Rating your organization for data security means looking out, as well as in

During the last few years, many publications have addressed the topic of GDPR and its effect on businesses. To a certain extent we seem to have reached “peak GDPR”, the point at which any mention of the legislation provokes a certain ennui.

There remain, however, some details of this most far-reaching raft of legislation that many businesses have yet to take fully on board. They lie in the area of data management and, by extension, risk management, and they are being neglected even by many large enterprises.

Measuring and quantifying your cyber risk in terms of data security is a highly complex affair, and the factors that feed into it change daily.

Attackers are using increasingly sophisticated code and methods sourced from the dark web, where hacking as a service (HaaS) is, effectively, readily available. The focus of attacks appears to have shifted away from perimeter incursion towards personalized attacks on individuals; these typically begin with phishing communications that lead to malware infection or to the theft of online credentials.

While most companies operating globally are affected by GDPR, even the few that aren’t will soon be under legislative oversight of some description: the California Consumer Privacy Act (CCPA), for example, is probably the herald of similar laws coming soon to a territory near you. The threat of fines under GDPR is one issue that companies clearly wish to avoid, but there is also fallout in terms of PR damage to a company’s image, loss of valuable intellectual property and, on a personal level, staff up to the most senior level potentially losing their positions.

Like any other business metric, the measurement of data protection therefore belongs in the larger picture of oversight that every company must maintain over its own affairs. Companies have been building security programs for years, but putting empirical figures against the effectiveness of data protection is now necessary: how else can a company show that the steps it is taking are improving matters and lowering risk?

If we return to GDPR, we need to consider the role of the data controller. Under the legislation the controller is the organization that decides why and how personal data is processed, and it remains accountable for that data wherever it sits across the business’s reach. Because businesses work digitally with suppliers, vendors and outsourcing partners, the controller is effectively answerable for the data hygiene practices of the other companies that process data on its behalf. Significantly, that responsibility often extends from those third parties to so-called fourth parties: the sub-processors and suppliers of your digital suppliers, if you will. A company with a complex digital supply chain may have many thousands of third-party relationships alone, each of which represents at least the possibility of a data breach.

The significant cost of compliance, data protection and oversight therefore threatens to be as overwhelming as the changing complexity of the security landscape. Fortunately there are software platforms that provide the necessary oversight across every business function, from finance to operations, logistics and so on, and also along the data “trails” that companies operating today create with their partners.

Managing this scenario without such a platform would be complicated and costly, but the absence of the framework that such a platform delivers will not be accepted as a mitigating factor by any regulator baring its teeth.

The platform we’re featuring in this article, BitSight, addresses the need for an aggregated cyber risk management framework. Proper implementation also brings positives beyond regulatory alignment. As part of a broader data protection policy, the security ratings platform provides the metrics necessary for effective oversight up to and including board level. Like any business data, results need to be measured within a standardized framework so that comparisons can be made, goals set and KPIs achieved.

Those same metrics also serve as comparators: against the competition, as actuarial data for insurance purposes, and when considering a change in a business partnership, a merger, or the selection of a new digital supplier, for example.

Data controllers in any organization suddenly must be transparent: legislation demands it. That is not an easy attitude to adopt, and it may not come naturally, especially for professionals who have spent their careers in cybersecurity and data management. Similarly, quizzing potential outsourcing contractors about their data practices may go against the grain. The BitSight platform, however, makes assessing the data hygiene of new and existing third parties (including their choice of cloud and email providers, for example) a standardized part of the process of doing business. A security rating of this kind is derived from externally observable signals, so it complements rather than replaces contractual due diligence and questionnaires; combined with a process for managing security performance, it means that companies protect themselves better and satisfy local legislators.

There’s plenty more to learn about BitSight’s offerings and how best to manage the changing face of data responsibility, safety and benchmarking.