
From threat to risk: A case study on tackling data governance in financial services


Johannesburg, 06 Dec 2022

With data breaches costing companies millions every year (reaching an all-time high in 2021[1]) and regulatory non-compliance threatening executives with fines or jail time[2], it's no wonder that cyber incidents are ranked the number one risk to business in 2022[3].

In an attempt to understand how to predict cyber threats, respond to them and minimise their business impact, companies are moving their focus from ad hoc cyber threat response to calculated cyber risk management. Mission-critical topics such as data governance are a case in point. Overseeing how data is protected and processed is crucial for South African organisations, especially financial services organisations that process highly confidential personal information.

Facing the POPIA giant

When the enforcement date of South Africa's data protection legislation, the Protection of Personal Information Act (POPIA), became known, a globally renowned financial services provider contacted AVeS Cyber Security to assist them with their POPIA compliance efforts. AVeS Cyber Security's background in IT governance and IT architecture, as well as its Gold partner competencies in Microsoft Security and Cloud Platform, positioned the team uniquely to work alongside the client's risk and IT teams to fulfil their POPIA obligations.

Since the client's Board-Level Risk Committee oversaw the project, the business goals were clear: minimise its cyber and regulatory risks by governing its confidential business data while continuing to enable its remote working staff. On a technical level, this meant identifying where the organisation's data should reside and what technical controls it should put in place to protect the data's confidentiality, integrity and availability.

Setting clear goals and envisioning the win

Since the organisation had an existing on-premises data centre investment, AVeS Cyber Security had to investigate what the most cost-effective solution would be: expand its current on-premises infrastructure with better data protection capabilities, or shift its data centre (either partially or entirely) to a cloud-based platform that has scalable data protection built in from the start.

"Our board made it clear that data governance was a strategic priority for the business. We had to consider all possible angles to arrive at a cost-effective answer from year one. The solution also needed to provide a solid, scalable foundation on which we could build the company’s medium-term data governance initiatives," says Mohammed Dawood, IT Manager at the client.

AVeS Cyber Security compared the client's existing infrastructure against its risk register to identify technical gaps and completed a cost analysis to evaluate which option – expand on-premises or migrate to the cloud – would be the most cost-effective and allow for the greatest scalability and predictability in the medium term.

"Looking at an organisation's current, technical data protection needs is one thing, but one has to allow the organisation to easily scale up or down as their business requires it. Although the minimum baseline was to ensure that the organisation meets its POPIA requirements now, the organisation also had to empower their staff to work more securely with data in the future," says Bradley Adams, Infrastructure Sales Director at AVeS Cyber Security. "That's where we move from pure data protection to data governance and consider more than the technology involved: the key is to make process and people part of the solution. After all, successful data governance projects empower organisations to work efficiently and securely today and three years from now."

With no on-premises data scanning tools, the client didn't have a clear idea of what data they had stored where and how much of that data was "personally identifiable information". Their workforce comprised both office and work-from-home staff, which meant that data was continually on the move and hosted in different locations.

The cost analysis revealed that the client's best option was to rebuild its data centre in the cloud and provide a safe space for employees to store and process business data wherever they were. The client decided to migrate all of its data, in an unstructured format, to the cloud so that it could start controlling access to data as soon as possible, gain visibility into how data is used for business purposes, and label data according to its level of sensitivity. Due to the nature of the business, the organisation worked daily with massive amounts of special personal information and needed the technical security measures defined upfront and applied automatically to data sets so that its workforce could work efficiently.

Creating the roadmap

"When clients contact us to assist them in containing data breaches, we often find that their cloud platform's security is lacking severely at the time of the breach. It's because people tend to treat cloud security as an afterthought, thinking cloud means out-of-the-box security. It's a general problem with data centre migrations to the cloud: people don't close enough backdoors before migrating their data. Just like with any other platform, one should build fit-for-purpose security into the cloud's design from the get-go, not treat it as an afterthought. So, we knew what our first step was: design a secure cloud data centre," says Adams.

In collaboration with the client's risk and IT teams, AVeS Cyber Security created a POPIA roadmap to the cloud that identified the following:

  • Which layers AVeS Cyber Security would build into the cloud's security design, as per security best practices, to protect data in the cloud;
  • What data to move to the cloud;
  • How to structure the platform's licensing to be cost-effective and predictably scalable;
  • How to best approach the data migration phase of the project, enabling business operations to continue running; and
  • How to support the client's IT team throughout the process.

AVeS Cyber Security also recommended that the client follow change management best practices to ensure a seamless transition for the organisation's workforce. "Companies can greatly improve their projects' return on investment and adoption among employees if they follow the guidance of change management best practices," says Charl Ueckermann, Group CEO at AVeS Cyber International. "We've seen technically brilliant projects achieve sub-optimal results when the people in the business aren't included as part of the project. No one likes logging into their computers on a Monday morning and discovering that everything they knew on Friday has now changed."

With the technical roadmap in place, AVeS Cyber Security set out to implement the safeguards required to help the client acquire a secure, data-governed cloud data centre.

Using Microsoft 365 and Microsoft Azure as the platforms of choice, AVeS Cyber Security could introduce various built-in security features in the newly built secure cloud:

  • Data and e-mail protection with Azure Information Protection (AIP), which discovers, classifies and protects documents and e-mails by applying sensitivity labels to content;[4]
  • Multi-factor authentication with Azure Active Directory (Azure AD) to enforce identity and access rules at sign-in and reduce the risk of breaches from stolen passwords, while remaining seamless for employees;[5] and
  • Azure Sentinel (renamed Microsoft Sentinel in late 2021), a cloud-native SIEM (security information and event management) solution with built-in machine learning. Sentinel ingests and correlates security logs, including sign-in and data-access events, raises alerts and insights on security incidents, and provides task automation and orchestration (SOAR) to shorten the IT team's response time to incidents.[6]
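As an added illustration (not part of the case study, and not the client's or AVeS Cyber Security's own configuration) of how the MFA and Sentinel pieces fit together, the following KQL query flags successful Azure AD sign-ins that completed with only a single factor, which is the gap an MFA rollout is meant to close. It assumes the Azure AD sign-in logs have been connected to Sentinel, so the standard `SigninLogs` table and its `ResultType`, `AuthenticationRequirement` and `ConditionalAccessStatus` columns are available; the one-day window and hourly bucketing are arbitrary choices for the example.

```kql
// Added example (not from the case study): surface successful Azure AD sign-ins
// that satisfied only one authentication factor and were not covered by any
// Conditional Access policy. Assumes the Azure AD sign-in logs data connector
// is enabled, so the SigninLogs table is populated.
SigninLogs
| where TimeGenerated > ago(1d)                          // window is an example choice
| where ResultType == "0"                                // "0" = sign-in succeeded
| where AuthenticationRequirement == "singleFactorAuthentication"
| where ConditionalAccessStatus == "notApplied"          // no CA policy governed this sign-in
| summarize SignIns = count(),
            Apps = make_set(AppDisplayName),
            SourceIPs = make_set(IPAddress)
    by UserPrincipalName, bin(TimeGenerated, 1h)
| order by SignIns desc
```

Run as a scheduled analytics rule, this turns the "every user must use MFA" policy into something the SOC can verify continuously rather than assume: any row it returns is either an account excluded from the MFA policy, an application that bypasses it, or a policy misconfiguration, and each is worth a ticket.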

"For us, the choice came down to the platform's reliability (99.95% uptime[7]), flexibility (range of applications available to easily expand the platform's functionality) and scalability (compliance with various data governance regulations around the world). We now also have more predictability in our budgeting process. User-based costing means that we know exactly what our monthly or yearly spending will be based on how many people we employ and who has access to which productivity features. In the past, we had to speculate how much data we would store in the next 12-36 months, and everyone had access to the same toolsets, irrespective of what they actually needed. Now, we can assign fit-for-purpose resources to high-risk staff, such as executives, when they need it," says Dawood.

Mission accomplished

"With the cloud data centre now up and running, the client has been able to make better data-driven decisions at board-level to advance its data governance efforts across the business," says Adams.

Ueckermann adds that other industries that deal with highly confidential data, such as the medical and manufacturing industries, can also learn from this client's data governance journey and apply key learnings to their own projects. "This project demonstrates that data governance can be successful if it's led from the top. As the ultimate custodians of data governance, boards should step in to lead organisations through the multi-connected and hyper-regulated business landscape. Without this kind of risk-managing leadership, organisations will not be able to prevail against the cyber threats yet to come."

References:

  1. https://newsroom.ibm.com/2021-07-28-IBM-Report-Cost-of-a-Data-Breach-Hits-Record-High-During-Pandemic
  2. https://www.popiact-compliance.co.za/popia-information/16-offences-penalties-and-administrative-fines
  3. https://www.weforum.org/agenda/2022/01/biggest-business-risks-2022/
  4. https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
  5. https://www.microsoft.com/en-za/security/business/identity-access-management/mfa-multi-factor-authentication
  6. https://azure.microsoft.com/en-us/services/microsoft-sentinel/
  7. https://azure.microsoft.com/en-gb/support/legal/sla/summary/


AVeS Cyber Security

AVeS Cyber Security forms part of the AVeS Cyber International group of companies. It is a specialist in industry-specific IT Governance & Architectural services, combining expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions. Over the past 24 years, AVeS Cyber Security has strategically honed its solutions and services to help businesses future-proof their IT environments against the continually evolving threat landscape while achieving their digital transformation aspirations. The company offers a leading portfolio of professional services, products, and training in security, infrastructure, and governance solutions. Every year, the company continues to win numerous awards from some of the world's top technology vendors, indicating competency, strength, innovation, and robustness in an industry that is fast growing in complexity due to evolving challenges, such as ransomware, advanced targeted attacks and the Internet of Things. The more recent awards include Kaspersky's Africa Partner of the Year 2019, 2020 and 2021, Sophos' Public Cloud Partner of the Year 2021, and ESET's Best in the Biz Award 2021. AVeS Cyber Security also received prominent partner statuses across its portfolio, such as Microsoft Gold Security Partner, DellEMC Gold Partner, Veeam Silver Partner and Sophos Platinum Partner.