A new year, a new regulation…and a new data breach
The year 2020 is upon us, and with it the California Consumer Privacy Act (CCPA) comes into effect. While the growing body of regulation keeps security top-of-mind for enterprises doing business in California and worldwide, we continue to see significant and worrisome data breaches on a regular basis.
A prime example took place over the last week in the UK, where more than 1,000 notable figures had their home and work addresses posted on a government website. The document was meant to publicize the recipients on the New Year Honors list. Instead, sensitive personal information was exposed to the public for about an hour.
Though there will, no doubt, be a formal investigation into what went wrong, this breach is a reminder that incidents like it will keep happening, even under robust legislation like CCPA or GDPR.
So…what can be done?
Repeat after me – regulations can’t solve it all
I’ve written at length about the fact that regulations are key to driving good security behavior, and that’s still true. We’ve seen a marked increase in enterprises making data security a priority, which is great and must continue. But regulations in and of themselves won’t stem the tide of data breaches. This breach occurred in the UK, a country covered by one of the most stringent data privacy regulations in the world, GDPR, which has been enforceable since May 2018.
Regulations focus on compliance, which is only one part of a robust data security and privacy stance in the enterprise. Regulatory compliance goes hand-in-hand with several other elements: technology tailored to meet specific organizational needs, end-to-end knowledge of where data travels throughout an organization, and a strong security culture. A failure in any one of these areas can spell disaster, and many breaches result from failures in several of them at once. That was likely the case in the UK Cabinet Office breach, as analyst firm Ovum rightly points out.
Establishing a strong security culture while minimizing the chance for human error
We’ll continue to see nations worldwide enact stringent data privacy regulations in the years to come, and that’s necessary. But regulations don’t prevent user error, the ‘fat-fingered mistakes’ that happen when well-meaning employees or users inadvertently cause a breach. Sadly, such mistakes are not rare: according to one recent survey, almost two thirds of UK organizations that experienced a data breach attributed the cause to human error.
To say that is concerning is a gross understatement.
Mistakes will continue to happen as long as humans deal with organizational data because we’re, well…human. But there are ways to both minimize human error as well as promote a strong security culture within the enterprise.
1. Start with data classification
This may sound fairly obvious given Titus’ position as the expert in data classification, but it continues to be as true in 2020 as it was in 2005 when our company was founded. Classification on its own is metadata; its value is that downstream people and systems can act on it. Properly classified data lets those controls catch inadvertent errors, including publishing personal or sensitive information publicly, before they happen.
A good data classification solution will therefore work with the other components of a data security program: data loss prevention (DLP) solutions, cloud access security brokers (CASBs), encryption solutions, and so on. Together these give enterprises a robust data security stance in which data is exposed only to appropriate audiences.
The result? Personal or sensitive data doesn’t become public, even for an hour. Our Titus Classification Suite of products is an example of this type of solution, offering the industry’s most flexible and customizable classification metadata schema. This ensures data has context, so people and systems understand how to properly handle information.
2. Build a strong security culture
This is no easy task. Many enterprises try to implement a strong security culture by conducting quarterly or annual ‘check-ins’ with employees, testing their understanding of security policies.
That’s no longer enough.
Security policies need to be continually re-examined, particularly as more complex data regulations are introduced and attacks from external sources and bad actors grow more sophisticated. A strong security culture must be an ongoing initiative that ensures employees always know what they can do to keep sensitive data secure.
3. Make friends with machine learning
The amount of data created and consumed by enterprises will only continue to rise, and keeping all of it safe and secured can become a great burden on employees. Enterprises need to look at automated data security solutions that incorporate machine learning to take some of that burden away from people. The key will be choosing solutions that match or exceed the accuracy of the average human user. The Titus Accelerator for Privacy is an example of this type of solution; it ensures that personal data, such as the addresses exposed in the UK Cabinet Office breach, is accurately and quickly identified. With this solution in place, any user trying to share this type of information publicly would be automatically warned that it contains PII.
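As an added illustration of the two controls described in points 1 and 3 (classification metadata that a publishing step must honor, plus automated detection of personal data in the content itself), the Python sketch below is example code written for this page, not code from the original post and not how any Titus product works. The three-level label scheme, the PII patterns, the publish-gate rules and the honors-list-style sample rows are all assumptions constructed for the example; the names and addresses are fictitious.

```python
import csv
import io
import re
from dataclasses import dataclass, field

# Assumed classification scheme (hypothetical, not a vendor's schema).
LABELS = ("Public", "Internal", "Confidential")

# Content patterns that should never appear in a document bound for a public site.
# The UK postcode pattern is deliberately broad: a false positive costs a review,
# a false negative costs a breach.
PII_PATTERNS = {
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}\b"),
}

# Column headers that indicate personal data regardless of what the cells hold.
PII_HEADERS = {"address", "home address", "work address", "postcode", "email", "phone"}


@dataclass
class Document:
    name: str
    label: str   # classification metadata carried with the file
    body: str    # CSV text, as a press office would export it


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def find_pii(body):
    """Return (kind, location) findings: flagged header names, then regex hits per row."""
    findings = []
    rows = list(csv.reader(io.StringIO(body)))
    if not rows:
        return findings
    for col in rows[0]:
        if col.strip().lower() in PII_HEADERS:
            findings.append(("header", col))
    for lineno, row in enumerate(rows[1:], start=2):  # line 1 is the header
        for kind, pattern in PII_PATTERNS.items():
            if any(pattern.search(cell) for cell in row):
                findings.append((kind, f"row {lineno}"))
    return findings


def publish_gate(doc):
    """Decide whether a document may be pushed to a public website.

    Rule 1: only data explicitly labelled Public is publishable; unknown or
    missing labels fail closed. Rule 2: even a Public label does not override
    a content scan that finds personal data, because labels can be wrong.
    """
    result = GateResult(allowed=True)
    if doc.label not in LABELS:
        result.allowed = False
        result.reasons.append(f"unknown label {doc.label!r}; unlabelled data is not publishable")
    elif doc.label != "Public":
        result.allowed = False
        result.reasons.append(f"label is {doc.label!r}, publishing requires 'Public'")
    for kind, where in find_pii(doc.body):
        result.allowed = False
        result.reasons.append(f"{kind} found at {where}")
    return result


# Constructed sample exports (fictitious people and addresses).
RAW_EXPORT = Document(
    name="honours_list_full.csv",
    label="Confidential",
    body=(
        "Name,Honour,Home Address,Postcode\n"
        "Jane Doe,OBE,1 Example Street London,SW1A 2AA\n"
        "John Roe,MBE,2 Sample Road Leeds,LS1 1UR\n"
    ),
)
# The same list with address columns removed and relabelled for release.
RELEASE_COPY = Document(
    name="honours_list_public.csv",
    label="Public",
    body=(
        "Name,Honour,Citation\n"
        "Jane Doe,OBE,For services to education\n"
        "John Roe,MBE,For services to the community\n"
    ),
)
# Relabelled Public but still carrying a postcode in free text: the label check
# alone would let this through; the content scan does not.
MISLABELLED = Document(
    name="honours_list_oops.csv",
    label="Public",
    body=(
        "Name,Honour,Citation\n"
        "Jane Doe,OBE,For services to education in SW1A 2AA\n"
    ),
)

if __name__ == "__main__":
    for doc in (RAW_EXPORT, RELEASE_COPY, MISLABELLED):
        verdict = publish_gate(doc)
        print(doc.name, "ALLOW" if verdict.allowed else "BLOCK", verdict.reasons)
```

The point of running both checks is the third sample: a human relabelling a file as Public is exactly the kind of fat-fingered mistake the post describes, so the label must be necessary but never sufficient. In a real deployment the regex layer would be replaced or supplemented by a trained classifier, but the gate's fail-closed logic stays the same.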
With the enforcement of CCPA upon us, you’ll see other security vendors touting this as a new era for data security, with enterprises knowing what they need to do when it comes to ensuring personal and sensitive data remains safe.
I’d argue that while enterprises certainly know that securing data is a priority, events like the UK Cabinet Office breach show there’s still a lot more work to be done.