Data governance and privacy: better prepare for cyber attacks

The recent OAIC’s Notifiable Data Breaches report revealed that phishing and compromised or stolen credentials account for more than 50% of the cyber incidents reported.

In fact, many research studies in recent years have highlighted insider threats as the key reason for data breaches. The majority of them actually originated from employees or contractors and associates that have access to the corporate network.

Even OAIC has stressed the importance of having the relevant internal practices, from educating staff on how they should handle secure information to putting adequate procedures and systems in place.

Sensitive and private data is the lifeblood of business. The ease of access to particular data can be worrisome and devastating to an organisation’s state of business, if not managed well. Here I would like to share a few best practices on how organisations can operationalise data governance and privacy to help lower risk exposure as they speed up their digital transformation agenda.

Know your data

With the exponential growth of data and wide usage across many organisations today, it’s important that organisations have a clear visibility into all data sources — where they are located and how data proliferates. However, most companies today cannot accurately identify where all their sensitive data is located within the organisation and who has access to that data as such data continues to propagate. The lack of such visibility in turn increases an organisation’s risk to data breaches.

One way to mitigate such risk exposure is to automate the discovery and classification of sensitive and personal data across the organisation. By automation, organisations can avoid running into issues of getting inaccurate and out-of-date data, while eliminating time-consuming, associated manual tasks. At the same time, systems containing the sensitive data can be mapped to individual identities, all in support of privacy requests.

With proper data governance in place, organisations can continuously monitor and track data movement, user access and activities, thus protecting that data in high-risk areas. Any suspicious or unauthorised data can be monitored and an appropriate protection technique can be orchestrated to safeguard the data.

By understanding and classifying the types of data that exists in organisations, organisations can constantly track data risks and remediate data misuse and privacy violations, while remaining compliant to privacy policies and regulation requirements.

Protect your data

In a highly competitive marketplace, data no longer can be regarded as a commodity but a valuable asset that should be leveraged across enterprises for value creation. As organisations move to data democratisation across enterprise to open up data for use in creating new business value, the level of data security cannot be overlooked.

Organisations should prioritise the most critical data that are vulnerable to data misuse or breaches. Instead of relying on historical server access controls, firewalls or cybersecurity tools to protect data, organisations should look into data-centric controls including masking, identity-based controls and encryption.

To minimise risk of data exposure, data anonymisation is one technique that masks sensitive attributes to keep PII (personally identifiable information) such as contact information, health records or financial details private. As PII records are encrypted, the remaining data cannot be linked to an individual. In an event of data misuse or data breaches, individual privacy will not be compromised as any sensitive data that is linked to a particular individual cannot be read or accessed.

As such, it is important to ensure data discovery and classification processes are established, as an organisation grows and more sensitive data proliferates across the environment. Then the organisation would be able protect the sensitive data and keep up with stringent data privacy laws, while maintaining the flexibility required in the business environment, along with retaining context and referential integrity of the data the organisation has.

Futureproof your investment

As organisations fast-track their digital transformation to build resilience beyond the current pandemic, data will continue to grow in volume and variety across the enterprise. Many organisations may continue to struggle to identify, monitor and remediate data risks to protect their data, while trying to stay abreast with ever-changing and complex data privacy regulations.

To remain agile and responsive to constant market changes and regulatory requirements, consider adopting an intelligent data platform that allows you to start small and add capabilities over time as your needs change. Leveraging a modular, interoperable and scalable platform that is capable of governing data at any volume where it exists. Lean on artificial intelligence (AI) for automated, accelerated data discovery, cataloguing and reporting as well as metadata management that give you the competitive edge to harness the value of data at enterprise scale.

Once you have data privacy governance with AI at the centre of the implementation, common and repetitive tasks can be managed easily through automation and more accurate governance can be achieved in less time and with fewer errors. AI is invaluable for detecting outliers and anomalies in near real time for risk assessment, sensitive data management and comprehensive reporting for controls, and even for audit readiness and regulatory compliance efforts.

Ultimately, what organisations have is a scalable, repeatable and adaptable approach to protecting data privacy to reduce risk exposure and increase transparency for data use and reporting. They will gain clean, high-quality data that can be optimised for use in the next generation of innovation, while maintaining trust from key stakeholders including customers and regulators.

Image credit: ©stock.adobe.com/au/Sikov