Prevent Data Loss
Over the past two years, companies and individuals have relied on the Internet to continue running their operations or stay connected with loved ones. In fact, there were 64.2 zettabytes (ZB) of data created, captured, copied and consumed globally in 2020, up from 41ZB in 2019. According to Statista, data creation could grow to more than 180ZB by 2025.
While data is essential for organisations to create better customer experiences and make more informed decisions, they are constantly challenged to secure it. The surge in data introduces a host of cyber vulnerabilities–from data loss in breaches to the sheer numbers of cyber attacks. To top it off, threats have become more sophisticated with time, and hacker groups are already forming alliances to steal data in exchange for money.
That said, companies need to beef up their cybersecurity efforts to prevent further loss of data in the evolving digital landscape. This is where Data Loss Prevention comes in, and everyone within the organisation has a role to play in preventing hackers from stealing company data.
Smaller organisations often do not have the necessary tools to secure their sensitive data and shore up their defences against data breaches. Countries have recognised the threat data breaches pose; therefore, governments have taken action to safeguard data.
For instance, Singapore has the Personal Data Protection (Amendment) Act (PDPA), which took effect in February 2021. It is meant to strengthen regulations on the collection, use, and disclosure of personal data.
It tackles four areas: bolstering consumer trust through organisational accountability; ensuring effectiveness of enforcement; enhancing consumer autonomy; and supporting data use for innovation.
Furthermore, organisations must follow new sets of directives, like the Mandatory Data Breach Notification, which requires them to report breaches within 72 hours upon discovering the incident. Should companies fail to mitigate the breach, they may face penalties, amounting to 10% of the organisation’s annual turnover in Singapore or up to S$1 million, whichever is higher.
In Malaysia, the Personal Data Protection Act 2010 covers personal data and the regulation of personal data processing in commercial transactions. It pertains to information related directly or indirectly to a subject whose identity can be known from that data. However, any information processed for credit reporting purposes by a credit reporting agency is exempted. Simply put, the law aims to guard individuals’ data from being abused by those who have control over that data. This includes information such as names, addresses and contact details. Sensitive pieces of information such as a person’s physical or mental fitness, religious beliefs and political views are also included.
Meanwhile in Korea, the Personal Information Protection Act prescribes how personal data should be processed to protect the rights and interests of its citizens. It protects against the collection, unauthorised use, abuse and disclosure of personal data.
In Hong Kong, the Personal Data (Privacy) Ordinance, which applies to both private and public sectors, requires that personal data only be collected for a lawful purpose directly connected to the data user’s function or activity. It does not allow the use of personal data for any other purposes unrelated to the original purpose of collection, unless allowed by the owner.
But as measures have evolved to protect personal data, so have cyber criminals’ methods. Just last year, cybercrime had skyrocketed by 600% during the COVID-19 pandemic.
Cybercrime comes in many different forms, but they all target a computer, a network or a network-connected device. Often, the culprits’ goal is to make money. Some forms of cybercrime include:
- Email or internet fraud
- Identity fraud
- Theft of card payment data or corporate data
- Cyberextortion (such as ransomware attacks)
- Theft of cryptocurrency
- Cyberespionage
These potentially cause great damage, not just to companies, but to entire economies. Just last year, the United States White House issued a statement declaring that ransomware attackers had disrupted services, businesses, banks, government offices, hospitals and energy companies, among other industries. The global economic losses breached $400 million in ransom in 2020, and over $81 million in just the first quarter of 2021.
Cyber criminals have teamed up to take advantage of security weaknesses. US oil supplier Colonial Pipeline was targeted by Russian group DarkSide by providing Ransomware-as-a-Service (RaaS) to an unidentified criminal group to execute the attack.
JBS Foods, the National Basketball Association (NBA), Acer, AXA, Kaseya and Brenntag were also victims of ransomware attacks last year.
Cybercrime occurs more often than those instances illustrated above, and hackers have branched out in terms of ways to do so. The techniques have become more sophisticated, and many criminals have even teamed up to launch attacks.
Data classification
This refers to organising data into relevant categories for easier use and protection. Classification makes data easier to search and track as well as reduces storage and backup costs. For data security purposes, this process facilitates proper security responses depending on what type of data is being retrieved, transmitted or copied.
Data protection
This shields sensitive data from corruption, compromise or loss. More than that, it gives the organisation the ability to restore data to a functional state.
Data visibility
This helps businesses see what data they have, where it is located, who is authorised to access it, and what protection method is needed to remove risk. Without this, an organisation may use a solution that does not comply with security requirements, or even negatively impacts the business.
However, to successfully implement this, a company must undergo a broad mindset change. They must communicate and garner support from its stakeholders, as well as provide training and continuous guidance for employees. They must also identify reporting metrics and indicators of success with business leaders.
Employers or managers must value transparency in how they are using personal data within and outside of the organisation. Under Singapore’s PDPA, they must meet the following considerations:
- Accountability: Data protection policies, practices and complaints process must be made available upon request. To this end, they must assign a data protection officer and make business contact information readily accessible to the public. Employers must likewise initiate policies and foster a culture of responsibility through training and awareness programmes.
- Notification: Organisations must inform Individuals of the purposes for which their data is being collected, used and disclosed.
- Consent: Individuals must give their consent to the collection, use, and disclosure of their data. They must also be allowed to withdraw their consent and be informed of the consequences of withdrawal.
Managers must also heed obligations with regards to: purpose limitation, accuracy, protection, retention limitation, transfer limitation, access and correction, data breach notification and data portability of personal information.
An organisation’s security leaders must take on a holistic approach to their responsibilities. It transcends traditional IT, legal and security roles, and covers data privacy, security education and even opportunity within the organisation.
Data protection officers (DPO) help organisations comply with privacy provisions and best practices. They oversee the company’s data protection strategies and implementation. They serve as the link between the company and authorities that supervise data privacy-related activities.
DPOs must also educate leadership and employees on compliance with data privacy rules and regulations. This involves training the staff to follow these rules. They too have the job of determining what can be deemed personally identifiable information. But most of all, they have to ensure that the organisation is continuously updating their data protection.
Data loss is not only perpetrated by criminal organisations or ill-meaning entities. In some instances, employees are tricked by malware and spoofing. As a result, they send out sensitive information to a seemingly trusted party.
As such, employees need to undergo training regarding data security, upholding a culture based on security best practices. They must also avoid doing work on personal devices. Some of the ways to do this is to provide employees with a company device, or ask employees to choose a device on which to work and stick to it.
Today’s digital scene requires the cooperation of every department in the organisation for Data Loss Protection (DLP) to work. To successfully implement DLP, there needs to be a shift in the company's mindset.
To effectively implement DLP, stakeholders must be first identified and informed about why this needs to take place. Stakeholders influence the security policy and implementation of a company.
Every employee must be educated about policies and correspondent changes. This applies to new workers as well.
It’s important to communicate key performance indicators (KPI) with business leaders so they know what they should be looking at to determine the programme’s success. These metrics must demonstrate DLP’s positive effect and the value it brings to the business.
Ensign’s Data Loss Prevention Suite allows organisations to secure data in-use, data in-motion, and data at-rest across endpoint, network, storage and in the Cloud. It can help see and shield against serious data exposure or breaches.
The Data Loss Prevention Programme has four stages:
Preparation
This phase involves scoping out the hardware and software the organisation uses. Stakeholders must be identified to keep them abreast of the whole process. Existing DLP techniques are to be evaluated, and the environment should be tested to catch any issues early on.
Prioritisation
After establishing the information on hand, organisations must prioritise its protection. It is advisable to start out small and expand coverage when kinks in the process are ironed out. Knowing the most important things to protect can help your security leaders focus on what should be monitored and what can be left alone. To this end, this stage also tackles defining KPIs.
Communications
Communication with stakeholders and users must be consistent. Department points of contacts should be established to help them go through the requirements and obstacles that may arise. This also covers keeping key stakeholders informed through CISO and compliance, as well as training and education initiatives.
Understanding Data and Rules
The organisation’s privacy rules must be reviewed next. In this stage, data used by the company should also be identified. Here, implications of the chain of custody in collecting evidence in a DLP solution must be explained.
The programme is aligned to five functions of the NIST cybersecurity framework: Identify, Protect, Detect, Respond and Recover. This process ensures that the programme is continuously improving to address the evolving threat landscape.
The Ensign Data Loss Prevention Programme improves compliance to regulations, particularly that of PDPA and GDPR requirements. It enables protection of sensitive data like intellectual property, client personal details as well as company financial information. Finally, it lessens the risk of cyber breaches and financial penalties.
The DLP is a programme. Therefore, it needs unity among all members of the organisation for it to be effective. Ensign InfoSecurity can help companies implement this programme to shore up their cybersecurity while still growing the business.
Ensign Data Loss Prevention Programme Factsheet
Fortify your cyber defences today. Let's talk.
We provide bespoke cyber solutions that suit your needs.
