Building a data protection framework

Why it's important to approach data protection holistically and within the context of the specific organisation.
Ethan Searle
By Ethan Searle, Business development director, LanDynamix.
Johannesburg, 28 Feb 2024
Ethan Searle, LanDynamix business development director.
Ethan Searle, LanDynamix business development director.

The explosion in the proliferation of both structured and unstructured data is a source of a serious headache to the management of organisations, with considerable efforts being undertaken to store and manage this data.

But the protection of this avalanche of data takes the headache to new levels, with businesses increasingly focusing on securing the privacy of data.

Let's get one fact onto the radar − there is no silver bullet when it comes to data protection.

This is evidenced by the Gartner Digital Markets 2022 Global Software Buyer Trends Survey, which revealed 84% of businesses believed data privacy is the most valuable factor for them when buying software.

Most effective method

It's important to approach data protection holistically and within the context of the specific organisation.

Commence by understanding the business at a highly-granular level: How does it generate revenue? What data does it use to do so? How is that data accessed? Where is it stored – on-premises or in the cloud? What redundancy is there in the whole system? How are employees accessing that data?

Once the answers to these questions have been clearly mapped out, consider how the data is being protected or should be protected.

Let's get one fact onto the radar − there is no silver bullet when it comes to data protection. All too often, companies treat technology as a solution, but while it has a role to play it needs to be complemented by business processes and user education.

Data protection must be aligned to how the company's data is structured and used. For example, the move to Office 365 has removed one of hackers' easiest backdoors into the corporate network: the exchange server. Because Office 365 is so well protected, we have seen a huge shift towards attacks on the end-user.

In the age of hybrid or fully-remote employment, users access e-mail via their mobile devices outside of the corporate firewall. Hackers can use such devices to gain access to e-mails via various means.

The end result is that e-mails pass through the hacker's server before they reach the corporate system, and this gives the bad guy access to information like who the suppliers are and what invoices are being sent.

We are seeing invoices being intercepted and account details changed before the e-mail continues on its journey. The only way to counteract this kind of activity is to ensure business processes are well-designed and examine how payments are approved. Are staff primed to verify bank accounts before payments are processed?

User education is the vital third piece of any data protection approach. The good news is there are a range of excellent vendors out there with easy-to-use and well-thought-out products that emphasise real-world examples of good and bad behaviour.

If going the managed services route, companies should explore the benefits of outsourcing for the business. This approach can lead to shared value for the business and provider.

Get a policy in place

Overall, it is hard to overemphasise the importance of having a data policy in place to provide the framework within which these approaches operate.

The policy should specify things like who has access to specific data, and how data can be shared. Again, the policy framework must be tailored to the business's context and strategy, as no one size fits all.

As data continues to grow, so will the complexity of compliance, with the need for regulations to evolve as the importance of data grows.

Globally, GDPR provides the data security framework, as does POPIA in the South African business environment. The real consequence for organisations is that while their data holdings are vital, they also represent a huge risk in the shape of fines − which can prove to be immense − for below-par protection measures.

That's even before taking into account the reputational damage and subsequent loss of business in the wake of a hack.

It's wise to approach compliance positively rather than just ticking the boxes. The need for compliance can actually guide the company towards developing an effective data protection regime.

The big data impact

Big data emerged as organisations woke up to how useful data could be if it was aggregated and analysed well. Its growing importance has made it valuable, and as such − a target.

Bearing in mind the risk that comes with a treasure-house, we can expect security to become much more robust and proactive. Trends that have emerged include increased specialisation, with security moving out of the network operations centre into its own facility.

There is also a growing reliance on automation, which will play an increasingly important role in responding to security issues and handling routine (but vital) tasks, such as administering security patches.

The necessity for automation will increase as the internet of things (IOT) drives network size. The deployment of data analytics in protection is a significant trend, as is the harnessing of artificial intelligence by security vendors that are harnessing its power, combined with big data to spot hacking trends and act proactively to block them.

The IOT risk

This should possibly rather be referred to as IOE − the internet of everything − which has increased risk in multiple ways.

Networks continue to expand hugely as sensors and SIM cards are placed on more and more objects, and more and more data flows into the corporate network. Keeping sensors and SIMs secure is a massive task that will surely create new weaknesses in the whole network environment.

A critical issue here has to be how the corporate network is designed. As always, this must begin with a deep understanding of how the business works and what is important to it.

Segmenting the network appropriately will be critical in order to quarantine those areas that are mission-critical from other, less secure, and less important ones.