Come together – stopping data breaches using people and systems
The EU’s General Data Protection Regulation (GDPR) will cross the two-year mark of being in effect this May. The sweeping EU law on data privacy protection has been a catalyst for larger companies because they could face fines of up to 4% of global revenue for not complying with the law.
That potential financial hit has prompted organizations to spend an average of $3 million to comply with the regulation, according to a report by EY and the International Association of Privacy Professionals.
But are regulations – even ones as potentially dire for a company’s bottom line like GDPR – enough to keep personally identifiable information protected?
Steph Charbonneau, Titus co-founder, CTO and CISO, doesn’t think so.
For one, significant confusion remains about the regulation. Some companies complain that it’s too vague, lacking comprehensive guidelines. Meanwhile, data breaches continue to rise, averaging 278 notifications a day, according to analysis by cyber and data protection law firm DLA Piper.
That puts the impetus on security service providers like Titus to provide the support to help organizations keep up with changing regulations.
“People don’t have the time, energy and money to decide what information is personal and what isn’t,” says Charbonneau. “We have to make it crystal clear.”
Security scanning as intuitive as spellcheck?
Charbonneau envisions that one day, the issue of “how do I handle the data?” will be answered as automatically and as seamlessly as how spellcheck operates in the background as a person drafts an email or other written communication.
“They can’t think about it – it has to be natural. Like today’s spellcheck, we have to make it almost seamless to how they go about their daily work,” he says.
Getting to that day will take more than regulations, he adds. It will take a strong security culture. It will take smart analytics, better known today as artificial intelligence or machine learning. It will take seamless integration of security products acting cohesively and triggered by human engagement.
The technology path often starts with a foundational data classification system. Below, Charbonneau touches on all these drivers and where he sees the industry headed.
The people factor: building a security-driven culture
Titus CEO Jim Barkdoll, in his Jan. 2 blog post, “A new year, a new regulation…and a new data breach”, made the point that having a strong security culture can minimize human error that can cause a data breach.
Where do companies go wrong? “When they think a magic black box in the background will fix everything,” says Charbonneau, warning that not involving people in the process can be very costly. “In the end, the people who are creating the information are what will get you in trouble,” he says.
That’s where a good data classification system can play a foundational role. But classification can mean different things to different people.
We must classify data up front, comprehensively
“For us, it means identifying the value of information and it may be multiple different perspectives of PII. What kind of PII? The more specific we can be when we apply the classification of that data up front, the better every downstream technology will be able to understand it and not guess,” he explains.
A key best practice is to understand data at the point of creation. Titus recommends that whenever a piece of data is being tagged, upstream or downstream, the user is asked whenever there is any uncertainty. Charbonneau admits that forcing people to classify data may not be for everyone, but understanding the data’s context and sensitivities up front “will lead to better decisions downstream.”
Classifying data is harder than it appears, he adds. A decade ago, employees signed employment agreements to protect company data, which was typically classified into four buckets. With the advent of the internet and sharing platforms, and companies’ teaming agreements, information that previously was strictly confidential may not be allowed to be shared with different people outside the organization.
“Turning that into a workflow process is a lot more complicated – you have to get into a lot more specificity and a lot more different angles on the data that you need to identify,” says Titus’s chief security officer.
A phased approach to data classification
Typically, the company takes a phased approach with clients when it comes to classifying their data. It starts with the Educate phase, showing employees why classifying data is both important and valuable; followed by Empower, giving employees an active role in classifying emails and documents in real time, as they are being created; and finally Enforce, where the classification system puts up guardrails: preventing employees from sending internal documents to outside recipients, automatically encrypting sensitive emails, and so on.
Another challenge with data classification systems is that they must play nice (integrate well) with other components of data security such as encryption, rights management, and data loss prevention (DLP).
“You can architect and deploy large DLP, encryption, and rights management solutions for a company, but that’s just plumbing. Until a user actually clicks on the protect button to drive the encryption, you’ve missed the mark,” Charbonneau says. “In all these examples, if you don’t understand the data up front, you’ll have a hard time implementing or getting value from the other technologies you have in place.”
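The Educate, Empower and Enforce phases above, and the point that DLP and encryption are only plumbing until a classification drives them, can be shown in code. What follows is an added example and not Titus product code: a toy policy engine in which the label applied at creation time (Empower) decides what the downstream guardrail does (Enforce), and an item with no usable label, or a label that a simple DLP-style scan contradicts, is sent back to the author with a question rather than silently re-labelled. The label taxonomy, the internal mail domains and the PII regular expressions are all constructed for the example and are not a real product's rules.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    ENCRYPT = "encrypt"     # sensitive content: protect automatically
    BLOCK = "block"         # internal-only content addressed outside the organisation
    ASK_USER = "ask_user"   # classification missing or contradicted: prompt the author


# Constructed for the example: the organisation's own mail domains (hypothetical).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Hypothetical label taxonomy. A label may carry a PII sub-type after a colon
# ("pii:health", "pii:financial") so downstream tools do not have to guess.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}

# Constructed PII patterns for the downstream DLP-style check. Deliberately
# simple; a real scanner would use validated matchers and checksums.
PII_PATTERNS = {
    "pii:financial": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13-16 digit card-like number
    "pii:contact": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),       # North American phone number
}


@dataclass
class Message:
    sender: str
    recipients: list[str]
    label: Optional[str]   # None means the author never classified the item
    body: str = ""


def external_recipients(msg: Message, internal=INTERNAL_DOMAINS) -> list[str]:
    """Recipients whose mail domain is not one of ours."""
    return [addr for addr in msg.recipients
            if addr.rpartition("@")[2].lower() not in internal]


def detect_pii(text: str) -> list[str]:
    """DLP-style scan of the body: which constructed PII sub-types appear."""
    return [name for name, rx in PII_PATTERNS.items() if rx.search(text)]


def base_class(label: str) -> str:
    """'pii:health' -> 'pii'; 'Internal' -> 'internal'."""
    return label.split(":", 1)[0].lower()


def decide(msg: Message) -> tuple[Action, str]:
    """Map the author's classification (plus a sanity scan) to an enforcement action."""
    if msg.label is None or base_class(msg.label) not in LABEL_RANK:
        return Action.ASK_USER, "no usable classification on the item"
    cls = base_class(msg.label)

    # The scanner sees PII but the author labelled below that level. Do not
    # silently escalate: the label may be right and the regex wrong, so ask.
    found = detect_pii(msg.body)
    if found and LABEL_RANK[cls] < LABEL_RANK["pii"]:
        return Action.ASK_USER, f"label '{msg.label}' but body looks like {', '.join(found)}"

    ext = external_recipients(msg)
    if cls == "public":
        return Action.ALLOW, "public content"
    if cls == "internal":
        if ext:
            return Action.BLOCK, "internal-only content addressed to " + ", ".join(ext)
        return Action.ALLOW, "internal content staying inside"
    # confidential and pii:* are always protected, wherever they go
    return Action.ENCRYPT, f"{msg.label} is sensitive; encrypting before delivery"


if __name__ == "__main__":
    # Constructed sample items, one per branch of the policy.
    samples = [
        Message("alice@example.com", ["bob@example.com"], None, "draft notes"),
        Message("alice@example.com", ["pat@partner.example"], "internal", "roadmap"),
        Message("alice@example.com", ["bob@example.com"], "internal", "roadmap"),
        Message("alice@example.com", ["pat@partner.example"], "pii:health", "lab results"),
        Message("alice@example.com", ["pat@partner.example"], "public", "call 555-123-4567"),
    ]
    for m in samples:
        action, why = decide(m)
        print(f"{action.value:9} {m.label!s:12} -> {why}")
```

The ASK_USER branch is the part worth copying: both a missing label and a label the scanner disagrees with go back to the person who created the content, which is the "ask the user questions if there is any uncertainty" practice from the section above rather than a black box quietly deciding for them.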
The next security frontier: machine learning
Finally, machine learning and AI will play a critical role in safeguarding information. The science of looking for patterns and identifying sensitive information from context, the way humans can, is “just scratching the surface,” says Charbonneau, noting that even search engine giant Google, recognized by Forrester as a leader in streaming analytics, can understand a sentence but hasn’t yet figured out how to analyze pages and pages of data.
“It’s exciting times for the next two to three years as we develop these AI systems – the more information we throw at it, the better we’re going to get over time,” concludes Charbonneau, who predicts that within five years, having a spellcheck-caliber security AI will be a normal part of doing business.
Discover your security prowess: take our quiz
In today’s environment of everyone being online and vulnerable to personal data breaches, it’s never been more important to have the right cybersecurity tools and policies in place.
Take a moment and take Titus’ Risk Assessment Quiz to find out how prepared you are from an overall data protection and regulatory compliance perspective.