Sensitive data hidden across the distributed workplace raises risks
Organisations need to take control of their sensitive data to significantly reduce their risk and exposure to data breaches. Sensitive data minimisation and retention focuses on obscuring volumes of data that are no longer in use and no longer subject to regulatory requirements. Privacy mandates such as POPIA are making compliance an ongoing challenge for businesses. These regulations require collecting and holding only the minimum amount of personal sensitive data needed to fulfil a specific purpose.
Last year it was estimated that data breaches cost South African companies an average of R40.2 million per breach, with malicious attacks on customer, employee and corporate data being most prevalent – accounting for 48 percent of incidents – and proving to be the costliest cause of breaches to businesses. Security of data is imperative when considering the implications of the cost of a breach.
Just last month, a new report showed that costs have increased by 15% in the past year – with the average time to detect and contain a data breach at its highest, taking 237 days (184 days to detect and 53 days to contain).
The move to a remote and distributed workforce, accelerated by the Covid pandemic, has highlighted the need for digital sovereignty to be a fundamental right for citizens, institutions and society.
“We do, though, need control over people's access to protect that right,” says Tito Pereira, CEO of Blue Label Technology Solutions, a provider of cybersecurity and data protection solutions.
“As cloud use and machine automation become more far-reaching, managing people's privileged access within a company is no longer enough,” he says. “The complexity and scale of access management offers a far larger threat to an organisation's data sovereignty than ever before. Add to that the variety of devices, IoT and DevOps, and you have an extremely complex control requirement for access across machines and applications from within and outside of the organisation.”
Data is a hot commodity, and today organisations have more of it than ever. The true reason for ensuring data compliance should be to protect customers from harm rather than running from the cost of a breach or the risk of reputational damage.
“Removing unnecessary personal data reduces the attack surface of any organisation. This can only be achieved through clear cataloguing and strict controls based on sensitive data, so that there is a faster response to breaches, should they occur. One of the most difficult and time-consuming acts for South African businesses right now is to identify where personally identifiable information resides across their network, devices and distributed workforce. You could say that PII is like a virus – finding it is the difficult part but once revealed, it can be contained and controlled,” adds Pereira.
Data breaches are a severe threat to any organisation managing sensitive data; they occur when malicious players access privileged information unlawfully. Even companies that invest heavily in cybersecurity are vulnerable to these attacks, as almost a third of data breaches involve phishing attacks.
“Full data discovery and real-time cataloguing is necessary to be able to protect, and respond, to data breaches in a way that eases regulator concerns, limits damage to customers and users, reduces communication costs, and increases transparency to a more knowledgeable client base,” concludes Pereira.