Why are NZ businesses increasingly mindful of data risk and sovereignty? And what does that actually mean?
Over the last five years, a number of large companies have been rocked by data breaches, including Yahoo, Marriott International, eBay and Uber.
12,449 data breaches were confirmed in 2018, an increase of over 400% from the previous year.
With businesses collecting and storing more and more data, the risk and consequences of a data breach to their company, employees, customers and other stakeholders are immense.
So, what are organisations doing to make sure their data is secure and not at risk?
Most companies take their data responsibility seriously and a recent study by the Ponemon Institute shed light on how IT and IT security practitioners are dealing with data risk in their organisations.
While the study focused on US businesses, we have found similar results in New Zealand.
What are data breaches? And what do data sovereignty and data risk mean?
A data breach is basically unauthorised access to an organisation’s data.
In the cases of the companies mentioned earlier, this took the form of vast amounts of personal data being hacked and made available to be publicly distributed.
In addition to the risk to the people whose data has been accessed, the negative publicity and erosion of trust in the company that has been breached were extremely damaging.
In simple terms, data sovereignty means that data is subject to the laws of the country in which it is stored.
With the proliferation of cloud storage and technology, data is quite often stored in a very different location to where a company operates.
Not knowing the sovereignty of your data puts an organisation at risk of unknowingly breaking the laws of the country that their data is actually located in.
A good example is the EU General Data Protection Regulation (GDPR). While you may not currently do business in any EU countries, if you are using cloud software or storage that is located in the EU, you have to comply with GDPR.
Not complying opens your company up to the risk of prosecution.
Data risk applies to any situation where there is a potential for some sort of a loss related to your data.
In addition to data breaches and data sovereignty, other data risks include compliance risk, data loss, data rot, deanonymisation (identifying people from anonymous data), regulatory risk, dark data risk (data that is collected but not used), data corruption, data remanence, and privacy.
Data risk can arise from an organisation not transmitting, using, storing, managing or securing their data correctly.
Why you should be concerned
The Ponemon Institute found that a lack of knowledge of where sensitive data is stored and the data risk were the biggest security problems for IT and IT security practitioners.
Simply put, if you don’t know where your data is located, it’s at risk.
This is not just from a data sovereignty point of view, but also whether it is secure or potentially vulnerable to a data breach.
For this very reason, participants in the study largely agreed that data breaches are their number one security risk. And, as mentioned earlier, it's a problem that is continuing to get worse.
What companies are currently doing
Over half the people surveyed said their organisations used an automated solution to discover sensitive data and understand its risk.
Many companies used a solution they’d developed in-house, while some used a commercially available solution.
These solutions included data classification (most popular), data monitoring, tokenisation and encryption, and data discovery.
However, there were limitations for these businesses.
User activity is difficult to track and there were gaps in the commercial solutions that were being used.
Risks caused by user and employee negligence or malicious access and use of data were reasons companies looked to develop their own solutions.
Looking to the future
Participants predicted that the top three trends in the IT security industry will be consumerisation of IT and shadow IT (IT solutions used and deployed without organisational approval), mobility (smartphones and tablets), and greater stealth and sophistication of hackers.
With all of these, a clear understanding of your data sovereignty, the risk of data breaches, and your data risks is critical.
Over the next three to five years, organisations see target and process-focused security controls as being the most relevant to their business and the threats their data is likely to come under.
In our experience, the starting point for any data security or data risk solution is understanding what data an organisation has and where it's located.
From there it is much easier to assess the risks and put the right measures, security, and solutions in place to keep the data safe from attacks and breaches.
Overall, with the significant rise in data breaches, coupled with an increase in the amount of data organisations collect, data security is extremely important.
Not knowing where your data is located leads to potential data sovereignty issues, and a lack of understanding around data risks makes companies vulnerable to data breaches.
These concerns are at the forefront of IT and IT security practitioners’ minds, both in New Zealand and worldwide.
While there have been gaps in the current solutions used by organisations, new and more powerful tools are entering the market that better help companies understand, use, and protect their data.