plan - be prepared to play an important role in developing a strategic breach mitigation and response plan.
A data director, or data protection director, must ultimately lead the collaboration on data security across teams and across the company, because everyone needs to work together to protect corporate data effectively. This collaboration helps oversee the programs and protections the organization needs to safeguard sensitive data.
Thinking only of compliance and not having a professional dedicated to data protection are just two of the most common mistakes companies make. Correcting them is not complicated and can prevent significant losses.
Ramon Ito is a Partner at [SAFEWAY] | Privacy | GRC | Cyber Security | LGPD | DPO