Often the hardest part about doing anything is just getting started. When I talk to our clients about issues like data protection they always agree that it is important and that they should be doing something about it. Sadly, data protection is also an area where a lot of confusion exists and where we see legacy processes creep in. I think it is fair to say that most people think of firewalls, antivirus and sharing permissions when they are asked how they are going to protect their data. But the way businesses operate and collaborate has moved on and left these legacy security approaches behind. Securing your data behind firewalls and user permissions is no longer enough to protect it from bad actors and breaches. So what can your business do to modernise its approach to data protection?
The evolution of modern work environments has meant that businesses now need to take a more proactive approach to not just how they secure their data but also how this data is being used and eventually disposed of. New Zealand’s Privacy Act 2020 has led to more organisations being held accountable for data breaches and mismanagement. The growing importance people are placing on their personal information and their privacy is also magnifying the negative impact businesses can face if they are caught mishandling or failing to adequately protect data. Ultimately though, your organisation should prioritise data protection and people’s privacy simply because it is the right thing to do.
The 2014 hack on Sony Pictures Entertainment saw a data breach that went much further than just impacting Sony’s finances as a result of intellectual property, like unreleased films and scripts, being leaked. Hackers also released confidential and personal information on Sony’s employees and their families which undoubtedly caused great personal harm. This type of data breach cannot be fixed. Once this information is out there, the damage is irreparable.
Businesses also need to be aware of, and prepared to protect themselves from, breaches that originate from within. Two recent examples come to mind. Orcon was ordered to pay $25,000 after being found in breach of the Privacy Act because their staff failed to comply with their obligations under the Act. And more recently, ACC stood down twelve staff after discovering that call centre staff were sharing personal details about people’s injuries in private messages.
This Microsoft article on data, compliance and governance provides a great summary of why and how data should be protected:
“Data is the lifeblood and intrinsic value of many organisations, even for those whose business primarily relies on material goods and services, instead of information, and that data needs protecting. That data needs to be:
- Protected from internal and external attackers who would profit from its content or the leveraging and extortion of its value (ransomware).
- Compliant with organization policies and governmental regulations.
- Governed over time to ensure its protection and compliance and for planned obsolescence.”
Microsoft goes on to describe four key areas that data governance should focus on:
Where should you start with data protection?
There are so many aspects to data protection, and even more acronyms! Understandably, many organisations don’t know where to start, and IT professionals can feel overwhelmed when they first look at data protection. To help, here are eight key focus areas:
- Multifactor Authentication (MFA) is growing increasingly important and a great place to start. User identity is becoming the new security boundary and MFA provides confidence that any request for information is coming from who it claims to be.
- A privacy audit will help you gain a clear picture of how your current privacy practices stack up against the Privacy Act 2020 and your obligations. Privacy audits will help your organisation create a roadmap to improve your privacy practices and do not have to be a costly exercise.
- Mapping out your data will help to identify all the types of information your business collects and processes. It’s incredibly difficult to protect data that you’re unaware exists within your business.
- Implementing Microsoft Information Protection (MIP) sensitivity labels will help protect information as it circulates in and outside of your network. They are incredibly easy to set up, often incur no costs and have little impact on your users. Check out this PowerShell code I wrote that will create a simple MIP sensitivity scheme for a Microsoft 365 tenancy.
- Data Loss Prevention (DLP) policies can prevent the accidental sharing and misuse of sensitive information and also assist with training your employees with built-in warnings explaining that what they are about to do could be potentially dangerous.
- Data retention policies can ensure your organisation is only keeping personal information for as long as required to reduce risk and even the cost associated with storing information.
- Keep all your systems and applications updated and subscribe to vulnerability alerts to stay ahead of potential threats. Microsoft 365 Defender can offer enterprise-grade security visibility and management capabilities for most small organisations. Businesses with larger or more complex infrastructure may need more comprehensive security intelligence and technology.
- Last but not least is training your staff. A data breach is more likely to originate from one of your employees making a mistake, like sharing something they shouldn’t have or incorrectly handling information.
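As an added illustration of the sensitivity-label focus area above (this is example code written for this page, not the author’s own script), the following PowerShell creates a simple three-tier MIP sensitivity scheme and publishes it to all users. It assumes the ExchangeOnlineManagement module, an account with rights to manage labels in Microsoft Purview, and the label names, tooltips and the placeholder domain contoso.example, all of which are constructed for the example.

```powershell
# Added example: a minimal Public / Internal / Confidential sensitivity scheme.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator account.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# Label names, tooltips and priorities are constructed for this example.
$scheme = @(
    @{ Name = 'Public';       Priority = 0; Tooltip = 'May be shared outside the organisation.' },
    @{ Name = 'Internal';     Priority = 1; Tooltip = 'For staff only. Do not send externally.' },
    @{ Name = 'Confidential'; Priority = 2; Tooltip = 'Sensitive. Encrypted and restricted to staff.' }
)

foreach ($label in $scheme) {
    # Idempotent: only create labels that do not already exist in the tenancy.
    if (-not (Get-Label -Identity $label.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $label.Name -DisplayName $label.Name `
                  -Tooltip $label.Tooltip -ContentType 'File, Email' | Out-Null
    }
    # Priority orders the labels from least to most sensitive.
    Set-Label -Identity $label.Name -Priority $label.Priority
}

# Confidential content is encrypted so it stays protected when it leaves the network.
# 'contoso.example' is a placeholder for the organisation's own domain.
Set-Label -Identity 'Confidential' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions 'contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'

# Publish all three labels to every user in the tenancy.
$policyName = 'Default sensitivity labels'
if (-not (Get-LabelPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-LabelPolicy -Name $policyName -Labels $scheme.Name -ExchangeLocation All | Out-Null
}

# Make 'Internal' the default label and require users to label new content.
$internalId = (Get-Label -Identity 'Internal').ImmutableId
Set-LabelPolicy -Identity $policyName -AdvancedSettings @{
    DefaultLabelId = $internalId
    Mandatory      = 'True'
}
```

Label publication to Office clients can take some time to propagate, so check the client label picker before rolling the policy out beyond a pilot group.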
If you’re thinking about document labelling, check out this article on What’s the Difference Between AIP and Retention Labels? and this one on Simple Sensitivity Label Design for the SMB to get started.
Many of the above issues are resolved or mitigated with a Zero Trust approach so if you’re interested in what Zero Trust is and how it can elevate your business’s security and data protection, read this article explaining what Zero Trust is as well as Microsoft’s Zero Trust Guidance Center for more information.
If you have any questions on the above content or if you’re looking for someone to do all the above for you, please don’t hesitate to reach out to us.