It’s hard to imagine that it’s been 12 years since Data Privacy Day began – starting in Europe and soon after in the US. Important work has been done to vastly improve how personal data is protected, but if you read the headlines it looks like we’ve been going backwards, with massive data breaches every week. But 2019 is a good time to look at where we are and what concerns should be addressed going forward.
The EU General Data Protection Regulation (GDPR) came into force on May 25, 2018, and we have already seen the first fines being levied, including a rather large one by France against Google – €50 million ($57 million). While this is unlikely to put Google out of business, it’s a strong indication that violations will not be taken lightly and that companies need to pay attention even if they are U.S.-based. One of the biggest misconceptions about GDPR is that it only affects EU companies, but that’s wrong – any company with customers in the EU needs to meet the requirements of GDPR.
ComputerWeekly estimates that over one billion people were affected by the loss of personal data in the 13 biggest data breaches of 2018. Breaches are problematic for the individual consumer – we all worry that our personal information is going to get into the wrong hands, and that is what has driven the emergence of GDPR, the California Consumer Privacy Act (CCPA), the New York Department of Financial Services regulation 23 NYCRR 500 and others in the past couple of years. And surely more, and probably tighter, regulations are to come.
But breaches can also be devastating to companies that are breached, causing an embarrassing loss of reputation that leads to a loss of customer trust and the real possibility of declining revenue. Even if business is not immediately affected, this is not the kind of news story you want attached to your corporate reputation. The only saving grace is that there are now so many breaches that, well, you may be in good company and your news may fade quickly when the next breach occurs. It may fade, or it may end up in every vendor deck you see for the next couple years. You don’t want your company to be a “cautionary tale.”
Another reason that we are at a critical inflection point is the massive adoption of the cloud. Where once you locked your data securely within your own data center, under your watchful eyes and your trusted staff, now data is distributed among thousands of constantly moving virtual machines or containers, in an application that your DevOps team revised 3 times just yesterday. The challenge of securing data just got a whole lot more complicated. The cloud, containers, DevOps – none of them is a new technology this year, but you could make a strong argument that we are in the middle of their massive adoption.
Should we celebrate?
There is no doubt that the challenges for IT security teams are more complicated and faster moving than ever before. But the security industry is evolving in an attempt to meet these challenges and keep ahead in the never-ending cat-and-mouse game against an evolving threat landscape. So check your dashboards, make sure you aren’t being breached, and then celebrate Data Privacy Day for a few minutes by attending a Data Privacy Day event. Then get back to vigilance and proactive security measures, because the threats are not going to abate.
What can be done?
There are recommended best practices for securing your data, and you can find some very good advice in the more technical blogs on our site, which go into details on these practices. A combination of various security tools along with human practices can go a long way to keeping your sensitive data from being breached.
At SecurityFirst we focus on securing the data where it resides, on critical servers. Even if the perimeter defenses are compromised, encrypting the data prevents an attacker who does not hold the keys from extracting or damaging it. Proper encryption must therefore include comprehensive key management, policy controls to prevent unauthorized access, and thorough reporting and alerting through centralized systems.
SecurityFirst’s DataKeep product protects files, volumes and objects, and is integrated with other security components, including:
- IBM QRadar – for visibility into data access
- Splunk – to centralize reporting, logging and alerting
- IBM DRM – to identify where encryption should be deployed
- IBM SKLM – to add extra protection for keys
- IBM Spectrum Protect – to secure data even during backups
- IBM COS – to provide client-side controls for data sent to public clouds
Having this tight integration allows more comprehensive coverage with a finite IT staff.
While we are thrilled that the industry has a Data Privacy Day on January 28, to focus attention on this very important topic, at SecurityFirst we regard every day as a Data Privacy Day – because good security requires constant data protection.