With workforce mobility at an all-time high the biggest challenge to protecting sensitive data fields is when they are in use by remote users and federated business processes.
Traditional protection focused on the user and network components (IPS, firewalls, activity monitoring, etc.) and now with the transition to data-centric protection; the focus is on the data itself, protecting it wherever it is stored (at rest), moved or copied (in transit) and accessed or used (in use).
Some of the more popular data-centric protection methods include encryption, tokenization, dynamic data masking (DDM), data scrambling, format preserving encryption and a few more.
Guest profile
This week we spend time with Andrew Wilmot who is currently the Head of Data Protection at the Standard Bank Group. Andrew, previously an Executive in several of the Bank’s Commercial entities, is responsible for delivering the Standard Bank Group’s Data Protection Strategy and its integration into the Groups’ current Information Security capabilities.
AXZEL:
Most organisations have terabytes upon terabytes of sensitive data already floating around with employees and with 3rd parties. While new data can be subject to the latest protection methods, realistically what hope do we have of securing legacy data.
ANDREW:
It may seem tempting to focus on new data and new environments when deploying the latest protection methods given the significant efforts required to address legacy items.
However, data protection obligations are not so neatly divided, nor do Regulators make binary distinctions. As a financial institution, customers entrust us, not only with their financial assets, but also their data. It is our obligation to ensure that as much diligence is applied to protecting their data as that which goes with protecting their finances.
This is a material task, and so ensuring good data housekeeping is an absolute essential. In short – know what data you have, know where it goes, know who has access to it & on what basis, destroy what you don’t need. This goes for both new or old data and new or old environments. Naturally, a risk-based approach can always be implemented when determining where & how to start.
AXZEL:
A lot of businesses are struggling to recover from the ongoing effects of the global economic slowdown, and with the growing trend towards self-service data access and analytics; how can you still justify the performance impact of some of these protection methods?
ANDREW:
The Digital Age is with us and will accelerate at an increasing pace. As we all know, data is core to enabling businesses that want to survive and thrive in this era. Yes, the Pandemic has caused may businesses to re-assess their priorities, this is only natural.
However, it would be short-termism to view data as an opportunity only and not build in the safeguards that go with protecting it. Would a Board accept significant investment into creating valuable data driven assets and businesses if not done so in a sustainable, risk managed way?
The key is to identify and deploy practices and protocols that enable digital growth, while protecting customers & shareholders. These are not mutually exclusive outcomes, but rather simply two side of the proverbial digital coin.