Executive Q&A: Enterprise Security in the Post-Pandemic Era
The past year has seen major changes in business from the growth of the virtual company with employees working from home to an accelerated move to the cloud. How can enterprises secure their data in this rapidly changing environment? HelpSystems' Kate Bolseth answers our questions.
- By James E. Powell
- June 25, 2021
Malware purveyors never seem to rest even in the midst of a global pandemic. In fact, the bad guys were working to exploit the vulnerabilities created when millions of employees were forced to flee outside the corporate firewall, working from home with a hodgepodge of Wi-Fi connections.
That's just one of the security issues Kate Bolseth, CEO of HelpSystems, sees looming as businesses transition to the new normal. In this Q&A, Bolseth explains what enterprises need to do to manage growing demands for data access, up their security game, and cope with an evolving regulatory environment.
Upside: What's the biggest security challenge enterprises face today?
Kate Bolseth: I'd say it's the pervasiveness of the data that needs to be protected.
Cybersecurity and data security have been a priority for business leaders for many years. Yet, despite investments in security controls, cyberattacks keep coming. The provision of an adequate data security backbone and a robust enterprisewide security culture have become central concerns for CISOs as a result of the pandemic, with new business demands, changing working environments, the extended network, and an ever-evolving data footprint.
With the remote workforce here to stay, more data than ever before will now be generated outside of traditional, secure work environments. Enabling safe user and data access will be critical. The sheer volumes involved will make it more difficult to protect sensitive information and will drive an urgent need for more inclusive and automated forms of data protection to offset this. Also, business today means sharing more information than ever before with customers and partners. Each share is a risk point.
What's driving this trend?
COVID-19 accelerated digital transformations: the move to the cloud, the move to remote working, and the extension of the enterprise network. The result has been the disappearance of infrastructure perimeters with multiple data vulnerabilities exposed across extended enterprise networks, an explosion in data, and fresh challenges in managing data security across these networks.
The acceleration of enterprise cloud has led to the development of new, sophisticated, and complex cloud ecosystems, and it's a challenge for businesses to grasp the full range of choices and implications that moving into this environment brings.
Increasing compliance and regulatory demands have also been a catalyst for data security changes within organizations worldwide. If you haven't been subject to data privacy and compliance, it's not a matter of if but when -- and having trusted advisors to consult in the face of deadlines is key to success here.
How have enterprises tried to solve this problem?
There's no shortage of challenges keeping security leaders up at night related to data security. Many organizations have invested in their data security by adding point solutions where needed, but the pace of digital transformation has left many organizations realizing their current technology cannot meet their business requirements as they grow and scale.
How well have these approaches worked (and why)?
At a foundational level, we've seen enterprises lack the centralized visibility and control over their data that is needed to handle, protect, and share it appropriately. Sometimes their technology is getting in the way of efficiency; other times homegrown solutions cannot meet secure requirements for storing and sharing data safely with everyone who needs access to it.
What better approach can you suggest?
You need people, processes, and technology.
A robust data protection protocol is critical for all organizations, particularly as we move beyond COVID-19 into the new normal. Keeping data secure while maintaining business efficiency under post-pandemic budget constraints will be an ongoing business-critical challenge. Data leaders must be selective and identify the combination of technologies, processes, and people investments that will deliver the greatest security controls.
People, process, and technology all play a key role when it comes to how data security is applied. To reduce risk and meet data protection and privacy regulations, safeguarding methods need to include a combination of access, security, and organizational controls. Access to sensitive data needs to be restricted both physically and online. Systems, networks, and applications need the appropriate administrative and security controls, and employees need policies and tools that allow them to understand and implement industry best practices.
Regular security awareness training and a companywide inclusive security culture will ensure that data security becomes a part of everyday working practice, embedded into all actions and the very heart of the business.
Organizations should implement a secure approach to the entire life cycle of their data. From understanding what data you have to securely sharing it and controlling its access, your organization needs a method to ensure policies are implemented and your most sensitive data is handled with confidence that it will stay in the right hands.
Does your solution still keep governance and privacy regulations in mind (such as GDPR)?
HelpSystems helps support compliance efforts with sophisticated security features, reporting, and auditing. We have customers across regulated industries that trust us to help them comply with the GDPR, PCI DSS, HIPAA, and more.
Maintaining a focus on business context and the ability to comply with regulations will be critical in 2021, as well as ensuring enterprisewide understanding around data and risk. Further, prioritization must be given to delivering smart data protection to make the right decisions on data access and availability -- to deliver technology-based efficiency and automation to adequately support the ever-increasing data volumes of remote workforces.
Governance will need to change to manage the challenges of this new landscape, focusing on a range of factors, from unexpected costs to poor cloud network architecture and access control. Data only becomes valuable insight if it can be collected, collated, shared, and distributed.
This new phase in privacy regulation will be complex. Enforcement will demand changes in people, process, and technology. Companies will require proper corporate data governance programs, employee training, and solid data management systems to counter reputational risk and hefty fines.
What's the best way for an enterprise to implement the approach you're suggesting? What pitfalls should they avoid (and what best practices can you suggest for doing so)?
An approach that combines technology and people is essential.
Now more than ever, strong data usage and protection are required to give employees appropriate and safe access to information and also inform and educate them sufficiently around sensitive data.
The security culture of the organization must include all employees. It must make sure they are continually trained so their approach to security becomes part of their everyday working practice. Regardless of their location, it ensures security becomes embedded into their actions and the ethos of the business.
By combining people, process, and technology, CISOs can deliver on all key data protection and control requirements; not only in ensuring understanding and appropriate management of data, but in delivering the breadth of security coverage required on a local and remote basis and ensuring its suitability for all stakeholders.
Where are security issues headed? What's the next security challenge you expect enterprises to face?
I think there are four key challenges ahead.
Challenge #1: Ongoing growth in remote working will create data security threats
The far-reaching impact of COVID-19 has seen an intensified threat of malicious cyberattacks. The rapid shift to remote working during the pandemic left many employers exposed to hackers and has highlighted multiple examples of serious network and data vulnerabilities.
Infosecurity Magazine quotes research finding that attacks on the biotech and pharmaceutical industry alone rose by 50 percent in 2020 compared to 2019. In the defense sector, the Pentagon is seeing a huge rise in cyberattacks through the pandemic. One cause is the unprecedented numbers of employees forced to communicate through their own devices.
"Insider threat" will be categorized as the most prominent tier 1 data security risk in 2021. It will necessitate stricter corporate guidelines and protocols in data classification. In fact, HelpSystems' recent research interviewed 250 CISOs and CIOs in financial institutions and found that insider threat was cited by more than a third (35 percent) of survey respondents. It is a threat with the potential to cause the most damage in the next 12 months.
Challenge #2: A security culture must be embedded into organizations, especially as insider breach risk continues to grow
In 2021, data governance will take center stage in data security and privacy strategies. Companies will create centers of excellence (COE) to embed a solid data security culture across teams and corporate divisions. It will enable them to formalize in-house data management processes. It means rolling out divisional best practices and placing data classification at the foundation of their data security strategy.
Employees play a vital role in ensuring the organization maintains a strong data privacy posture. For this to be effective, organizations need to ensure they provide regular security awareness training to protect sensitive information. To achieve this, they must invest in user training and education programs.
Challenge #3: Supply chain ecosystem risk will get bigger
Sharing information with suppliers is essential for the supply chain to function. Most organizations go to great lengths to secure intellectual property (IP), personally identifiable information (PII), and other sensitive data internally. However, when this information is shared across the supply chain, it doesn't get the same robust attention.
Accenture reports that 94 percent of Fortune 100 companies experienced supply chain disruptions from COVID-19. As much as 40 percent of cyber threats are now occurring indirectly through the supply chain.
Advanced data classification capabilities will deliver assurance and control to numerous industries including finance, defense, and government. HelpSystems advises organizations to ensure their suppliers have a robust security and information risk approach. It ensures they have security frameworks such as ISO 27001 and Cyber Essentials in place.
Challenge #4: Data privacy regulation set to increase
There is an increased focus on data privacy and protection of personal data. The continuing shift in privacy law, as reflected in the EU's landmark GDPR in 2018 and, this year, the U.S.'s CCPA, and the CPRA set to take effect in 2023, has changed the data regulatory landscape. We can expect to see similar U.S. compliance regulations come into force beyond California through 2021. In addition to individual state privacy laws, we can expect to see federal regulations come into force.
Data automation will also be a priority. Companies will continue to struggle to deliver relevant data protection strategies for every level of business and its users, across all platforms and infrastructures to conform with individual state and international laws.