Overconfidence and Under Education – Can Enterprises Ever be Secure?

From data breaches to malware and phishing scams, security threats are a way of life for senior security experts around the world. Gone are the days when all you had to protect were your employees’ desktops: today there is a well-founded, universal fear that cyber-criminals could be lurking on your network to get their hands on the real prize… your data.

Misplaced confidence

Despite the increasing number of data related security incidents, there are still discrepancies in how IT and security professionals perceive cybersecurity. While few fear an imminent attack, the majority display unrealistic confidence in their risk mitigation strategy. Now they need to question how far this strategy goes.

GDPR lit a fire under many security and IT executives, who realized that insufficient practices would not only be identified as such but could now result in crippling fines. Many waited until the last minute to react, and it seems that many are still reacting; yet some fundamental security practices are still being overlooked.

Staying ahead of regulation is the solution. This involves a reconsideration of whether your confidence in your organization’s security is well-founded. An essential part of this is reviewing your data management processes and awareness of where and how sensitive data is being handled internally.

Do you have an auditable trail for every IT asset that may contain sensitive data across the whole organization? Do you have a comprehensive retention strategy where old or redundant IT assets are sanitized appropriately? Both are key to any enterprise managing sensitive data – which today is almost everyone.

Keeping up with data

Security professionals must get data management right, as a single mistake is all it takes to permanently affect brand equity. It’s arguable that the fallout of data breaches and fines pale in comparison to the lasting effect on the trust of customers, partners and shareholders alike.

Data management is an increasingly important and complex task. Not only have volumes of data risen, but the types and frequency of data are varied. This has made it difficult for any enterprise to have complete confidence in their data management, especially if their policy has not been revised recently.

One overlooked aspect of data management is the handling of redundant, obsolete or trivial data, often found on end-of-life IT assets. These assets are often stockpiled by enterprises, not only causing security concerns but costing some hundreds of thousands of pounds a year to maintain.

Last year, a research study found that 96% of the world’s largest enterprises have a data sanitization policy in place; however, a worrying number of enterprise leaders also reported using inappropriate data sanitization methods on end-of-life IT equipment that they believed to be secure.

Misplaced confidence in data sanitization methods is common, and it exposes enterprises to unnecessary risk. The research found that one third of enterprises use what they believe to be the most secure and auditable methods of data sanitization to remove data at end-of-life.

Upon closer inspection, these methods set alarm bells ringing. Enterprises are relying on data wiping methods such as formatting and freeware tools that do not guarantee the complete and irreversible removal of data. Although taking action to remove data at end-of-life is an important first step, without proper education it is dangerous to feel confident in these highly insecure methods.

Education is key

IT and security professionals face a continuous task, protecting their organization’s brand equity from evolving security threats. This task has only been exacerbated by the tidal wave of data found at the core of many business models today. There is simply a lack of education in how to remain secure when handling sensitive data.

One requirement of GDPR for certain organizations, such as public authorities or organizations that carry out certain types of processing activities, is to appoint a Data Protection Officer (DPO). You should consider hiring a DPO as a trusted and educated source of data management best practice. Not only can they help ensure your policies track data throughout the IT asset lifecycle, through to data sanitization, but they can also be key in communicating the enterprise’s data sanitization policy company-wide.

It is important to remember that human error poses an immense risk to data security, which can only be mitigated through consistent up-to-date education.

Without more education, overconfidence will continue to spread like a virus and end up undermining the entire security environment; unless this is addressed, enterprises will always struggle. The security landscape has changed, and today data reigns supreme in the world of threats and risk.

Security and IT professionals need to question their confidence and reconsider their current data management processes. Data sanitization with an auditable trail is a necessity for any enterprise handling sensitive company or customer data. Combined with education, data sanitization best practices are the only way to restore confidence in IT security today.
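To make the two points above concrete (that formatting leaves data in place, and that sanitization should end in a verified, auditable record), here is an added illustration that is not part of the original article. It uses a small constructed disk image rather than a real device: a "quick format" only clears the directory sectors, a byte search still finds the sensitive record, and only a full overwrite with read-back verification removes it and yields an audit entry. The layout constants, file names and card-number marker are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

SECTOR = 512
DIR_SECTORS = 2      # constructed layout: first two sectors hold the "directory"
DISK_SECTORS = 64    # constructed 32 KiB image


def new_disk_with_file(payload: bytes) -> bytearray:
    """Build a constructed image: stale 0xFF filler, one directory entry
    in the metadata sectors, and the payload stored in the data region."""
    disk = bytearray(b"\xff" * (DISK_SECTORS * SECTOR))
    data_start = DIR_SECTORS * SECTOR
    disk[data_start:data_start + len(payload)] = payload
    entry = b"FILE:customers.csv@%d+%d" % (data_start, len(payload))
    disk[0:len(entry)] = entry
    return disk


def quick_format(disk: bytearray) -> None:
    """Mimic a quick format: only the metadata sectors are cleared,
    the data region is untouched."""
    disk[0:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)


def residual_data_present(disk: bytes, marker: bytes) -> bool:
    """Recovery-style check: does the sensitive marker survive anywhere?"""
    return marker in disk


def sanitize_and_verify(disk: bytearray, pattern: int = 0x00) -> dict:
    """Overwrite every byte, read the whole image back to verify, and return
    an audit record (timestamp, size, pattern, verification result, digest)."""
    size = len(disk)
    disk[:] = bytes([pattern]) * size
    verified = all(b == pattern for b in disk)        # independent read-back pass
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "bytes_overwritten": size,
        "pattern": f"0x{pattern:02x}",
        "verified": verified,
        "image_sha256": hashlib.sha256(disk).hexdigest(),
    }


def run_scenario(marker: bytes = b"card=4111 1111 1111 1111") -> dict:
    """Format, check for residue, then sanitize and check again."""
    disk = new_disk_with_file(b"name,card\nA. Example," + marker + b"\n")
    quick_format(disk)
    after_format = residual_data_present(disk, marker)   # still True
    record = sanitize_and_verify(disk)
    after_wipe = residual_data_present(disk, marker)     # now False
    return {"after_quick_format": after_format, "after_overwrite": after_wipe, "audit": record}
```

The audit dictionary is the kind of per-asset record an auditable trail needs; on real hardware the overwrite and verification would be done by a certified tool, not by Python.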
