Often the hardest part about doing anything is just getting started. When I talk to our clients about issues like data protection, they always agree that it is important and that they should be doing something about it. Sadly, data protection is also an area where a lot of confusion exists and where we see legacy processes creep in. I think it is fair to say that most people think of firewalls, antivirus and sharing permissions when they are asked how they are going to protect their data. But how businesses operate and collaborate has moved on and left these legacy security approaches behind. Securing your data behind firewalls and user permissions is no longer enough to protect it from bad actors and breaches. So what can your business do to modernise its approach to data protection?
The evolution of modern work environments has meant that businesses now need to take a more proactive approach to not just how they secure their data but also how this data is being used and eventually disposed of. New Zealand’s Privacy Act 2020 has led to more organisations being held accountable for data breaches and mismanagement. The growing importance people are placing on their personal information and their privacy is also magnifying the negative impact businesses can face if they are caught mishandling or failing to adequately protect data. Ultimately though, your organisation should prioritise data protection and people’s privacy simply because it is the right thing to do.
The 2014 hack on Sony Pictures Entertainment caused a data breach whose impact went much further than the financial damage from leaked intellectual property, such as unreleased films and scripts. Hackers also released confidential and personal information on Sony’s employees and their families, which undoubtedly caused great personal harm. This type of data breach cannot be fixed. Once this information is out there, the damage is irreparable.
Businesses also need to be aware of, and prepared to protect themselves from, breaches that originate from within. Two recent examples come to mind. Orcon was ordered to pay $25,000 after being found in breach of the Privacy Act due to their staff failing to comply with their obligations under the Act. And more recently, ACC stood down twelve staff after discovering that call centre staff were sharing personal details about people’s injuries in private messages.
This Microsoft article on data, compliance and governance provides a great summary of why and how data should be protected:
“Data is the lifeblood and intrinsic value of many organisations, even for those whose business primarily relies on material goods and services, instead of information, and that data needs protecting. That data needs to be:
Microsoft goes on to describe how data governance should focus on four key areas:
There are so many aspects to data protection, and so many more acronyms! Understandably, many organisations don’t know where to start, and IT professionals can feel overwhelmed when they first look at data protection. To help, here are eight key focus areas:
If you’re thinking about document labelling, check out this article on What’s the Difference Between AIP and Retention Labels? and this one on Simple Sensitivity Label Design for the SMB to get started.
Many of the above issues are resolved or mitigated with a Zero Trust approach, so if you’re interested in what Zero Trust is and how it can elevate your business’s security and data protection, read this article explaining what Zero Trust is, as well as Microsoft’s Zero Trust Guidance Center, for more information.
If you have any questions on the above content or if you’re looking for someone to do all the above for you, please don’t hesitate to reach out to us.