Risky business – why sensitive company information is under greater threat than before
Mistakes that cost companies millions of dollars come in all shapes and forms. For one well-known credit agency, it was an unpatched framework in one of its databases. The oversight cost the agency around $575 million when personal information belonging to almost 150 million people was lost.
It’s a cautionary tale that highlights just how damaging compromised data can be. And with remote work now the norm, it’s more important than ever for businesses to take heed.
For many companies across the Middle East and Africa (MEA), the early part of the year was spent focusing on the more immediate concerns surrounding business continuity. Priority number one was figuring out how the workforce would operate remotely without disruption.
But as 2020 unfolded, more insidious threats re-asserted themselves.
Though teams aren’t physically together for the time being, they are still collaborating on vital assets that contain sensitive data. Not only are they logging into enterprise environments and line-of-business applications, but also accessing, editing, and sharing sensitive data. While some of these activities might happen via a company-managed device, many professionals are working from their personal PCs or other shared devices.
Already companies are feeling the consequences. In a recent survey conducted by Microsoft, 73 percent of chief information security officers (CISOs) revealed their organisation had encountered leaks of sensitive data over the last 12 months.
Across the region, IT departments have been focused on managing the shift towards remote work and, in many cases, data management has taken a back seat. The result is that 75 percent of data stored by organisations in the UAE is still unclassified or obsolete.
One might say 2020 has created the perfect storm where regulatory compliance is concerned.
Businesses are rapidly increasing their risk of exposure
COVID-19 is having an extraordinary impact on the rate of digital transformation for businesses in all corners of the world. But for many organisations this has meant a race to roll out new technologies before the necessary checks and balances were in place. In a survey conducted by global law firm Baker McKenzie, over a third of businesses said their company was deploying new technology without thought of the potential regulatory risk.
Perhaps not surprisingly, the rapid pace of digitisation is greatly increasing the risk of exposure. Already 41 percent of those surveyed by the law firm say their organisation has been subjected to enforcement investigations because of new technology that was not correctly implemented.
Although this figure sits at just 26 percent in regions like Africa, that is likely only because regulations have yet to come into force in many of these markets, and the status quo across MEA is changing rapidly.
It was just earlier this year that the Dubai International Financial Centre (DIFC) Data Protection Law came into effect, bringing with it new regulations around the processing of personal data. The law is a boost for data protection legislation in the Gulf region, where Qatar already has in place its Privacy and Protection of Personal Data Law and Bahrain its data privacy law.
Further south, the Protection of Personal Information (POPI) Act comes into force in South Africa from July 2021. It prescribes how businesses should collect, handle and delete data, and failure to comply with these regulations could incur a fine of up to R10 million ($652 609.50) or up to 10 years in jail.
To make matters more complicated, compliance officers are dealing with these issues on reduced budgets, with 2020 seeing most businesses under increased pressure to reduce costs.
Leveraging tech to help enforce policies
The right tools and processes can go a long way to easing this burden.
Microsoft Information Protection, for example, helps businesses manage the increasing risks to data brought about by remote work. The platform understands and classifies a company’s data, keeps it protected, and prevents data loss across Microsoft 365 Apps, services, third-party SaaS applications, and more—on premises or in the cloud. This unified data loss prevention (DLP) approach provides simplicity, enabling businesses to set a DLP policy once and have it enforced across services, devices, and first- and third-party apps.
Endpoint DLP then builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping organisations protect sensitive information on endpoints. It’s built into Windows 10, the Microsoft 365 Apps, and Microsoft Edge—without the need to deploy additional software on the device, which eliminates friction and makes it far easier to have visibility into company data. For users, it ensures security, without compromising productivity.
A key function of Endpoint DLP is providing policy tips to help educate users when they are about to violate a policy. It’s also integrated with Microsoft Defender for Endpoint, which can help businesses prioritise incident response based on additional factors.
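To make the "classify once, enforce everywhere" idea concrete, here is an added example of how an endpoint DLP decision is made: content is scanned for sensitive information types, the counts are compared against policy thresholds, and the governed action is either blocked or allowed with a policy tip. This is illustrative code written for this article, not Microsoft Information Protection's implementation; the detectors (a card-number pattern with a Luhn check, an e-mail pattern), the policy names, the action names and the sample documents are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Sensitive-information detectors. The patterns and the Luhn check are
# constructed for this example; they stand in for the built-in sensitive
# information types a DLP product ships with.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: drops 16-digit numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count the sensitive-information matches found in a document."""
    counts: dict = {}
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            counts["credit_card"] = counts.get("credit_card", 0) + 1
    emails = EMAIL_RE.findall(text)
    if emails:
        counts["email"] = len(emails)
    return counts


@dataclass(frozen=True)
class DlpPolicy:
    name: str
    info_type: str
    min_count: int
    actions: frozenset      # endpoint actions this policy governs (constructed names)
    mode: str               # "block", or "warn" (show a policy tip, let the user proceed)


# Hypothetical policies: defined once, enforced for every governed action.
POLICIES = (
    DlpPolicy("Card data leaving the endpoint", "credit_card", 1,
              frozenset({"copy_to_usb", "upload_to_unallowed_cloud", "print"}), "block"),
    DlpPolicy("Bulk customer contacts", "email", 5,
              frozenset({"upload_to_unallowed_cloud"}), "warn"),
)


@dataclass
class Decision:
    allowed: bool
    matched: list = field(default_factory=list)   # names of policies that applied
    tips: list = field(default_factory=list)      # policy tips to show the user


def evaluate(text: str, action: str, policies=POLICIES) -> Decision:
    """Decide whether `action` on `text` is allowed and which policy tips to show."""
    counts = classify(text)
    decision = Decision(allowed=True)
    for p in policies:
        if action not in p.actions or counts.get(p.info_type, 0) < p.min_count:
            continue
        decision.matched.append(p.name)
        if p.mode == "block":
            decision.allowed = False
            decision.tips.append(
                f"Blocked by '{p.name}': this content contains {p.info_type} data.")
        else:
            decision.tips.append(
                f"Policy tip from '{p.name}': {counts[p.info_type]} contacts are about "
                f"to leave the organisation; consider an approved location instead.")
    return decision


# Constructed sample documents; 4111 1111 1111 1111 is a well-known Luhn-valid test value.
CARD_DOC = "Refund for order 5521. Card: 4111 1111 1111 1111, exp 09/26."
LOOKALIKE_DOC = "Ticket 1234 5678 9012 3456 is not a card number (fails Luhn)."
CONTACTS_DOC = " ".join(f"user{i}@example.com" for i in range(6))

if __name__ == "__main__":
    for doc, action in [(CARD_DOC, "copy_to_usb"), (CARD_DOC, "save_local"),
                        (LOOKALIKE_DOC, "copy_to_usb"),
                        (CONTACTS_DOC, "upload_to_unallowed_cloud")]:
        d = evaluate(doc, action)
        print(f"{action:26} -> {'allowed' if d.allowed else 'blocked':7} {d.tips}")
```

The checksum step matters in practice: without it, any 16-digit ticket or order number would trip the card-data policy and generate the false positives that make users tune DLP out. Note also that the same document is blocked when copied to removable media but allowed when saved locally, because the policy governs actions, not documents.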
Platforms like Conditional Access also help in securing access to cloud applications. Through an authentication process with sign-ins and security defaults, it helps companies enforce their organisational policies around access to information. Essentially, controls are applied on a contextual basis, blocking access when necessary, but also freeing access when needed.
When setting up their conditional access policies, businesses must strongly consider adopting multi-factor authentication (MFA). Because MFA asks users to provide multiple credentials to log onto the system, it helps prevent unauthorised users from gaining access to the network. For example, a policy might enforce MFA when a user logs in from a new device or location.
MFA is incredibly easy for IT teams to implement and can stop up to 99.9 percent of account compromise attacks. Another key benefit is that it allows IT teams to go beyond the use of passwords to implement any number of authentication steps – from fingerprints to iris scans and facial recognition to name a few. Not only are technologies like these much more difficult to exploit – it’s estimated that around 81 percent of hacking-related breaches are a result of weak or stolen passwords – but they also offer employees a far more seamless user experience.
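The two paragraphs above describe contextual access control in outline: policies that apply only when their conditions (who, which app, which device, where from, how risky) all hold, and that grant access, demand extra controls such as MFA, or block outright. The added example below is a small policy evaluator written for this article to show that combination logic end to end; it is not Conditional Access itself or any Microsoft code. Policy names, the trusted-country list, the group, app and device identifiers, and the sample sign-ins are all constructed. It follows the general rule that a block from any applicable policy wins, and otherwise the sign-in must satisfy the union of every applicable policy's required controls.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed "named locations": countries the organisation treats as trusted.
TRUSTED_COUNTRIES = frozenset({"AE", "ZA"})
RISK_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    device_id: str
    known_devices: frozenset    # devices this user has signed in from before
    device_compliant: bool
    country: str
    risk: str = "none"          # sign-in risk level as assessed upstream
    mfa_done: bool = False      # an MFA challenge was already satisfied


@dataclass(frozen=True)
class Policy:
    name: str
    grant: frozenset                     # {"block"} or required controls, e.g. {"mfa"}
    groups: Optional[frozenset] = None   # None: applies to all users
    apps: Optional[frozenset] = None     # None: applies to all cloud apps
    new_device_only: bool = False        # condition: device never seen for this user
    untrusted_location_only: bool = False
    min_risk: str = "none"               # condition: risk at or above this level


# Hypothetical policy set, constructed for the example.
POLICIES = (
    Policy("Block high-risk sign-ins", frozenset({"block"}), min_risk="high"),
    Policy("MFA from a new device", frozenset({"mfa"}), new_device_only=True),
    Policy("MFA outside trusted locations", frozenset({"mfa"}),
           untrusted_location_only=True),
    Policy("Finance app needs MFA and a compliant device",
           frozenset({"mfa", "compliant_device"}),
           groups=frozenset({"finance"}), apps=frozenset({"erp"})),
)


def applies(p: Policy, s: SignIn) -> bool:
    """A policy applies only when every one of its conditions holds."""
    if p.groups is not None and not (p.groups & s.groups):
        return False
    if p.apps is not None and s.app not in p.apps:
        return False
    if p.new_device_only and s.device_id in s.known_devices:
        return False
    if p.untrusted_location_only and s.country in TRUSTED_COUNTRIES:
        return False
    return RISK_LEVELS[s.risk] >= RISK_LEVELS[p.min_risk]


@dataclass(frozen=True)
class Decision:
    outcome: str            # "allow", "challenge" or "block"
    missing: frozenset      # controls still to satisfy when outcome is "challenge"
    policies: tuple         # names of the policies that applied


def evaluate(s: SignIn, policies=POLICIES) -> Decision:
    matched = tuple(p for p in policies if applies(p, s))
    names = tuple(p.name for p in matched)
    if any("block" in p.grant for p in matched):
        return Decision("block", frozenset(), names)     # any block wins
    required = frozenset().union(*(p.grant for p in matched))
    satisfied = set()
    if s.mfa_done:
        satisfied.add("mfa")
    if s.device_compliant:
        satisfied.add("compliant_device")
    missing = required - satisfied
    return Decision("challenge" if missing else "allow", missing, names)


# Constructed sample sign-ins.
SALES = SignIn("amira", frozenset({"sales"}), "mail", "laptop-1",
               frozenset({"laptop-1"}), True, "AE")
SALES_NEW_DEVICE = replace(SALES, device_id="phone-9")
SALES_NEW_DEVICE_MFA = replace(SALES_NEW_DEVICE, mfa_done=True)
SALES_ABROAD = replace(SALES, country="GB")
SALES_HIGH_RISK = replace(SALES, risk="high", mfa_done=True)
FINANCE_UNMANAGED = SignIn("bongani", frozenset({"finance"}), "erp", "laptop-2",
                           frozenset({"laptop-2"}), False, "ZA", mfa_done=True)

if __name__ == "__main__":
    for label, s in [("known device, trusted country", SALES),
                     ("new device", SALES_NEW_DEVICE),
                     ("new device, MFA done", SALES_NEW_DEVICE_MFA),
                     ("untrusted country", SALES_ABROAD),
                     ("finance on unmanaged device", FINANCE_UNMANAGED),
                     ("high risk", SALES_HIGH_RISK)]:
        d = evaluate(s)
        print(f"{label:30} -> {d.outcome:9} missing={set(d.missing)} via {d.policies}")
```

Two design points carry over to real deployments. First, a sign-in that already satisfied MFA is still blocked when its risk is high, because block is evaluated before any required control is credited. Second, the finance user on an unmanaged device is not helped by having completed MFA: the policy requires both controls, so the missing one is reported and the sign-in is held until the device is compliant.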
Tools like these will go a long way in helping organisations remain compliant. But technology alone is not enough. To overcome a growing list of compliance challenges, businesses must ensure safe practices permeate throughout their remote working behaviours and solutions. As is the nature of things in today’s work environment, it takes the best of both man and machine to succeed.