Nick Hutson-Alvarez, Exertis Group Head of Cyber Security & Compliance, discusses some important factors to consider to keep data secure.
There are varying degrees of online security. At one end of the scale are very complex systems designed around industry standards, such as PCI DSS (Payment Card Industry Data Security Standard), to protect against credit card theft; at the other end is an individual running antivirus software to protect their device from malware and viruses.
As the world of technology rapidly changes with enriched websites and IoT, it becomes increasingly challenging for businesses to keep their personal and customer information secure on the web. Web/online security is important to prevent threat actors/hackers from accessing sensitive information. Without a functional security strategy, a business faces a higher risk of malware and data breaches. Even if a business decides to transfer the risk by using an established shopping platform with a WYSIWYG approach, this still requires privacy and security by design to be applied, i.e. a functional security strategy, as the data remains the responsibility of the business no matter where it is located.
Businesses take years to establish a reputation, but a single event can lose that standing. Due to global events, many businesses have been driven from a traditional B-to-B model to adapt their trading position to D-to-C by operating an online presence direct to consumers. This brings new challenges for a business, which must ensure that the data has appropriate security in place so that it meets regulatory requirements.
Data security is important for a business, as it is the core of sustaining and growing the business, whether it is a small takeaway, a fintech organisation or a large global company. However, with great power comes great responsibility: data regulations such as GDPR and CCPA can make or mar a business. The data gathered allows a business to take orders and control its stock levels, as well as to market to customers (with consent).
There are lots of considerations to take into account when looking at how to store and protect data. However, the fundamental starting point is to have privacy and security by design as the founding principle of all projects and implementations that use/store data – as this is now a legal requirement of GDPR (General Data Protection Regulation).
The core principles are: encrypt your data at rest and in transit; ensure the data is backed up with the appropriate RTO and RPO (recovery time objective and recovery point objective); make sure anti-malware and access controls are in place; and ensure an appropriate web application architecture is used.
All sections of the business need to be invested in upholding data privacy, with the core teams ensuring privacy and security are embedded in each project. The proliferation of IoT devices connecting to applications can cause security concerns. Scaling of data and understanding the labelling and flow of the data is key. Also, less is more: removing data when it is no longer required keeps the business compliant, and is a balance that always needs to be struck.
Security process automation protects data through computer-centric controls, but needs to be balanced against ROI. Centralising and normalising data improves detection by surfacing lower-level events that might otherwise have been missed. Lastly, AI-driven threat detection combined with global threat feeds can detect and block attacks and compromises of data.
In relation to online security, this is always a challenge. There needs to be a balance between ease of use for the customer/client and keeping their data secure. There are some basic things we can do, such as enforcing secure passwords with a minimum length and complexity and using a CAPTCHA to limit brute forcing, but for belt-and-braces, 2-Factor Authentication is the safer way to go. Clients/customers are becoming more accustomed to this technology as they use it with their online banking and other online applications such as Google accounts and Amazon. SSO can have some benefits, but the underlying concern is that if one account is compromised then the rest of the accounts can be compromised.
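The three controls in the paragraph above (password policy, brute-force limiting, a second factor) fit together in one login path. The following Python standard-library code is an added example, not code from the article or from Exertis: a password-policy check, a per-account failed-attempt throttle (the signal that would gate a CAPTCHA or lockout), and an RFC 6238 TOTP check as the second factor, chained so that every failure counts toward the throttle. The policy numbers (12-character minimum, 5 failures per 300 seconds, one time step of clock skew), the PBKDF2 round count and the demo user are assumptions; the base32 secret is the published RFC 6238 test key, not a real user's.

```python
"""Added example: password policy, failed-login throttling and TOTP second
factor chained into one login check. Standard library only; all policy
values are assumed for the example."""
import base64
import hashlib
import hmac
import os
import re
import struct

MIN_LENGTH = 12            # assumed policy value
PBKDF2_ROUNDS = 100_000    # assumed; tune to your hardware


def password_meets_policy(pw: str) -> bool:
    """Length first; then require at least three of four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class LoginThrottle:
    """Counts failed logins per account inside a sliding time window."""

    def __init__(self, max_failures: int = 5, window: int = 300):
        self.max_failures = max_failures
        self.window = window
        self._failures: dict[str, list[float]] = {}

    def is_blocked(self, user: str, now: float) -> bool:
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        self._failures[user] = recent          # drop expired failures
        return len(recent) >= self.max_failures

    def record_failure(self, user: str, now: float) -> None:
        self._failures.setdefault(user, []).append(now)

    def reset(self, user: str) -> None:
        self._failures.pop(user, None)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret_b32, int(timestamp) // step)


def verify_totp(secret_b32: str, code: str, timestamp: float,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- skew steps for clock drift, comparing
    in constant time so the comparison itself leaks nothing."""
    counter = int(timestamp) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-skew, skew + 1))


def register(store: dict, user: str, pw: str, totp_secret_b32: str) -> bool:
    """Enrol a user only if the chosen password meets policy."""
    if not password_meets_policy(pw):
        return False
    salt = os.urandom(16)
    store[user] = {"salt": salt, "hash": hash_password(pw, salt),
                   "totp": totp_secret_b32}
    return True


def login(store: dict, throttle: LoginThrottle, user: str, pw: str,
          code: str, now: float) -> str:
    """Throttle check, then password, then second factor.
    Every failure counts toward the throttle; a success clears it."""
    if throttle.is_blocked(user, now):
        return "throttled"
    rec = store.get(user)
    # Hash even for unknown users so response time does not reveal which
    # usernames exist; the zero placeholders can never match a real hash.
    salt = rec["salt"] if rec else b"\0" * 16
    expected = rec["hash"] if rec else b"\0" * 32
    if not hmac.compare_digest(hash_password(pw, salt), expected):
        throttle.record_failure(user, now)
        return "bad_credentials"
    if not verify_totp(rec["totp"], code, now):
        throttle.record_failure(user, now)
        return "bad_second_factor"
    throttle.reset(user)
    return "ok"


# Constructed demo data: RFC 6238 test key ("12345678901234567890") in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_STORE: dict = {}
register(DEMO_STORE, "alice", "Correct-Horse-9", DEMO_SECRET)
```

Two design points worth noting. The throttle is checked before any credential work, so a flood of attempts against one account costs the server nothing beyond a list lookup, and the same failure counter feeds both the password and the second-factor step, so an attacker who has the password cannot brute-force the six-digit code at leisure. In a real deployment the `LoginThrottle` state would live in a shared store rather than process memory, and a CAPTCHA challenge or lockout notification would hang off the `"throttled"` result.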
Read the latest edition of PCR’s monthly magazine below: