I recently had the pleasure of being interviewed by Sumaiyah Qadri of Magnus Legal Consultancy on the topic of the importance of data protection as we emerge slowly from COVID-19 lockdown and it is with pleasure that I reproduce the link to the subsequent article and the full content of the article here on the UKDataSecure website.
I hope you find the content of the articles useful as you continue to secure your organisation whilst emerging from COVID-19 lockdown.
MLC in Conversation With a Data Protection Officer
We had the honour of sitting down with Stuart Golding from 'UK Data Secure' to talk about data protection and what it means for business in times of uncertainty and increasing online presence. We asked questions relating to start-ups and established businesses and the importance surrounding data protection in a post-Covid world. Stuart Golding is the founder of UK Data Secure, with over a decade of practical experience. You can visit UK Data Secure here: www.ukdatasecure.com

What is data security/protection?

Data security and protection is the perpetual endeavour required for organisations to protect their data and information assets, to avoid data and information loss through security incidents and breaches, in order to maintain the continued viability of their organisation.

How important is data protection for companies today? Does the size of the company matter?

Data protection is vital for all companies in all industries, no matter what the size of the business; with organisations becoming almost wholly dependent on their data and information security assets, managing confidentiality, integrity, availability and accountability for their data and information has never been more business critical.

How has COVID-19 and the subsequent economic crisis affected data security?

COVID-19 and the subsequent economic crisis has thrown the importance of data security right into the corporate spotlight, although there is evidence to suggest that investment in information security and data governance has been significantly cut as hard-pressed businesses of all sizes seek to reduce costs quickly. The information security industry is bracing itself for the consequences of this lack of investment in the form of increased information security incidents and data breaches, which will be much more costly to resolve and far more disruptive to remedy than maintaining ongoing data security risk management, governance and strategies for keeping data and information secure.
With the advent of COVID-19, and the subsequent forced acceleration of remote working, many organisations had to force through previously untested controls, or became over-reliant on policy and user awareness training, leaving their remote workforces vulnerable. Remote working went from around 10% to almost 90% almost overnight, and we saw two years of digital transformation happen within two months, but studies suggest that only 27% of staff forced to work from home were given additional training on how to use platforms like Zoom and Teams securely. It is estimated that 60% of remote workers have recently used their personal devices for work, and almost all believe their devices to be secure; use of personal devices with fewer security measures and controls makes users more attractive to malicious attackers, and access to corporate services and resources, even from the end user's own devices, makes the target more attractive as the probability of gaining unauthorised access is significantly increased.

Organisations must protect themselves against complacency; during COVID-19 malicious threat actors have been anything but complacent and have been more active than ever, taking advantage of the uncertainty and confusion created by the global lockdown and enforced changes to working environments. With significantly increased internet traffic, things like denial of service, phishing, inadvertent data leakage and fraud have all been seen to increase dramatically. If they haven't already, organisations of all sizes should be reviewing everything implemented since lockdown in detail, ensuring that the right technology defence tools, processes and training have been implemented to facilitate ongoing secure home working, and that everything is working as designed and expected, and can be maintained.
Where workforces are returning to offices slowly, devices returning to office environments must be re-included in effective endpoint security hygiene, to ensure they are not a threat to the corporate environment in any way. Without COVID-19 the global workforce was already making strides towards a remote working environment, and this recent pandemic has accelerated this significantly. Therefore, keeping our remote workforces working securely is 'here to stay', and thus investment in better systemic software and application driven layered defences is an investment in any organisation's viability for the future.

"An effective, integrated information security awareness, education, and training programme, not as the first line of defence, but as an essential complementary element of a well thought out information security strategy and programme."

All organisations should be taking the time now to learn the lessons of enforced remote working and to plan for the continued viability of their organisations through a layered defence for their workforce; reviewing their strategy and information security programme and making the necessary investment and changes.

What areas of data protection do companies tend to overlook and why should they invest in protection?

We've seen many start-ups ignore the need for information security by design when they build new websites and applications, ignoring the need for secure coding practices and techniques, leaving them with potential vulnerabilities inadvertently built in that are more costly and disruptive to fix after go-live. Year after year we experience a lack of basic controls, often leading to information security incidents and breaches: default passwords not changed in new systems and applications, poor password management, patch management falling behind, policies and procedures not reviewed and updated frequently, incident management planning overlooked, and regular education and awareness not being maintained.
Ongoing investment is essential, and many of the basics which get overlooked are the least expensive controls to maintain, so there really is no excuse. As organisations of all sizes get used to working differently following COVID-19, and understand the significantly increased threat landscape, investment at this time is essential to avoid information security incidents and data breaches, in order to protect the viability of their organisation's business.