Data is growing exponentially, and in the run-up to the pandemic, businesses were already relying more on sensitive data to support their digital transformation initiatives, with personal data fuelling everything from customer experience programs to detailed analytics that optimize business operations.
As the pandemic unfolded, countries across the globe took measures to restrict its spread, and remote work became the norm for all but essential services. The shift to remote work accelerated this digital transformation and created new attack vectors and data security concerns. There was a vast increase in data flow to ‘untrusted environments,’ such as home offices that weren’t historically set up with the same security assurances as traditional office environments.
Homeworkers became a more popular target almost overnight. Traditional phishing attempts, ransomware threats, and email and social media scams accelerated. While sophisticated technology companies and highly regulated industries, including financial services, insurance and healthcare, are typically more prepared, organizations that delayed their digital transformation suddenly found themselves blindsided. They had to manage a sudden, drastic transition to digital-first operations while contending with security threats. It’s no wonder we saw stories about ransomware and cybersecurity breaches almost daily in the first year of the pandemic.
Cyber scams that target end-users are at an all-time high, which should come as no surprise. The weakest point in any system is human inexperience and error. The average employee operating on untrusted networks and unsecured devices represents the path of least resistance for scammers, from which they can gain access to sensitive data within corporate networks and operationalize ransomware attacks that compromise valuable business data.
Less adept organizations are still grappling with managing and sharing sensitive data with end-users safely. Often, workers lack basic cybersecurity and data governance literacy and, unfortunately, are simply negligent when handling data outside of a traditional enterprise network. The issue must be tackled from all sides to enable a robust defense.
First, consider the unintentional weakest link: people. What training programs are in place across the business to inform and educate employees on data privacy best practices? Implement processes that help build a solid defensive data culture, one that alerts teams to potential scams regardless of work location and helps them handle data responsibly.
The technology is a little easier to navigate than the cultural shift, as data governance solutions have been adapting from on-premises to cloud and to distributed environments for some time. So it’s not a huge leap to extend this visibility when adopting new cloud-hosted business models. It’s not necessary to completely lock down data to protect it from any and all exposure; modern data privacy governance applies metadata intelligence and automated controls to help ensure that personal and sensitive data is used appropriately. Insight into risk exposure, together with consistency with consumer rights, helps organizations derive more intelligence from their data responsibly. That intelligence fuels innovation: organizations can develop and improve products and services safely, creating more stickiness and loyalty, while consumers receive a customized user experience within the scope of their privacy rights, enabled by trust.
To round off the defense by ensuring new standards of due care that reflect today’s consumer demands, we’re seeing regulators in the UK step up to propose new laws that seek to address security weaknesses and gaps, primarily via the Product Security & Telecommunications Infrastructure Bill. This legislation would establish baseline security in connected devices, even going so far as to ban universal default passwords.
Newer cybersecurity proposals, such as the National Cyber Security Centre’s Cyber Assessment Framework (CAF), are another important way to help shore up gaps in the current cybersecurity landscape. The first step to understanding new threats is assessment, and the CAF is a tool to systematically evaluate cyber-threat mitigation readiness and resiliency. In its efforts to raise the bar on security through meaningful legislation, the UK is arguably in a leading position to help protect its economy from the impact of cyber-attacks.
Data security and personal data privacy proponents live by a common truth: security risk management is a journey rather than a destination. We don’t know if risk can ever be fully eliminated. Still, we can take measures to reduce our exposure to attacks and avoid being exploited to the extent possible, or at the very least lessen their impact and demonstrate responsible data stewardship.