SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Why a data protection mindset needs to be in your cyber agenda
Mon, 3rd Dec 2018

Businesses often tend to collect data for data's sake.

That data then sits in storage with no business unit using or needing it.

When data is the catalyst behind how businesses operate in today's digital economy, simple data capture is not enough.

In order to succeed, businesses need to rethink how they analyse and interact with it. Businesses are also scrambling to understand their data, how to protect it and when to leverage it effectively as new regulations come into play, such as the General Data Protection Regulation and Personal Data Protection Breaches schemes.

The shift in the role of data in businesses is taking shape in Singapore.

The Singapore government provided a clear direction in this year's budget for businesses to find ways to unlock more value in data not only in quantity but also quality.

For example, the Open Innovation Programme, managed by the Info-communications Media Development Authority, virtually matches enterprises of all sizes to infocommunications and technology firms with the aim of accelerating digital transformation.

Data, now recognised as the core to the success of new initiatives, must be protected. An integrated approach to data protection needs to be tailored to each business and span all facets of people, processes and technology to keep data safe.

Despite this, data protection fails to garner the attention it needs, even though it needs to move to the very top of cybersecurity agendas.

Businesses' access to and reliance on data also means that the risks are higher than they've ever been.

Businesses are well aware that they have to be prepared for data loss scenarios and develop recovery plans.

However, prevention and recovery do not equate to protection.

What is absent for many businesses is a holistic approach to data protection.

Businesses must have a clear understanding of what data protection is and close the gaps in their protection strategies.

Yes, data protection means ensuring data is safe and secure, but it also means ensuring that the same data is always available and always online.

Organisations struggle with three key issues when it comes to data protection:

  1. Cyber-crime is going nuclear. Threats are becoming more complex, more organised and more effective. During Singapore's most serious breach of personal data, 1.5 million SingHealth patients were affected, with their records being accessed and copied. Despite a national drive to tighten cybersecurity, including temporary internet-surfing separation, further attempts to illegally access HealthHub accounts were uncovered. Organisations are struggling to balance the level of controls against accessibility to information. This may have an adverse impact on the overall cost of doing business.
  2. Data is rarely found in one place. Businesses have multiple places to store data, as do individuals, making it a challenge to protect. With many businesses, and even the Government, seeking to modernise their infrastructure and leverage the cloud, this is only going to get worse. There are more instances of businesses not knowing exactly where all their data is. Not to mention that keeping data beyond its intended lifespan may also pose a potential risk for the business.
  3. Data volumes are growing exponentially. The amount of data produced doubles every two years, with a 50-fold growth from 2010 to 2020. A stopgap measure is to only protect live, primary data; however, more businesses than ever are gleaning insights from data in secondary storage. In fact, businesses keep 70% of their data in secondary storage – data that clearly has a business use. Not only is there more data overall as it keeps doubling, but the data in secondary storage also contains more business-critical data that must be protected. Instead, businesses are struggling to understand how much they rely on this data and where it lives.

Fortunately, there are practical steps organisations can take to overcome these challenges.

First and foremost, if data protection is not part of a business' cybersecurity strategy, it should be.

Data protection is as much related to cybersecurity as it is to storage.

In addition, data risk and loss can come from various sources: internal, external, malware, system failure, human error, fire or flood.

Businesses need to have a management and recovery plan for each of these scenarios.

That said, it's impossible to protect what we can't see.

Data no longer lives only within an organisation – it also exists in the cloud, in running applications and with other third parties.

Unfortunately, many businesses assume these third-party vendors are responsible for the data they are entrusted with.

Some mistakenly believe that migrating data to the cloud will automatically provide advanced security.

This is not the case.

Businesses are responsible for their data and information, irrespective of where it lives.

It is important for businesses to understand the concept of shared responsibility and the role they play in the ecosystem.

Despite this, when it comes to making key decisions, two-thirds of businesses have access to less than 50% of their data.

Commvault estimates that when it comes to insights, only 30% of data is active, with the bulk in secondary storage.

Businesses are missing out on the opportunity to put data to work and glean better insights. This demonstrates the importance of knowing where data is stored in order to drive value across the business.

The final, critical piece of the data protection puzzle is ensuring that a business has access to its data, all the time.

Businesses today are extremely susceptible to data loss and breaches.

Considering the critical role data plays in all businesses, protecting it should be at the top of the cyber agenda.