Cybersecurity, ransomware and data breaches have captured international headlines and heightened consumer awareness around their personal data. On top of that, with legislation such as the GDPR carrying potential penalties of up to 4% of global annual revenue for non-compliance — Amazon's $886 million EU data fine being a recent example — board rooms are alarmed, too. Significant breaches may be career ending for company executives. As the level of attention to this area rises, so too do the potential reputational as well as financial damages to these organizations.
So how can organizations prioritize their data protection and information security program in the context of rapidly evaporating perimeters, data accessible from anywhere, and the misguided conception that “more is always better” when it comes to data?
Push for Transparency With Your Cloud Provider
First, it is critical to consider your cloud provider’s transparency when it comes to security and data protection. A part of compliance is understanding your provider's back up and data recovery procedures. If your company is subject to data sovereignty requirements, for example, you not only have to ensure the data is kept in country, but also that back-ups for that data remain in country as well.
The same reasoning applies for defensible data destruction and records management requirements. Make sure you know where all the copies of your data reside. This is a challenge for most companies on their own systems, so setting clear expectations with your cloud providers is key.
Related Article: Why Cloud Should Be Your Default Setting
Understand the Roll-Out Plan for Cloud Updates
Do you know how your cloud provider will roll-out new enhancements to your service? One of the advantages of cloud computing is service providers like Microsoft, Amazon and others can continually innovate their offerings. While this is a great advantage from a technology perspective, it may create privacy and data security implications.
One simple way to address this is to ask the provider to first introduce any updates in a test or non-production instance of your tenant, so your security and data privacy teams can fully assess any risk. Only then will they introduce the new features to production data and systems. At the very least, you should request time to review any new features with the company’s privacy, security and compliance teams before moving forward.
Align on What You Are Protecting, Where and How
Finally, you should be able to answer five critical questions as you establish the data protection and information security program.
- What kinds of data are you trying to protect and from whom are you trying to protect it?
- What are the systems you use within your organization as well as with partners, vendors and customers?
- Which of these systems will be holding protected data?
- How will you prevent sensitive data from being stored in the wrong place?
- How will data be stored in — and flow through — these systems?
Many companies today can’t answer those questions. Understanding what the data is, where it resides, and properly classifying it will allow you to set the appropriate levels of protection in place. For example, many companies apply the same security protocols and procedures for all data. But do you really need to put the same security protocols around protecting pictures from your company picnic as towards protecting your customers’ credit card information?
Start by understanding how employees use any IT systems — such as Microsoft 365, Google Workspace, Slack, etc. — that hold information potentially at risk. Understanding that will give you a better grasp of vulnerabilities, so you can start to set goals. While the heightened awareness around ransomware and hackers may make it tempting to quickly set compliance requirements and standards, don't rush. Devise your regulations after establishing where the threats and vulnerabilities are. Ultimately, it is impossible to protect an organization from all threats, but by following the steps outlined above you can begin to minimize risk.