Despite heavy increases in fines and reputational damage, even well-funded organizations are still falling victim to data breaches. What gives?
Despite tightened regulatory frameworks on cybersecurity and data privacy, huge and high-profile data breaches have continued to occur.
While this is a sign that the cyber crooks (especially state-sponsored threat actors) are progressing way beyond the rate of improvement in global cyber vigilance, skeptics are claiming that organizations are simply not treating data privacy as a fundamental business priority.
Why is this so, are their excuses legitimate, and what else can be done to prod organizations into not just complying with regulations but actually aspiring to be proactive and preemptive in the handling of personal data?
Daniel Tan, Head of Solution Engineering (Japan, Korea, Southeast Asia, Taiwan, and Hong Kong), Commvault, offered some industry insights in an email interview with Cybersecasia.net
CybersecAsia: Why is data privacy still not a fundamental priority in many organizations? Will heavier regulatory penalties be enough to cause firms to prioritize cybersecurity?
Daniel Tan (DT): There are several reasons.
- For one, firms remain unaware of the importance of data privacy and the vicious impact of breaches, which takes months or even years before an organization can recover. This not only encompasses the effects on productivity and reputation, but also the possibility of bad actors stealing data, leaving them vulnerable to ransomware attacks – a menace with no assurance of data retrieval, even if the ransom is paid.
- Insufficient resources are also a growing concern, with some organizations lacking the finances and the skills to ensure data privacy. Across Asia, firms are facing a shortage of workers that can fill the growing number of tech roles. This shortage can exacerbate the lack of investment in data privacy measures and a reliance on outdated or ineffective technologies.
- A lesser-known reason may be that organizations can find themselves in an acute need of new data protection capabilities but are in lack of the vision to anticipate innovations and changing business needs while incorporating them into their solutions. This means that they may make too many mistakes trying to catch up or be left behind. They then either give up on addressing that need, or search for bolt-on functionalities from third parties.
As such, while regulatory penalties can be a motivating factor for organizations to prioritize cybersecurity, it is not sufficient. Organizations will need to take a proactive approach to cybersecurity and implement robust security measures and cultivate a culture of cybersecurity awareness, such as continual training on data privacy protection best practices, and how to respond to data breaches.
CybersecAsia: Numerous data encryption and protection solutions are already available. Are the large scale breaches still occurring in organizations because they did not proactively try to stop hackings? Or are the solutions they employed insufficient or underutilized/misconfigured in any way?
DT: In our region, Singapore is ranked sixth for having the most number of databases exposed, with organizations suffering up to S$1.34million in damages due to data breaches. Malaysians have also been hit with data breaches involving different institutions and organizations — with consequences leading to millions of people’s personal information being exposed and sold online.
Some organizations have definitely proactively stepped up on their cybersecurity measures. However, the effectiveness of these solutions could have depended on how well the processes were implemented, how they were being integrated, and the cyber hygiene of those that had access to the organization’s systems.
Many large-scale breaches, for instance, have occurred because of human error and the failure to implement adequate security measures — for example, weak passwords, unpatched systems, and the lack of employee training on cybersecurity measures.
CybersecAsia: In managing data sovereignty and governance, what can organizations improve on, to reduce business/cost challenges while complying with regulatory guidelines?
DT: Organizations can improve data sovereignty and governance while reducing costs through a strategic and comprehensive data audit, in which they understand the types of data they possess, and then implement tailored security measures based on the sensitivity of the data.
To ensure that the data is protected from unauthorized access, misuse, and theft, organizations need to implement strong access controls, encryption, and any other security measures, and protocols. And since there is no fool-proof data security strategy, it is important for each security plan to be regularly updated and evaluated to reduce the risk of a breach.
Organizations can also work with third-party service providers to manage their data, and ensure that the latest security practices are implemented. These experienced providers will be able to provide their expertise in data management and compliance, which can help to reduce costs associated with in-house data management. For instance, an internet service provider based in Beijing had turned to third party consultants to help them meet regulatory requirements for GDPR legislation and China’s Cyber Security Law, and also to reduce complexity and cost of data protection across multiple cloud environments and streamline its disparate and complicated IT infrastructure. With the specialized guidance, the firm was able to streamline backup and recovery processes via a centralized management platform and increase utilization of cloud-based services, with 100% of the channel applications of their parent company now being accessed via the cloud.
CybersecAsia: With quantum cyber risks looming, what can organizations that are lagging in cybersecurity resilience and compliance do to plug the gap before reputational and trust problems cause major problems?
DT: Organizations that are lagging in cybersecurity resilience and compliance need to act immediately to protect themselves from quantum cyber risks.
Before cybersecurity resilience and compliance problems snowball into major reputational and trust issues, organizations need to assess their cybersecurity risks to comprehensively identify vulnerabilities in their systems and applications. This will give a bird’s eye view of how to prioritize their resources for better resilience. They must then develop a cybersecurity strategy that includes policies, standard protocols, and technologies that can help them mitigate cyber risks.
As quantum cyber risks are ever-evolving and may impact various organizations’ systems differently, we must identify all the systems that utilize traditional cryptography and upgrade them to become quantum-resistant. This, in addition to the ongoing need for cyber hygiene training for employees to stamp out human error risks from within, would enable organizations to break free from the never-ending war with cybercriminals, and to adopt a truly a proactive approach in formulating their security strategy.
CybersecAsia thanks Daniel Tan for his insights on data privacy trends.