Business owners need to know how to maintain the integrity of their information security systems, particularly in light of new privacy provisions.

With privacy breaches and security threats making headlines around the world, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold is an extremely valuable commodity.
However, when shared inappropriately – whether by accident or breach – the disclosure of sensitive data can have dramatic financial impacts on an organisation and erode consumer trust.
In Australia, the revised Privacy Amendment Act has recently taken effect, giving Australian privacy commissioner Timothy Pilgrim more power to enforce the 13 privacy principles that he and his team are mandating.
Public and private organisations have expressed strong support for the Act, which aims to better protect Australians – and those whose data is stored in Australia – from inappropriate disclosure.
For business owners wondering whether they are meeting the revisions in the Privacy Amendment Act, here are a few tips for improving your privacy and data protection programs you can start implementing today.
• Know your business. Understand what kinds of data your business handles and uses, as well as how your co-workers are using your internal systems on a day-to-day basis. Grasping what a day in the life of your colleagues is like will help you determine why and how they need to handle this protected data in the course of their daily work.
• Identify the most important data. Many companies worry about ‘dark data’ existing across their different information repositories and enterprise systems. Understanding what and where this data is – and properly classifying it – will allow you to set the appropriate levels of protection necessary.
• Set enforceable policies. Understand your statutory and regulatory obligations and ensure your company complies accordingly. However, be sure that any policies you set internally can be measured, monitored, and enforced.
• Make it easier to do the right thing than the wrong thing. Create policies, rules, and IT controls that are sensible and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use.
• Build bridges instead of just walls. Traditional approaches to data security were designed to keep data ‘inside’ your walls and keep intruders out. However, walls become difficult to sustain and build, particularly when end users are accessing your data anywhere, anytime and from any device. Think about protecting the data itself wherever it resides – use your privacy and data controls to allow your end users to appropriately access data where it lives across these systems.
• Trust and verify. Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so.
• Create a culture of compliance. Many companies conduct annual privacy and security training. However, try to think of ways in which you can build an ever-present sense of privacy and security awareness into your employees’ daily activities.
• Get to ‘yes’. Some IT and business professionals working outside of the compliance role believe (fairly or not) that privacy is where IT goes to die and that security leads with ‘no’. Most of their counterparts in privacy and security would like very much to change that perception. So, it’s important for security and privacy officers to take the steps we’ve discussed above to partner with their IT and business colleagues in order to gain the sponsorship and cooperation necessary to successfully implement privacy and data protection initiatives.
• Work with IT and the business from the start. By implementing a standardised and repeatable process with your IT and business colleagues so that they will engage you as a project begins – rather than when it is waiting for your sign off as the only obstacle to launch – you will be able to help provide advice, guidance and approval at every step of the process.
• Understand reality is perception. It’s not only your marketing team that needs to be thinking about building your company brand. Your IT/privacy/security team needs to be able to market its program as well. Work very hard to encourage your IT colleagues and business users to think of privacy and security controls in the same way.
A great way to start putting these tips into practice is by automating your privacy impact assessments (PIAs), which are meant to help you understand, evaluate, assess, and report on the privacy implications of enterprise IT systems.
PIAs have traditionally been a manual, labour-intensive process involving multiple templates and stakeholders. Look for a comprehensive technology solution that can automate them and consequently help you comply with the Privacy Amendment Act, better report on PIAs for executive review, and also extend to security and vulnerability assessments.
Dana Simberkoff is senior vice-president of risk management & compliance at AvePoint Inc.