Experts are increasingly recognising that data protection and cyber-security must be integrated to be effective.
Specifically, focusing on IT security alone does not address data protection requirements. For example, a marketing employee working on a secure, encrypted system protected by two-factor authentication might still cause a data breach by accidentally sending subscribers’ personal details to an entire distribution list.
Likewise, data protection policies and procedures alone are not sufficient controls for cyber-resilience. For example, a data breach can be caused by an organisation storing or sending personal data without robust encryption measures.
Breaches of personal and non-personal data are on the rise, and according to the Verizon Data Breach Investigations Report (2019):
- 71% of cyberattacks are motivated by financial gain;
- Personal data were disclosed or accessed in >30% of breaches;
- Small businesses (43%), public sector entities (16%) and healthcare organisations (15%) were the most common types of victim.
The findings of this annual report (and its previous volumes) underscore that all organisations processing personal and non-personal data need to assess their vulnerability to and protect themselves from:
- Internal threats (e.g., employees, partners)
- External threats (e.g., hackers, criminal organisations, corporate espionage)
- Intentional intrusions (e.g., theft, unauthorised access)
- Accidental errors (e.g., loss, erasure)
Each of these threats can result in personal data breaches. Given these statistics, it is essential for all organisations to ensure adequate security measures for personal data as an organisational asset, to avoid liability or other negative financial impacts on their organisation and protect their customers’ data.
Common challenges
Our work in this area has already identified four common challenges in relation to effective cyber-security for data protection compliance.
- Effective technical security measures
While many organisations are aware of relevant technical security measures, it is difficult for them to keep pace with the rate of change in the threat landscape.
Many organisations invest in technical security measures as a one-off, or rely on third-party software tools, which means they have little control over the security measures implemented.
All technical security measures fail if they become outdated. As such, technical security measures should be regularly assessed through vulnerability scanning and penetration testing across the data life cycle.
- Effective policies, procedures and verification processes
Where organisations have put relevant, and even robust, policies in place, these can also fail to protect personal data if they are not being followed. For example, many organisations advise employees not to use personal devices for data access, transfer or storage. However, accessing emails, files and other communication services “on-the-go” is essential in many organisations, which can result in contravention of personal device policies.
Frequent training and assessments that verify that policy is being followed can mitigate these risks.
- Sufficient documentation
Organisations whose IT Departments are taking effective steps to ensure sufficient technical security measures often find that they have insufficient documentation to demonstrate these measures.
IT specialists are well versed in evaluating and implementing technical security measures, but are not habitually encouraged to document the decisions made, the measures implemented, and the verification timelines and processes.
Improving this documentation provides a better understanding of the organisation’s vulnerabilities and protection measures.
- Sufficient confidence in third parties’ data security measures
It is essential for organisations to broaden their view beyond their own internal processes. Where organisations have data-sharing agreements with third parties and/or engage third parties to supply software or other services, it is the responsibility of that organisation to verify the technical and organisational measures the third party uses for data security. In our experience, this is a major gap in data protection compliance which must be filled to protect organisations from liability.
Our approach
Trilateral’s Data Protection and Cyber-Risk services are specifically designed to tackle the interconnection between data protection requirements and data security requirements. Our team of data protection advisors and data protection technology advisors includes legal experts, technical specialists and compliance experts.
Our service combines organisational compliance support measures (e.g., Policy evaluation, DPIAs, Gap Analyses and Records of Processing Activities) alongside technical support measures such as our IT Security Review Service, Vulnerability Scanning and Penetration Testing.
Visit our services page or contact one of our advisors to ensure your organisation is effectively addressing its cyber-security challenges.