The unique crisis we are battling has forced organizations globally to reassess their data protection strategies. We have seen supply chains disrupted, employees working from home in unprecedented numbers and analog systems forced online. The combination of these factors makes keeping track of sensitive data challenging.
If that wasn’t enough, we’re also weathering a storm of cyber-attacks, online fraud and phishing scams from criminals enticed by the public’s increased online presence and the shift to remote working. It’s clear that data management strategies have to evolve, and quickly.
Maintaining data security has historically been an issue for the IT department, which is tasked with enforcing a data management policy and responsible for communicating it across the business.
Just think, is every employee within your organization aware of the GDPR requirements and your data privacy policy? Even if the answer is yes, zero-day exploits, insider threats, and targeted phishing attacks can still happen, even if best practice is followed. So, how effectively are data management policies currently being communicated and enforced? Who is ultimately responsible for data security?
Where does your data go?
Data privacy regulations and the subsequent penalties have forced businesses to put data management at the top of the boardroom agenda. While this is an excellent step forward for many, there is a big difference between talking the talk and effectively implementing a data management and protection strategy.
One essential component of data management to consider is how IT equipment is handled at end-of-life, and whether there is an auditable data sanitization process in place to ensure no sensitive data is recoverable. However, even if an organization has an effective policy in place, it’s useless unless it is communicated effectively and understood by all employees.
Our research from February 2020 showed that although 96 percent of the senior enterprise leaders surveyed have a data sanitization policy in place, 31 percent have yet to communicate it across the business. It’s encouraging to see that so many enterprises understand the importance of a data sanitization policy.
However, the disparity between what is being implemented at management and IT level and what is actually being carried out by employees is a threat to data security. Given the current pandemic, with teams more dispersed than ever, not enough is being done to communicate data protection policies.
One for all and all for one
As we reach the second anniversary of GDPR, it is safe to say we are in the most challenging period for data protection since its implementation. Appointing a Data Protection Officer (DPO) is a requirement for some organizations under GDPR and a sound decision for any security-conscious organization.
Data security must be understood as a companywide objective – the consequences of a data leak or breach are likewise felt collectively. An organization’s data security policy and practices are not the responsibility of one individual. Considering the most common cause of a data breach is human error, anyone can be the weak link.
What a DPO can do is coordinate the data management policy and the data sanitization best practices across an organization. This information is often siloed to IT teams, and a DPO can help bridge that gap. While this is certainly helpful, the risk remains if data security is not understood collectively.
The key here is education: making sure you devote the appropriate time and resources to ensuring all employees understand how sensitive data should be handled. For example, since the coronavirus lockdown, has your company reiterated its data security policy to your newly remote workforce? This matters, as the same research found that a third of the enterprises surveyed (31 percent) felt flexible workers were the least likely to comply with data sanitization policies. It’s clear that constant communication and updates are essential, especially in times of crisis.
Closing the gap between policy and reality
So, for the 96 percent of enterprises that have a data management policy including data sanitization, what can be done to ensure this is communicated and implemented effectively? The best approach is to give a senior member of the compliance, data protection or information security team the responsibility to ensure the policy is understood and upheld.
Importantly, this will prevent operations-led organizations from taking shortcuts, such as choosing the quickest, most cost-effective methods of data sanitization, which might not be secure or compliant. At the same time, employee training should be baked into the data management policy. Business leaders should consider how the policy will be communicated across the company and reiterated at regular intervals.
While organizations are clearly making an effort when it comes to data management and following guidelines to remain compliant, more needs to be done to close the gap between policy and reality. Enterprises must reassess their existing policy, including the requirements for remote working, and communicate it effectively to all employees. For this to be achieved, data security must be management-led, and followed by everyone.