At a glance
Following the controversy in which political analytics firm Cambridge Analytica reportedly acquired data on an estimated 87 million Facebook users without their knowledge, data security is firmly back on the agenda.
Unlike previous high-profile data scandals, this wasn’t a breach – no systems were hacked. Instead, a University of Cambridge academic gained access to the information “in a legitimate way” but then passed it on to Cambridge Analytica, violating Facebook’s policies, according to Facebook.
However, the impact has been no less significant: Facebook’s share price fell after the scandal broke, and Cambridge Analytica announced its bankruptcy in May 2018. While the scale of the data involved won’t be as high for most businesses, the damage could still be very serious, particularly in professions where trust is an imperative.
As a result, many professionals and business owners will be – or should be – asking: how secure is my client data?
Mandatory breach notification
There’s another reason why businesses should have data security high on their agenda: compliance. Australia’s Notifiable Data Breaches (NDB) legislation came into force in February this year, and firms that do business in Europe may be affected by the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018.
Australia’s new NDB scheme makes it mandatory for certain organisations to disclose data breaches.
“Data breaches involving personal information that are likely to result in serious harm to any individual” must be reported to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected, according to the OAIC.
The NDB law applies to organisations with an annual turnover of more than A$3 million, as well as specific types of businesses such as those that trade in personal information. However, even where the law doesn’t apply, adopting best practice in data security will enable firms to detect and respond quickly to data breaches, minimising potential damage to the business and its clients.
Identifying sensitive data
Securing data isn’t easy, however. The first challenge is identifying the sensitive data your business has and where it’s located.
How many spreadsheets in your organisation contain sensitive business or customer data? If you don’t know, you’re certainly not alone – many firms are in the same boat.
Every spreadsheet is a potential source of a serious data breach if, for example, you lose a laptop containing the file or an employee sends that file to a third party, as happened in 2015 when a New Zealand Ministry of Health official accidentally emailed a spreadsheet containing medical information on 24,000 Kiwis.
How can you identify the sensitive data in your organisation? There’s no easy solution, although technology can help.
The Covata CipherPoint Data Discovery tool, for example, will search files across your business to find credit card numbers, patient information, personally identifiable information and custom data, such as intellectual property.
The growing use of cloud services can also make it difficult to locate sensitive data. As we discussed in INTHEBLACK’s February 2018 issue, cloud access security broker (CASB) software from the likes of Cisco and Skyhigh can help identify who’s using what cloud services across larger organisations.
As useful as these tools are, however, they are not the whole solution, merely enablers for a comprehensive data audit of every computer and device used by everyone in your organisation.
How to make your firm's data secure
Once you’ve located your firm’s sensitive data, you can make an informed decision about how to secure it – and that’s not easy when there are so many sources of potential breaches. As well as malware and other external threats, laptops and other devices can be lost or stolen. Emails, and particularly long email chains, are another common source of data leaks.
Again, technology can help. Antivirus software and firewalls are a good starting point, but many organisations are looking beyond traditional solutions. Endpoint Detection and Response (EDR) software from the likes of FireEye and Cybereason, for example, uses sophisticated techniques such as machine learning to monitor devices.
For larger organisations, a data loss prevention (DLP) solution from software providers such as Symantec and Trustwave offers tools and techniques that can inspect network data and traffic and help prevent sensitive information from leaving an organisation.
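To make concrete what a data discovery tool (as described under “Identifying sensitive data”) and a DLP content check (as described above) actually do, here is an added Python illustration; it is not code from the article or from Covata, Symantec, Trustwave or any other vendor it names. It scans a folder of exported spreadsheets (CSV and text files stand in for the spreadsheet formats a commercial tool would parse) for credit card numbers, confirming each candidate with the Luhn check so that invoice and serial numbers are not reported, and for email addresses; it then runs the same detector over an outbound message and its attachments and decides whether the message should be held. The file names, sample records and the hold-or-allow policy are constructed for the example.

```python
"""Minimal sensitive-data discovery plus an outbound (DLP-style) content check.

Illustrative code added to the article; not any vendor's product.
All file contents and messages below are constructed sample data.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit serial is not split up).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TEXT_EXT = {".csv", ".txt", ".log"}  # CSV exports stand in for spreadsheets here


@dataclass(frozen=True)
class Finding:
    kind: str       # e.g. "credit_card", "email", or a custom pattern name
    location: str   # file path, or "message" / "attachment:<name>"
    sample: str     # redacted value, safe to put in a report


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits in `number`; weeds out most false positives."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    parity = len(digits) % 2  # double every second digit counting from the right
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so the report itself is not a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str, location: str,
                   custom: Optional[Dict[str, "re.Pattern[str]"]] = None) -> List[Finding]:
    """Return findings for card numbers, emails and any custom patterns in `text`."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):
            findings.append(Finding("credit_card", location, redact(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", location, m.group()))
    for name, pattern in (custom or {}).items():  # e.g. project codenames, IP
        for m in pattern.finditer(text):
            findings.append(Finding(name, location, m.group()))
    return findings


def scan_directory(root: str,
                   custom: Optional[Dict[str, "re.Pattern[str]"]] = None) -> List[Finding]:
    """Discovery: walk `root` and inspect every text-like file."""
    results: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.extend(find_sensitive(fh.read(), path, custom))
    return results


def check_outbound(subject: str, body: str,
                   attachments: Dict[str, str]) -> Tuple[str, List[Finding]]:
    """DLP-style check: hold a message if a card number is about to leave.

    `attachments` maps attachment name to its extracted text. The policy
    (hold on any card number, allow otherwise) is a constructed example.
    """
    findings = find_sensitive(subject + "\n" + body, "message")
    for name, content in attachments.items():
        findings.extend(find_sensitive(content, f"attachment:{name}"))
    verdict = "hold" if any(f.kind == "credit_card" for f in findings) else "allow"
    return verdict, findings


def demo() -> List[Finding]:
    """Build two constructed files in a temp folder and run discovery over them."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "clients.csv"), "w", encoding="utf-8") as fh:
            fh.write("name,email,card\nA. Client,a.client@example.com,4111 1111 1111 1111\n")
        with open(os.path.join(tmp, "notes.txt"), "w", encoding="utf-8") as fh:
            # 16 digits that fail Luhn: looks like a card, is reported as nothing
            fh.write("Invoice 2018-00012345, serial 1234567890123456\n")
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f.kind, f.location, f.sample)
    print(check_outbound("Re: invoice", "Details attached.",
                         {"clients.csv": "card,4111 1111 1111 1111"})[0])
```

The Luhn step matters in practice: without it, every 13-to-19-digit invoice or serial number in your files would be flagged, and staff quickly learn to ignore a tool that cries wolf. The `custom` argument is where a firm adds its own patterns (client reference formats, project codenames), which is what the article means by discovering “custom data”.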
Choosing from the huge range of security solutions can be tough, but covering off the Australian Signals Directorate’s highly regarded Essential Eight cybersecurity strategies will go a long way towards protecting your organisation’s data. For micro businesses and sole traders, our guide to protecting privacy will also help keep you and your clients’ data safe.
Once again, however, technology is not the whole solution. As every cybersecurity expert will now advise, data security is no longer just an IT function. It should be an ongoing program of strategies, processes, policies and staff education across the organisation that minimises the risk of data leaks and breaches, and maximises its ability to respond rapidly to a breach.
Data: a question of trust
The Facebook-Cambridge Analytica scandal may or may not have a lasting impact on the social media giant, but as most businesses don’t have the size and market presence to absorb such a hit, it’s a good lesson on how not to use (or allow the use of) customer data. As for your own privacy, it’s worth checking your Facebook privacy settings, and the company has recently updated its settings to make this easier.
It’s tempting to get caught up with the power of data analytics as a business tool, forgetting much of that data may belong to people who trust your firm. And once lost, trust can be hard to win back.