Prioritizing Data Security in 2022: Where Should You Start?
This blog was originally published by PKWARE here.
The start of a new year is always rife with resolutions, both personal and professional. Many of us begin to take stock of what we deem most important to focus on, and businesses are no exception. It’s the perfect time to determine what will take priority—and why.
Privacy and Protection Mandates
In 2021, we saw an increase in state-level privacy regulations in the US—such as Virginia and Colorado—as well as developments in several other countries, with GDPR maturing, POPIA passing in South Africa, and PRIMER going into effect in China. We also learned what can help a state-level data privacy bill pass in the US where others fail: once the Attorney General gets involved and backs a state bill, it tends to pass soon after. For example, Colorado had Attorney General support, whereas several Washington bills did not.
This rapidly changing landscape must be taken into consideration when determining where your Legal and IT business units are going to spend their money and effort in 2022. Privacy laws bring huge security and data awareness challenges, and they are not something you want to scramble to comply with at the last minute. While all data privacy laws are data centric, their technical and legal requirements do not map one to one. Still, they share a common theme: knowing and protecting the organization’s most sensitive data, which is any data that involves a person, whether an employee, vendor, consumer, customer, or data subject. Ensuring your organization has properly thought out its compliance efforts, utilizing existing tool sets and strategically adding new tools where needed, is more vital than ever.
Prepare for What’s Here and What’s Next
All this to say: when you sit down to analyze potential spend and budget allocation, make sure to involve both security and data engineers. These teams typically know the most about what data they have and what is truly at risk. Once you’ve engaged these teams, ask the hard questions to find out where the gaps are in your compliance. If you already meet an existing law such as HIPAA, or a regulation/guideline such as PCI DSS, you likely have a whole slew of security, networking, logging, and other tools at your disposal. This may mean that the future focus will go toward extending those pre-existing solutions into other parts of the IT business, which could include additional staffing, increased training, or potentially outsourcing.
The last thing to look at here is whether there is anything your existing tools do not or cannot cover. While no one can say exactly which laws will pass in 2022 or what they will contain, we can look at the trends in recently passed data privacy laws, as well as the discussions we’ve heard about PIPEDA and HIPAA modernizing and PCI DSS releasing version 4.0. Most companies I’ve seen are also still vastly unaware of what data is where, whose data it is, and even how they received or generated the data. And this is only on the IT side.
The communication gap between IT, the business as a whole, and legal is often still broken. For some organizations, even getting IT security to speak with data governance or the data science groups is a challenge.
Single Solution, Multiple Benefits
This is where mature and proven data discovery solutions can help, providing a single tool that can tell you what data you have and where it lives across your data landscape. This empowers the business with information and frees up IT and Legal groups to focus on IT or Legal policy changes, procedure changes, or IT process or development changes. A single-solution approach ensures that the right teams are aware of what data is where, enabling them to apply security controls based on the context of the data and the environment it lives in.
This approach is also vital in keeping data safe for the new normal of a hybrid and/or fully remote workforce. In 2021, the largest threats were ransomware and email phishing. If employees are disconnected from the VPN while working outside the office, and are working with large amounts of the organization’s data on their laptops, how protected is that system and, most importantly, how protected is the data on it? Does the IT team even know what data is stored on that laptop?
Some of the more comprehensive discovery solutions on the market also offer endpoint protection, enabling endpoint data discovery along with file classification, data encryption, and data redaction. This ensures that even if those endpoints do hold sensitive, confidential, or restricted data, it remains protected even when disconnected from the VPN. Furthermore, such a solution will address files that may be misclassified, or whose classification changes as they are worked on by your staff.
As we celebrate the new year and all that is to come in 2022, let’s make sure data awareness remains front and center and begin treating all organizational data as if it were our own personal data. After all, you wouldn’t want another company protecting your data any less than you protect theirs. Get the best protection available for the widest array of platforms.