Data privacy and security laws are very similar to traffic laws: they are only effective when adhered to and applied by all.
Various laws, regulations, and policies have been hot topics around the world for quite some time. Still, so many are of the mindset that 'it will never happen to us'. Until it happens to you.
Considering that it is estimated that cybercrime will cost the world $10.5 trillion annually by 2025, we need to act now by changing the behaviour of every technology user. The questions remain: will they be willing to adapt, and will they be willing to take ownership of their role in, and contribution towards, our collective data privacy and security?
Our last line of defense is you, and your attitude towards data privacy and security. More often than not, users will find ways to bypass privacy and security in exchange for productivity and efficiency rather than adopting and embracing these policies and procedures. A good example of this is using one password for both private and work environments. With most of us working in the cloud, this becomes a huge risk and a Grade R-level playground for data predators.
In the ISACA report Assessing the State of Cybersecurity in 2021 and Preparing for 2022 by Dustin Brewer, it is clear that cybercriminals have the upper hand and are working harder than before to bring about business disruption and ultimately business outage.
In the same report, information security professionals reported that the top five forms of cyberattacks experienced this year so far are social engineering (14%), advanced persistent threats (10%), ransomware (9%), unpatched systems (8%), and DDoS (8%).
In conjunction with the above, ISACA published the paper by Larry G. Wlosinski on Understanding the Information System Contingency Plan, which plays a major role in our overall data privacy and security strategy.
This brings me to my opening statement in the title of this article: Data privacy and security - whose responsibility is it?
The C-Suite, the custodians of business decision making, would typically refer trusted technology advisors, experts, and providers down the ranks to their ICT function, as it is still commonly believed that ICT infrastructure, security and data belong to the IT department, just as creditors and debtors belong to the finance department.
Truth be told, data and the related technology that turns data into actionable insight, accelerates innovation, and creates innovative product offerings are to the business what cash flow is to the bank balance. Since the turn of the 19th century, industrialisation, consumerism, consumption, and capitalism have put profit before safety and security. In the same way, for a long time, most of us have put using data to drive business results before securing data, not understanding that data has now become the most valuable asset of a company, for both the business and cybercriminals.
It is time for IT's own modernity, and it has been for a while. IT's seat at the boardroom table, as the custodians of data and data security, is more crucial now than ever before. Data is at the heart of the business strategy and, like any other critical business function, should be empowered by dedicated CAPEX and OPEX budgets that accelerate the value the business will deliver and drive growth, securely. Global trends suggest that as much as 60% should be put towards an expertly planned, designed, and refined ICT environment that is well protected and secured while enabling and empowering employees, partners, and other stakeholders to attain the company's core business goals and objectives in a timeous fashion.
The Art of War, written by Sun Tzu in 500 B.C., is the oldest known military dissertation in the world. The Art of War has remained relevant over the years because it is about strategy and tactics rather than specific warfare technology. It has influenced leaders all over the world, not only in warfare but in many areas of life, including business and, indeed, information security, which should likewise focus not on technology but on strategy and tactics.
This translates into the human element through training and awareness campaigns. In our ‘new normal’, we need to cater for an employee workforce that needs to use any device (such as notebooks, mobile devices, tablets, web browsers), to access any application (whether it be on the web, in the cloud, or on-premise in the corporate data center), from anywhere (in the office, at home, or on the go). This is complex, as we need to ensure maximum productivity. It also expands the attack surface tremendously, with organizational data being anywhere and everywhere, while inconsistent security policies and fragmented visibility result in an ever-evolving threat landscape.
But while employees can be a weak link in the chain, they are not the only route inside an organization. When it comes to cybersecurity breaches, the rule is always ‘when,’ not ‘if.’ When breaches occur, organisations should focus on the lessons they can learn and improvements they can make as a result. The root cause should be identified, and changes should be swiftly implemented to address this, with the lessons learned shared with all relevant staff, partners, vendors, and regulatory authorities.
How do we respond? In the words of Sun Tzu – “When we are weak, we must appear strong!” It comes down to laying plans. As a business, you need to consider the following: where and who your enemies are, your ability to counteract these bad actors, and the motivation of the attacker. Once you have a clear understanding of these things, make plans to "evade" the enemies.
You may lose a battle but never lose the war. The reality is that cybercriminals don’t care where you are from, or what industry you are…
So, in closing, in 2021, companies face several major cyber security challenges. However, this year also presents opportunities for significant security growth. 2020 demonstrated how businesses need to adapt to the modern world, and 2021 provides an opportunity to design and build security for the future.
When the C-Suite fully understands that data is no longer an enabling tool of the business but rather at the heart of the business's success, and in many cases the business itself, they will treat data privacy and security differently. With data moving away from being a commodity to being an extremely valuable business asset, we need to protect it, and we need to do so now.
Co-Author: PJ Kotze
Review Editor: Arno Delport