Businessman standing in conference interior with city view showing data protection in a security-first future

Data Protection in a Post-COVID World: How Organizations Can Prepare For a Security-First Future

While data protection and privacy have long been an ongoing concern, it has become impossible to ignore over the past year as the pandemic catapulted digital transformation among enterprises that needed to support remote work and collaboration. For enterprise employees, the pandemic also brought on decisions to leave expensive cities for more affordable areas. In response, many enterprises are now deciding to implement flexible, hybrid approaches to work that support both in-office and remote employees for the foreseeable future.

IT and security decision-makers need to prepare for an expanding digital world and consider how increasing cloud usage, consumer distrust, new legislation, and a permanently distributed workforce impacts the ways in which they do business. Here we explore how these trends are influencing data privacy, the reasons these factors are gaining ground and the ways organizations can begin to address them.

Increasing cloud usage creates expanded opportunities for hackers

As of 2020, approximately 50% of all corporate data is stored in the cloud, increasing 20% over the last five years. This continued shift to the cloud puts more pressure on CIOs and CSOs to understand the full scope of a transition to the platform, what type to consider (public, private, hybrid or multi) and security prioritization. It is also a sweeping and complex change for traditional security practitioners because protecting, detecting, and responding to security threats in the cloud is vastly different than traditional IT, on-premises and architecture models. This requires a substantial undertaking for IT professionals to learn an entirely new and expansive network. Consequently, this transition often leads to system misconfigurations and gaps in the security strategy around securing cloud assets. Adding further pressure to the security team, the cloud is also a very public forum where leaks, breaches and attacks are seen in real-time.

Although cloud adoption is now a mainstream option, the global cloud computing market is still expected to double between 2020 and 2025. Operating in the cloud will become an increasingly essential element for enterprises in a hybrid work model, making it even more important to robustly defend operating systems.

To ensure that a cloud network is properly configured and secured, security leaders and analysts need to regularly monitor services to ensure that data is not exposed or vulnerable. It is further important to note that monitoring needs to be inclusive of both operational and security monitoring because security breaches could be an operational misconfiguration or an actual attacker doing something to the system.  This process has become increasingly critical as enterprises have widely adopted collaboration technologies like Zoom, Webex, Microsoft Teams and SharePoint. Baselining network traffic also helps detect exfiltration; especially as remote work has given hackers more accessible points to exploit networks. Further, ensuring that you are collecting and monitoring from active directory, endpoint security, virtual private network (VPN), multi-factor authentication, SSO and email will cover the principal areas where sensitive information can be accessed or leaked.

Growing distrust among consumers means enterprises need a proactive security approach

While many internet users do not rigorously vet data privacy protocols — only one-in-five consumers regularly read a company’s privacy policy before agreeing to it — they are acutely skeptical of how organizations handle data and protect it. In fact, 79% of Americans are concerned about how their data is being used by companies.

Data breaches are already known to be expensive events to recover from, with an average price tag of $8.64 million. That does not take into consideration the impact of losing customer trust and loyalty as the result of a breach. Taking measures to actively protect consumer data is the first step towards rebuilding customer rapport and re-establishing trust that has been damaged by the countless reports of breaches and data loss seen in the news.

To start, organizations need to make certain they are compliant with all relevant industry regulations and show consumers they are adhering to privacy rules to ensure corporate interests, employees and customers are protected.

Communicating with customers is a critical, commonly forgotten next step that can have significant impact. Oftentimes, the technical assessment and resolution efforts occur immediately while communication about the incident to customers is an afterthought. Proactively sharing the appropriate details of the incident, the next steps customers need to take, and the ways in which the organization will prevent incidents like this in the future is equally as important as solving the incident in the first place.

Upcoming legislative measures will put a stronger emphasis on privacy protection

Changes on the horizon in legislative privacy policy will create more challenges for organizations that lag. The European Union’s GDPR set a new precedent for how governments protect their citizens’ privacy, especially in the United States, which lacks a similar data protection law.

Because of this, several states took matters into their own hands, enacting statutes to protect consumers rights over their personal information. Most notably, the California Consumer Privacy Act (CCPA) requires that businesses operating within state borders provide California residents with the right to access, know and opt-out of personal data collection as of 2020. And more recently in March 2021, Virginia signed the Consumer Data Protection Act to allow residents to view, correct, delete or opt out of data that companies have collected about them.

These new regulations are setting new security standards. Organizations may find it difficult to keep up because adherence in one state may not constitute adherence in another. If states continue to create their own unique privacy laws, companies might have to ensure compliance with 50 different sets of regulations, forcing a need for a discussion at the federal level around a nation-wide privacy act.

In the meantime, enterprises need to familiarize themselves with current state data security laws and future proposals. The National Conference of State Legislatures provides a helpful state-by-state overview that outlines current laws and regulations. Existing consumer privacy laws are often an indicator of what is to come.

Expanding digital world requires consideration of increasing #cloud usage, consumer distrust, new legislation, and a permanently distributed workforce. #cybersecurity #respectdataClick to Tweet

Prioritizing preparations for a security-first future

Given the heightened occurrence of cyberattacks and focus on data protection, enterprises need to make sure platforms are structured to fit future work environments. This must be top of mind when investing in security platforms, threat detections, trainings and maintenance to help prevent major breaches and hacks. By prioritizing security infrastructure, organizations will be better equipped to accommodate future digital transformations and policy shifts, as well as to rebuild consumer trust. Creating a security-first future means organization are in the best structural position possible for whatever the future may hold.

 

CSO and VP of Labs at LogRhythm