With pressure mounting to ensure consumer data is protected, Gemalto has recently released the results of a global study which reveals that two in three companies globally (65%) are unable to analyze all the data they collect and only half (54%) of companies know where all of their sensitive data is stored. Compounding this uncertainty, more than two thirds of organizations (68%) admit they don’t carry out all the procedures in line with data protection laws such as GDPR. In an exclusive conversation with Dataquest, Rana Gupta, Vice President of Asia Pacific, Gemalto’s Identity and Data Protection business, talks about the latest report findings, what challenges the company is facing while handling data and ways to protect data. Excerpts:
Q. Can you please brief us about the latest report findings – Businesses collect more data than they can handle?
Gemalto’s fifth annual Data Security Confidence Index explores the views of more than 1000 IT decision makers and 10,500 consumers worldwide on whether organizations are confident in their ability to handle the large amounts of data they collect on a daily basis.
The research found that businesses’ ability to analyze the data they collect varies worldwide with India (55%) and Australia (47%) best at using the data they collect. More than two-thirds of organizations (68%) also admitted that they don’t carry out all the procedures in line with data protection laws such as GDPR.
Also, growing awareness of data breaches around GDPR has led to the majority (90%) of consumers believing that it is important for organizations to comply with data regulations. In fact, over half (54%) of consumers are now aware of what encryption is, showing an understanding of how their data should be protected.
Some of the India-specific key findings as per the report:
- 45% of Indian organizations can’t analyze or categorize all the consumer data they store
- 48% of IT professionals in India believe their organizations are failing to carry out all procedures in line with data protection laws
- Only 52% of Indian companies know where all of their sensitive data is stored
- Only 57% of consumers are not aware of the term encryption, showing that they don’t have the understanding to protect their data
Q. What challenges are businesses facing while handling data? And how can they handle their data or monetize them?
Digital transformation is opening the doors to completely new business models and practices. The evolving digital space with increasing reliance on cloud applications occurring across all industries poses various challenges of privacy of information, non-repudiation of actions in the digital world, the integrity of information in the digital world, and confidence in digital identities. Every data breach incident has the potential of causing long-term reputational damage to the breached organization.
While storing data is easier, there should never be an assumption that information thus stored is automatically secured even if basic security checks are implied. No matter where data is, the appropriate controls like encryption and tokenization need to be placed at the source of the data. Companies need to realize a breach is inevitable and key stakeholders, their customers, expect them to take reasonable measures to prevent breaches in the first place, and when that fails, to ensure that their personal data is encrypted and of no use to unauthorized users.
Having said that, if there is a Security Breach inflicted on their systems that leads to the leakage of existing inventory of data then not only does it create challenges around the sanctity of existing data (and possible obligations towards the data subjects) but it also impacts the fresh supply of data as new data subjects will be wary of leaving their data with them... and hence impacting the data monetization altogether. Data being the raw material for the purpose of Data Monetization or Data being the New Oil in that sense... and in order to sustain one’s data monetization capability one needs to secure its supply chain (of data) as well as its current inventory (of data).
Q. What are your views on data breach prevention as it is important for customer retention?
Trust is essential in building relationships, and for organizations that hold vast quantities of customer data, this is especially the case. I would like to quote here the Customer Loyalty report published by Gemalto last year that a majority (70%) of consumers out of 10,000+ surveyed consumers, would stop doing business with a company if it experienced a data breach. In addition, six in ten Indian consumers (59%) feel businesses don’t take the security of customer data very seriously. With brewing conversations around data privacy and protection everywhere, consumers’ concerns are obvious that they might become victims of data breaches which may come to their attention or not. Consequently, countries including India are introducing various privacy laws holding businesses accountable for secure storage and usage of customers’ data. If the customers feel that your organisation places the security of their personal information at the top of the priority list, they would not just be loyal to your brand but also work as powerful brand ambassadors.
Q. What is perimeter security, and why is it still the primary defence and equally ineffective against data breaches?
Perimeter security incorporates an extensive set of systems – from firewalls to content filtering and anomaly detection. While these measures may seem robust, in isolation they aren’t enough and an exclusive focus on securing the corporate boundary is ineffective. Businesses must evaluate their position: in case their business is breached, will their data be secure?
It is noteworthy to highlight major cybercriminal trends over the past year revealed by Gemalto’s recent Data Security Confidence Index. When it comes to how data is being secured, the report found that more than half (57%) of IT professionals in India say perimeter security is effective at keeping unauthorized users out of their networks. Even though there is still faith in how they’re securing their networks, one third (27%) of Indian companies reported that their perimeter security had been breached in the past 12 months. Of those that had suffered a breach at some point, only 6% of that compromised data was protected by encryption, leaving the rest exposed.
Therefore, the need is for multiple layered defences with a ‘secure the breach’ approach in the hyper-connected world. Incorporating encryption into every stage of the organization, across networks and the cloud, is essential, and a complete solution that protects the data must be implemented. Encrypting the data without having strong key management would be equivalent to locking your house but leaving the keys under the front doormat.
Q. According to you, what are the three ways to secure the breach strategy?
‘Doing things as they have always been done’ is no longer workable as there are simply too many gaps in the periphery to make this approach viable. An end-to-end security strategy is needed for the protection of data, so that even if the data is lost in a breach, it still is rendered useless for an unauthorized user.
- ENCRYPT YOUR SENSITIVE DATA: Locate your sensitive data and encrypt it. Whether your data resides on-premises, in virtual environments, the cloud or is in motion, encryption will render it useless to attackers.
- SECURE AND OWN YOUR ENCRYPTION KEYS: Store encryption keys securely and separately from encrypted data. By centrally managing the key lifecycle, you ensure you maintain ownership and control of your data at all times.
- MANAGE AND CONTROL USER ACCESS: Manage and control access to your corporate resources and apps by verifying a user’s identity, assessing and applying the right access policy, and enforcing the appropriate access controls using single sign-in.
Q. What is the scope of human error in a data breach and how can it be avoided?
As networks shift towards hybrid, elastic, and borderless ecosystems, expand across cloud environments, and become meshed with other networked environments such as OT and critical infrastructures, security will have to continue to adapt. Gemalto Breach Level Index 2017 revealed that identity theft was the leading type of data breach, accounting for 77% of all incidents in 2017. Therefore, if we are to progress towards more secure and convenient authentication solutions, we have to start thinking beyond passwords. It is imperative for any company with the security of its customers and employees in mind to understand this by now. The password and its many flaws are already losing support from the biggest players.
Businesses can protect access to company data with strong and multiple layers of authentication. Multi-factor authentication uses two or more different forms of verification—usually something you know (password or PIN) in combination with something you have (smart card or token). It’s an access strategy that provides users with secure access to enterprise data anytime, anywhere.
Q. What are the best data security practices especially in India?
India cannot develop an appropriate digitally secured environment without the backing of requisite talent, infrastructure, and best practices. Security and Privacy is an evolving subject. While India is ahead in its adaption of relevant security practices in certain areas, it is not far behind in the others. Security by design is quickly becoming the essential data security approach for enterprises. The adoption of the 3-Step Secure The Breach pillars (Encryption, Secure Key Management, and Secure Authentication security) practice helps organizations to build privacy by design rather than thinking of it as an after-thought.
Mandatory breach notification should also be mandated so that we all start to understand the severity of the problem. One cannot address a problem if one doesn’t understand the extent of the problem itself. We also anticipate that the upcoming Indian Data Privacy bill will emphasise addressing the data-driven security needs and introduce the concept of protection of data through encryption and implementing strong authentication of users and things and following the other steps identified in Gemalto’s Secure the Breach Manifesto. Enterprises should articulate the value of privacy/security by design and what it means for the business to all employees and executives.