
More and more sensitive information in the cloud - how to best protect it

Organisations around the world continue to put more and more of their information in the cloud. This is fundamentally a good thing, as the cloud is almost always more secure than the local office or enterprise data centre. Unfortunately, security does not always keep pace with the growth of data in the cloud. For example, not everyone encrypts data ‘at rest’, has full visibility into what data is actually in their cloud applications, or uses data loss prevention (DLP) features to protect against various types of data loss. In addition, many companies allow access to company-approved cloud services from personal devices, which can lead to the downloading of sensitive information from the cloud to an uncontrolled personal device.


For anyone handling sensitive information - not least personal and customer data - it's vital that everything is set up correctly, that you have the right security procedures in place (and that they are followed) and full visibility of where and how data is stored and protected.


Your cloud services may be in breach of the GDPR

The regulatory framework for handling personal data has been in place for a few years, and so far the major US cloud service providers have relied on the so-called Privacy Shield agreement. However, since the European Court of Justice invalidated the Privacy Shield, it is no longer permissible to rely solely on this agreement to demonstrate EU compatibility. Instead, it is now up to each individual organisation to assess whether sufficient protection is in place to ensure compliance with the requirements of the GDPR.


Encryption of data can be such a protection for the organisation, but it is important to note that the burden of proof is on the individual business here. In other words, it is the individual organisation that must be able to guarantee that no external organisation (such as the US NSA) has cracked the current encryption levels, a guarantee that is extremely difficult, if not impossible, for individual organisations to provide.


All in all, we have a situation where there is an increased risk of sensitive data falling into the wrong hands - something that can ultimately also have a financial impact on the companies handling the data.


Here are some key things that anyone handling personal data (such as customer data) needs to ensure and consider.


5 tips on how to protect sensitive data

Gaining visibility into the cloud and protecting sensitive data is not as difficult as it may seem. But it is, of course, about knowing where to start and what to focus on. And it's about technical solutions, policies and procedures, and raising awareness among all employees.


1. Choose a cloud service that ensures regulatory compliance.

Get a good understanding of the data protection laws that apply in the country where your data will be stored, such as the GDPR in the EU, as well as whether there are other laws that risk trumping national laws, such as the US CLOUD Act. Remember that it is the domicile of the cloud provider that determines the regulatory framework to which data and applications are subject, not the geographical location of the data centre.


2. Encryption is a must.

When moving to the cloud, or changing clouds, you need to ensure that your platform and cloud solutions offer the ability to encrypt data - both when data is stored in the cloud and when data is transferred or shared with business partners. Also, stay up to date on encryption - encryption technologies and processes evolve very quickly. Organisations that have not reviewed and, where necessary, updated their encryption practices are often vulnerable to attack.
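Encryption of stored data only protects the organisation (see the burden-of-proof point above) if the provider never holds the key. The added example below, which is not from the original article, shows client-side AES-GCM encryption of a customer record before upload, with the key kept by the organisation and the object name bound in as authenticated data, so that a blob modified or renamed in storage is rejected on download. The random demo key and the object name are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a key that never leaves the organisation.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // errors unless key is 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before upload, prepending a fresh random nonce.
// aad (e.g. the object name) is authenticated but not encrypted, so a blob
// cannot be swapped under another name without detection.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand; a repeated nonce would break GCM
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a blob; any change to ciphertext, tag or aad makes gcm.Open fail.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n+gcm.Overhead() {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from the KMS/HSM
	rand.Read(key)
	blob, _ := Seal(key, []byte("constructed: Anna S., +46 ..."), []byte("customers/1.json"))
	pt, err := Open(key, blob, []byte("customers/1.json"))
	fmt.Println(string(pt), err) // the record comes back only with the right key and name
}
```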


3. Control, control, control.

Create a device control strategy to identify and control the use of all devices that can store or download data. Not only does this reduce the risk of bad things getting into your network - it can also help prevent sensitive information from being leaked, accidentally or deliberately. Use application control to keep track of and limit unnecessary or risky software.

Also consider restricting access to customer information - not everyone in an organisation needs to be able to see customers' personal information. The fewer people with a real need for access, the fewer opportunities there are for attackers to find a weak spot and steal data.

It might also be a good idea to separate your networks. Today's cybercriminals want to access more than just a user's password and a few files - they want access to your back-end databases, your PoS network and your test network. Therefore, consider separating your networks with powerful firewalls that treat your internal departments as potentially hostile to each other, rather than having one big ‘inside’ barrier to the dreaded ‘outside’.

4. Don't forget the basic security features.

There are a number of things that you should always have in your security toolbox - whether we're talking about protecting personal data in the cloud or elsewhere. For example, make sure you have effective endpoint, network and email protection that filters out most spam, malware and files. Teach your employees to be suspicious of emails, especially those containing attachments, and to always report any unusual emails or attachments to the IT department. Unfortunately, too many company employees still accidentally download malware by clicking on links or attachments in emails.

In addition, you should of course have rigorous password practices: do not allow pet names, birthdays or favourite teams as passwords for logging in to cloud platforms where sensitive data is stored. If offered, always implement multi-factor authentication - in fact, many have started talking about ditching passwords altogether in favour of biometric solutions, for example.

So-called ‘shadow IT’ is a situation that arises when employees use countless cloud services without your knowledge. Try to get an overview of which services are actually used in your organisation and how they are used. Inform your employees of the highly inappropriate nature of moving sensitive company data to a private Dropbox or similar. While it may be ‘easier’ in the moment, it can greatly increase the risks of the information getting into the wrong hands (especially if the password to the Dropbox account is weak or has never been changed).
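One way to get the overview of services actually in use is to aggregate outbound proxy logs per destination and list everything not on the sanctioned list. The added example below is not from the original article; the log lines, the field layout and the approved-service list are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed proxy log lines (timestamp, user, destination host, bytes sent).
const sampleLog = `2024-05-02T09:12:01Z anna sharepoint.example-corp.com 1200
2024-05-02T09:13:44Z anna dropbox.com 48211233
2024-05-02T09:15:02Z bjorn wetransfer.com 2140000
2024-05-02T10:01:09Z carl dropbox.com 3900
2024-05-02T11:22:47Z carl unknown-notes.app 120`

// approved lists the cloud services the organisation has vetted (assumed).
var approved = map[string]bool{"sharepoint.example-corp.com": true}

// Usage records which users reach an unsanctioned host and how much they send.
type Usage struct {
	Users     map[string]bool
	BytesSent int64
}

// Inventory aggregates proxy traffic per destination host and keeps only the
// hosts that are not on the approved list: the organisation's shadow IT view.
func Inventory(log string) map[string]*Usage {
	byHost := map[string]*Usage{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || approved[f[2]] {
			continue // malformed line or sanctioned service
		}
		var n int64
		fmt.Sscan(f[3], &n) // bytes column; non-numeric stays 0
		u, ok := byHost[f[2]]
		if !ok {
			u = &Usage{Users: map[string]bool{}}
			byHost[f[2]] = u
		}
		u.Users[f[1]] = true
		u.BytesSent += n
	}
	return byHost
}

func main() {
	for host, u := range Inventory(sampleLog) {
		fmt.Printf("%-22s users=%d bytes_out=%d\n", host, len(u.Users), u.BytesSent)
	}
}
```

Large upload volumes to unsanctioned file-sharing hosts are the lines worth following up first.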

Patching quickly and continuously is another very important part of your security efforts. Known but unpatched security holes are one of the most common attack vectors that criminals exploit. Unfortunately, despite this, patching is often neglected and given low priority. Therefore, consider purchasing tools or services that take care of patching for you. This way you can ensure that your operating system and applications are always updated with the latest security patches.

5. Only save what is absolutely necessary.

Collecting unnecessary customer data not only wastes energy and resources, but also provides a larger vault for attackers to target. It can also easily make customers worry and wonder why you need to collect so much information in the first place. So only collect and store what you really need for business purposes. You can also take it a step further and offer customers the opportunity to choose whether or not to share personal information with you.

Instead of always trying to extract as much of your customers' data as possible (many companies still automatically sign customers up for mailings right after a deal), consider destroying all data once your company has finished communicating with them and no longer uses it. That kind of security mindset builds customer trust in your privacy efforts.


In conclusion - make customer privacy everyone's priority

Protecting personal data is everyone's business. Customer security is far too critical to be handled by a select few. Once you have comprehensive security procedures and policies in place, make sure that everyone in your organisation understands them and - above all - follows them. For example, you should put extra emphasis on ensuring that your employees understand the potential risks of using their own devices or networks outside the office.
