Importance of Data Risk Intelligence


In this week’s blog post, we’re sharing insights based on our latest interview with Glen Day, Founder & CEO of NVISIONx, the first data risk intelligence platform that fuses business data and cyber intelligence, empowering companies to gain complete control of their enterprise data and its risk.

Our topic for today is the importance of data risk intelligence and how organisations can be one step ahead of the risks and challenges of cybersecurity.

Actionable Tips to Prevent Cyber Attacks

Even companies with the best controls available in the market, or the best talent, can fall victim to cyber attacks if they struggle to be proactive rather than reactive. If you know your data well, it is easier to protect and control that data than to react. Building on technologies such as AI, a number of different solutions can make it easier for these companies to be data defenders rather than data firefighters.

When it comes to the cyber attack control spectrum, data security still needs more advanced capabilities. Huge efforts have been made around vulnerability management and threat management, but data protection controls, access management, data loss prevention, cloud access security broker (CASB) and insider threat controls need more improvement. When it comes to regulated data such as PCI or even privacy data, these technologies are somewhat aware of data attributes, such as whether a record contains an SSN, a driver’s licence or a medical record number.

However, when it comes to the more complex data sets, those are best defined by the business. The reason it is crucial to focus on data security is that data is the final objective of these hackers: when they break into your network, they go after your servers and applications because they want the data. If they take an organisation’s data, it’s effectively game over, as they’re able to monetize that data or harm the organisation’s brand. On this note, you need to look into these weak points, which controls may not be covering effectively, and take proactive measures.

Having an Effective Data Risk Intelligence Program

Data risk intelligence is essentially an evolution from data security. Unfortunately, the security controls typically come before understanding the data that those controls were meant to protect. When you look at it from a data risk intelligence perspective, data comes first, and then you take actions in a risk-managed manner. Understanding your data and assets is the initial step of data risk intelligence. Some data assets must be prioritised for elevated controls over all the other data you hold, to ensure you have a truly risk-based program.

To ensure that you have the best initial stage, start with your assets and then align cyber data solutions with them. This is similar to buying an alarm: you need to know what you’re buying the alarm for, so you know that that particular alarm is the best solution for what you are protecting. First you figure out where your data is, and then you identify which data is critical. You should be looking at vulnerability management profiles, activity logs and access control lists. This will allow you to have a more focused view and a lot fewer false controls and false alarms.

How to Organise Data Controls in Complex Organisations?

A lot of software solutions are focused primarily on the business data. The ability to connect to cloud repositories, network folders or databases in your data centre is becoming normal practice for many companies. Typically, there won’t be a struggle to connect to where the data sits on the business side, but when it comes to processing that data at a massive enterprise scale, for example for a Fortune 100 company, things start to differ. At this larger scale, when identifying the most sensitive data, you’re not limited to regulated data, because other aspects such as intellectual property, business strategies or communications matter a great deal.

On that note, looking into solution providers that do things differently is important. For example, they should be able to bring in the analytics of business data, including the sensitive data, and apply controls based on comparing them to your organisation’s policies, procedures and standards. This allows your organisation to proactively identify anomalies where you’re not aligned with your own program and to see risks before they get out of your control and result in a breach.

Data Purging is a Necessity for Organisations

A big problem that people are not fully aware of is that most companies are data hoarders; they’re retaining data that may not be useful anymore. Some of that data is extremely sensitive, including data on patients, customers or even employees whose records have expired. If you don’t purge this data in a way that respects records retention policies, as well as the value the data still holds, those assets become liabilities: you are required to protect them and are exposed to more risk than you need to be. As an example, a children’s hospital might be keeping data from decades ago on children who are now grown. At this point, the hospital isn’t really accessing this data or getting value from it, but it increases their compliance scope, risks and costs. Many organisations might not realise that maintaining enterprise storage is not cheap, and companies might be spending millions more than they need to because they aren’t removing the unnecessary data.

The newer laws coming from the EU around GDPR and recent changes in US law on consumer privacy rights also make data purging a necessity. When you’ve got a customer, patient or employee whose data you no longer have to hold for any regulatory or legal purpose, you have to purge this data in a timely manner. If not, there are considerable fines and penalties that can apply.

In concept, this again comes down to knowing your data and being in full control of it. Once you’re in full control, you see so many other data-driven functions start to improve and become more efficient and more reliable.

Takeaway Points

Companies should be looking at security from a cyber, privacy and compliance perspective, as well as from an overall data risk perspective. Because of that, the vast majority of the controls that companies invest in are complex, so they need to actually know how they work. Instead of focusing on the control itself, focus on the business intelligence that these controls require and provide, to give you better outcomes and reduce the risk.

Secondly, risk professionals and security professionals alike should be working in a collaborative way. There are a lot of silos that are putting companies at risk unnecessarily. With organisational silos in place, cyber professionals are struggling to communicate and collaborate well enough to see data risks in a uniform way. Once you start to break down those silos, you’ll see your expectations and objectives of risk reduction come to life.

Closing Words

For now, this sums up the key points of our interview. As the Global Risk Community team, we once again thank Glen Day for providing his insight on data risk intelligence.

More information about this topic is available in our original interview, which is accessible here.

#risk #privacy #cybersecurity #data #riskintelligence


Ece Karel - Community Manager - Global Risk Community
