Data is by far one of the most important assets an organization may have. Naturally, it is vital to ensure it is adequately protected, managed, and used at all times. However, that can often be easier said than done owing to just the ever-evolving nature of the threats to data as well as any potential lapses in the organization’s own internal security measures.
Hence, the maximum utilization of resources that can be leveraged to protect such a vital resource is a business necessity. This interview with Paul Lewis hopes to do just that, giving the readers vital information and insights into best practices, key considerations, and mechanisms that can be used to ensure data is well protected at all times.
Q1. In an ever-evolving digital landscape, what measures should organizations take to protect user data, ensure their privacy, and keep up with evolving privacy laws and regulations?
As digital transformation seeks to change the behavior of an organization to offer products and services to clients the way they WANT to receive them, companies need to move far away from the concept of exclusively adding MORE engagement, replacing it with BETTER engagement.
Implementing highly immersive and highly personalized customer journeys requires investment in IT programs and building new applications to BOTH:
- understand who/what/where/why of existing and desired customer segments,
- provide them with timely opportunities to engage with your offerings.
Understanding and engagement require data. Data on your existing customers, data on customers unknown to you. What they buy, how they buy, who they buy it for, where they are when they buy it. All sensitive, private information. All need appropriate protection.
A few targeted measures:
- A thorough and recurring learning series for all employees on the importance of protecting customer privacy information, updates on international and local privacy legislation and regulation, and reminders of implemented corporate best practices and policy;
- Appropriate technology controls in place to:
- ensure only necessary and limited personnel have access to consequential customer information,
- Information is tracked from its source during the course of its use for business purposes,
- Limitations on what data can be shared externally, including data room controls, and
- Policies including only using data for its intended purposes.
Q2. In your opinion, what are the best practices organizations should take to minimize the risk of data breaches and unauthorized access?
While there is no real way to completely prevent a data breach or unauthorized access (apart from halting business entirely), there are several best practices that organizations can implement to minimize the risk:
- Regularly update and patch software: Poor currency in infrastructure, middleware and applications are the highest risk of potential exposure. Continuously ensure software and operating systems are up to date with the latest security patches and updates
- Limit access: Limit access to sensitive data to only those employees who need it to perform their job duties. This can be done through access controls, such as role-based access control, row/column access control, semantic layering and data zoning for analytical purposes
- Data encryption: Use encryption to protect sensitive data both in transit and at rest.
- Regular backup/recovery and testing: Make regular backups of all data to ensure that data can be restored in case of a data breach or system failure. Test frequently and not just in case of business failure or natural disaster
- Monitoring and detection: Implement monitoring and detection tools (internally and externally) to identify potential threats and respond in real time.
Q3. How important is it that employees are aware of and trained in best privacy practices?
It is FUNDAMENTAL that employees are trained in privacy best practices, especially since the pandemic, where a significant percentage of the workforce is remote. In a massive set of uncontrolled environments, physical and virtual environments, the potential for misuse or mistakes is exponential.
Employees are the first and last defense to protecting clients' private data and need to have recurring education on policy, the procedure of breach, do’s and don’ts, regulatory and legislative boundaries and expectations, and the potential impact of problems.
Fortunately, employees are keenly aware of the importance of their own personal data and appreciate the benefit of keeping that information secure for themselves and their families. They jump at the chance to learn more and adhere to the policy and procedures.
Q4. How frequently should organizations conduct privacy impact assessments for new products or features?
Privacy impact assessments should be BOTH an ongoing exercise AND implemented as a core foundation of application development. Secure coding guidelines and privacy impact guidelines should be part of development frameworks, unit and integration tested through sprints, and regularly audited throughout the process and in production.
Conclusion
The tech industry is rapidly undergoing one of the most transformative periods in recent memory. Leaps in technology, traditional roles being redefined, and a combination of regulation and globalization has meant that organizations have had to adopt a radically proactive approach to tackle these challenges.
The aforementioned interview represents one important step towards adopting a radically proactive approach by leveraging the insights provided by an industry expert. Used properly, organizations can not only avoid any direct threats to their data assets but also take necessary remedial measures to improve their own internal security infrastructure and practices.
DISCLAIMER: This interview represents the opinions of Paul Lewis. The content here is for information purposes only. Securiti is hosting this blog post but did not edit the content of this review.
