Personal data protection in 2018 and beyond: Q&A with Doug Snow

August 2nd, 2018


Recently, TITUS hosted an ISACA webinar in which Doug Snow, vice president of customer success, discussed how to achieve sustained GDPR compliance. Doug covered ways organizations can get executive buy-in and sponsorship, how to engage and empower end users through change management, and tips for data discovery and mapping.

The audience asked so many great questions that we didn’t have time to answer them all, so we sat down with Doug to address some of the most common questions here.

Do you foresee a GDPR-like regulation being put into place in the US?

Yes, you can count on it. We’re already seeing increased data privacy and protection regulations coming into play in the US: The New York Department of Financial Services (NYDFS) Cybersecurity regulation, and the California Consumer Privacy Act (CCPA) have been introduced and the CCPA went through the legislature in record time. Although we may not see things move as quickly at the national level, there is certainly discussion around the importance of personal data protection.

GDPR set the standard for personal data protection regulations, and the emerging regulations globally reflect the same functional requirements.

With the increasing presence of automation, what are some of the core concerns for data security?

Automation plays an important role in all information security practices, including classification, so it’s entirely possible to categorize metadata objects based on context, such as your directory or information about the type of file. However, it’s important to involve end users because there are many instances where a machine cannot accurately determine the sensitivity of the material.

You will absolutely be putting more automation into your data security programs, but you can’t take the human element out of the picture completely. As I discussed in the webinar, humans will be integral to refining the algorithms being used as people make decisions about sensitivity of data and lead to fewer false positives.

Why can’t an organization encrypt everything? Would that not lead to GDPR compliance?

If we could encrypt everything and still get work done, it would have been done already. We can’t do it yet. During the webinar, I mentioned a great paper, “Why Johnny Still, Still Can’t Encrypt: Evaluating the Usability of a Modern PGP Client”, that outlines the challenge in sharing the key to encrypted data.

Usability of encryption across systems is still challenging and, given that we invested in information security to enable business to move faster, the last thing you want is to introduce the frustrations with trying to handle encrypted or locked documents. You’ve lost the value of electronic information, the speed of information technology and you’ve impaired the business. So, while encryption is the first thing that comes to mind for a lot of folks, it’s not a practical solution to solve the whole problem. You must encrypt the sensitive material, but only the sensitive material and you need to know the classification first to accomplish that action.

Is there a trust badge for companies that can be shared on their platforms or websites to state that they are GDPR compliant?

I think that’s a brilliant idea to be able to have a third-party authority that can measure your trustworthiness. After all, it’s a competitive differentiator. But the exact definition of GDPR compliance is still evolving so it might not be possible to achieve that badge yet in today’s world.

Perhaps in the future there will be auditors that can validate that you’ve implemented classification, controls, and cultural change (all reportable), that can be tidily displayed in a scorecard or some attestation of your organization’s level of trustworthiness. I would start with a maturity model. There are many emerging around privacy, including the CMMI Cybersecurity Maturity Model. As you advance in maturity, you can earn badges.

How do I commence the process of effective data classification in my organization?

The most important thing to do is to have all end users start classifying newly created and recently accessed content from this day forward. It isn’t practical or physically achievable to freeze frame an organization and try to discover all its content, the meaning of the content, and apply a classification level to it. The grounds will be shifting under your feet as users are creating new content 24/7 around the globe.

Deploying a tool like TITUS Data Classification is done in conjunction with a few other steps:

You need to have an agreed-upon classification schema that’s been accepted as policy inside the organization and shared across business units. This should be part of an information security policy that addresses the handling procedures and provides guidance on the controls you can put in place.

Most importantly, though, is communication with your user base. Let them know the importance of classification, how you’ll be using it, and what the benefits are to them and the business. This really is a change management initiative – driving a security culture, with privacy built in by design and default.

Based on your experience, what is the duration of a data-mapping classification program, and what are the pitfalls?

Like any project, the speed a project gets deployed depends on the ability to make decisions. Once you have your decisions made, you know what you want your classification schema to look like, and you have the right approvals, deploying a tool can be as fast as you can physically get it out there.

In terms of pitfalls, one of the most important things to watch for is the dependency on default classifications. It’s tempting not to involve end users so many organizations move to a default classification. The challenge with that is that you’ll end up classifying all of your content with that same default value. Going this route means missing many opportunities: Culture change, education, and accurately mapping the content to the right categories to ensure appropriate protection.

The second biggest pitfall is not having an executive sponsor and failing to leverage a change management program. You need both so your organization can make the important cultural and behavioural changes to protect personal data and comply with GDPR, leveraging whatever technology you choose.
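The two points Doug makes above, that a machine can classify on context (directory, file type) and content but must hand the ambiguous cases to a person, and that a blanket default classification silently stamps every file with the same value, are shown together in the following added example. It is illustrative Python written for this page, not TITUS code, and it does not describe how TITUS Classification works internally; the classification levels, share paths, file-type rules, content detectors and sample files are all constructed assumptions. It goes slightly beyond the text by adding a Luhn check so that a 16-digit ticket number is not mistaken for a card number, and an override-rate function that measures how often users correct the machine, the feedback loop Doug describes for reducing false positives.

```python
"""Context-plus-content classification with a human-review flag.

Added example, not TITUS code. Levels, directory rules, file-type rules,
content detectors and sample files below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
DEFAULT_LEVEL = "Internal"  # what a blanket "default classification" would stamp on everything

# Context rules (assumed): the share a file lives on says something about its sensitivity.
CONTEXT_RULES = [
    ("/shares/marketing/public/", "Public"),
    ("/shares/hr/", "Restricted"),
    ("/shares/finance/", "Confidential"),
]
# File-type rules (assumed): some formats are sensitive wherever they sit.
EXTENSION_RULES = {".pst": "Confidential", ".pem": "Restricted"}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits with optional separators


def higher(a: Optional[str], b: Optional[str]) -> Optional[str]:
    """Return the more sensitive of two levels (None means 'no signal')."""
    if a is None or b is None:
        return a or b
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most 16-digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def context_level(path: str) -> Tuple[Optional[str], List[str]]:
    """Classification signal from where the file sits and what type it is."""
    level, reasons = None, []
    for prefix, lvl in CONTEXT_RULES:
        if path.startswith(prefix):
            level, reasons = lvl, [f"location {prefix}"]
            break
    name = path.rsplit("/", 1)[-1]
    ext = path[path.rfind("."):].lower() if "." in name else ""
    if ext in EXTENSION_RULES:
        level = higher(level, EXTENSION_RULES[ext])
        reasons.append(f"file type {ext}")
    return level, reasons


def content_level(text: str) -> Tuple[Optional[str], List[str]]:
    """Classification signal from personal data found in the file body."""
    level, reasons = None, []
    if EMAIL_RE.search(text):
        level, reasons = "Confidential", ["email address"]
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            level = higher(level, "Restricted")
            reasons.append("card number (Luhn valid)")
            break
    return level, reasons


@dataclass
class Suggestion:
    path: str
    level: str
    reasons: List[str]
    needs_review: bool  # True when the machine should not decide alone


def suggest(path: str, text: str) -> Suggestion:
    ctx, ctx_why = context_level(path)
    con, con_why = content_level(text)
    if ctx is None and con is None:
        # No signal at all. Silently stamping DEFAULT_LEVEL is the pitfall; ask the user instead.
        return Suggestion(path, DEFAULT_LEVEL, ["no rule matched"], True)
    # Context and content two or more levels apart is exactly the case a machine cannot settle.
    conflict = (ctx is not None and con is not None
                and abs(LEVELS.index(ctx) - LEVELS.index(con)) >= 2)
    return Suggestion(path, higher(ctx, con), ctx_why + con_why, conflict)


def override_rate(decisions: List[Tuple[Suggestion, str]]) -> Tuple[float, float]:
    """Feedback loop: fraction of flagged and of unflagged suggestions users overrode.
    A high rate on unflagged items means the rules are producing false positives."""
    def rate(xs: List[bool]) -> float:
        return sum(xs) / len(xs) if xs else 0.0
    flagged = [s.level != final for s, final in decisions if s.needs_review]
    unflagged = [s.level != final for s, final in decisions if not s.needs_review]
    return rate(flagged), rate(unflagged)


# Constructed sample files: path -> content.
SAMPLE_FILES: Dict[str, str] = {
    "/shares/hr/2018/salary-review.xlsx": "Jane Doe, jane.doe@example.com, 72000",
    "/shares/marketing/public/brochure.txt": "Visit our booth at the show.",
    "/shares/marketing/public/leads.csv": "name,email\nA. Person,a.person@example.org",
    "/shares/projects/notes.txt": "Meeting moved to Tuesday. Ticket 1234 5678 9012 3456.",
    "/shares/finance/expenses.txt": "Card 4111 1111 1111 1111 charged 42.00",
}


def classify_all() -> Dict[str, Suggestion]:
    return {p: suggest(p, t) for p, t in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for s in classify_all().values():
        flag = "REVIEW" if s.needs_review else "auto"
        print(f"{flag:6} {s.level:12} {s.path}  ({', '.join(s.reasons)})")
```

Running it, the HR spreadsheet and the finance file are classified without review (context and content agree closely), the brochure is Public, the customer list sitting in a public marketing folder is flagged because its content says Confidential while its location says Public, and the project note with no matching rule is flagged rather than silently labelled Internal.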

Data protection doesn’t have to be complicated

But it does need a thoughtful approach that involves taking the right steps at the right time. If you missed the ISACA webinar, you can watch the recording here. And be sure to leave us a comment if you have any questions we didn’t cover.

 

GDPR compliance is an ongoing concern for affected organizations

July 16th, 2018

Image: GDPR blocks with silhouettes of people as building blocks for compliance success

by Doug Snow

It’s been six weeks since the General Data Protection Regulation (GDPR) went into full effect in the EU. But it’s still top of mind for most organizations. Why? Because so many aren’t yet ready. In fact, according to an ISACA research paper, only 29% of organizations were on track to be fully compliant by the deadline. Respondents indicated only 39% of staff have had adequate training to maintain GDPR compliance.

Even organizations that were ready on May 25 this year are already struggling to maintain compliance.

What are the biggest challenges to GDPR compliance?

Clearly, there are significant roadblocks to getting ready for GDPR that organizations have to address. Here are the top three identified by respondents in ISACA’s 2018 GDPR Readiness Survey:

Data discovery and mapping

You can’t adequately protect data you don’t know you have. That’s why it’s critical for businesses to get a solid handle on where personal data is collected, stored and shared. Clearly identifying sensitive personal information is not easy, and it requires all hands on deck. Organizations will need to push for a culture change through strategic deployment of information security policies as change enablers.

Prioritizing GDPR compliance among business priorities

Every business has competing priorities, but GDPR’s risk factor (fines of up to €20 million or 4% of annual global turnover, whichever is greater) is high stakes for any business. The EU has sent a loud and clear message that personal data protection matters enough that breaches should have big consequences. But it’s not an easy shift to make to operations.

Organizational education and change programs

Anyone who’s ever led a large-scale change initiative can appreciate the difficulty of getting buy-in across the organization and rolling out education programs. GDPR requires an unprecedented level of collaboration and commitment to know what data is impacted, how it should be handled and helping employees get up-to-speed on new processes and procedures.

How do you take effective action and maintain GDPR compliance over time?

Join me on July 19 at 12:00pm EDT for an ISACA webinar where I’ll talk about:

  • Getting organizational buy-in to ensure data protection is built in, not bolted on, to your business processes
  • Designing an effective and inclusive change management process to support privacy by design and by default
  • How to educate and empower employees to identify and protect personal data, without disrupting your business

GDPR isn’t going away and similar regulations in other jurisdictions will come before we know it. The key to ongoing compliance is designing operations with data protection in mind.

Doug Snow is vice president, Customer Success at TITUS, where his 30 years of IT industry experience and project management expertise make him ideal to lead the team that ensures our customers’ needs are taken care of every step of the way.

 

TITUS Illuminate: Identify, classify and analyze files with a Wave contender

June 13th, 2018

Identify, classify, and analyze files with TITUS Illuminate

by Mark Cassetta

When I joined TITUS in 2012, we had already set the standard for data classification. We were growing as a business and had developed a data protection solution that’s scalable, flexible, and ready to support different cloud platforms.

In 2015, we put a plan in place to solve a different problem: helping customers identify and protect data that already exists.

New data is created at incredible rates, which means the volume of data is growing. When you take into account that people work cross-functionally and collaborate with external resources all the time, it means files are stored in numerous network and cloud locations. Clearly, the combination of data discovery and classification would be increasingly important moving forward.

That’s when we began the design process for TITUS Illuminate, which helps identify the business value of data stored on-premises and in the cloud, such as Microsoft OneDrive and SharePoint Online, Dropbox and Box. It gives organizations the ability to know what data they have and how to protect it.

The power of classification and file analytics

It’s been a great journey for TITUS so far and I’m proud that TITUS was among the select companies that Forrester invited to participate in The Forrester Wave™: File Analytics Providers, Q2 2018. In this evaluation, TITUS received three of its highest scores in the criteria of security and governance, technology strategy, and customers and markets.

Illuminate enhances the ability of data loss prevention, enterprise rights management and other security solutions to apply the proper security controls based on classification policies. Illuminate also leverages its file inventory capabilities to identify and dispose of redundant, obsolete or non-business related data, decreasing risk exposure and improving organizational efficiency by reducing storage cost.

In addition, TITUS Illuminate:

  • automatically classifies files based on content and context;
  • protects files with encryption and remediation options; and
  • provides a user-friendly reporting capability so organizations can analyze and monitor results to better understand their data.

Next generation file analytics

The strength of our current approach with TITUS Illuminate is based on embedding classification metadata and policy actions to protect data. I’m really excited to see the next evolution of TITUS’ file analytics capabilities. We’re making great progress on a next-generation solution driven by machine learning. We’re also going to extend our platform with open APIs for policy actions, rules, and metadata services.

The best part of all this?

TITUS Illuminate was quite literally developed hand-in-hand with some of our customers. We were fortunate to have people from outside of the company help shape the current and future direction of our file analytics capabilities. It’s a really special experience for our developers and product managers to get real-time insights on how their ideas and solutions can make a positive impact for customers.

Building products beyond data classification with the ability to protect, track, and control data presents a great opportunity for TITUS and I can’t wait to see where we go from here!

Download The Forrester Wave™: File Analytics Providers, Q2 2018 to learn more about how TITUS Illuminate can help you classify and secure your sensitive data.

Mark Cassetta, senior vice president of product management and strategy, is responsible for the execution of product strategy at TITUS. His diverse background, including roles in marketing, business development, corporate strategy, applications development, and enterprise software, helps to inform his approach.

 

ISACA Research Shows Companies Still Aren’t Ready for GDPR

May 17th, 2018

ISACA Research Shows Companies Still Aren’t Ready for GDPR deadline May 25th

The GDPR deadline is just over a week away and results from ISACA’s GDPR Readiness survey show that most organizations are still not fully prepared to meet compliance requirements. ISACA surveyed more than 6,000 professionals globally to find out how prepared organizations are for GDPR, what the top barriers to compliance are and the expected timeframe for readiness.

Check out this infographic that shows some of the highlights from the survey:

Infographic: Are you ready for the GDPR deadline?


Perhaps the biggest surprise is the level of employee education on GDPR and their role in compliance. Only 39% of respondents said employees have been educated to a satisfactory level about their responsibilities to maintain GDPR compliance.

People and tools are the drivers to GDPR compliance

ISACA’s research about GDPR-readiness makes it clear: companies will be expected to do more to protect personal data because the old way of doing things just won’t cut it anymore. And this includes providing employees with the right resources and tools to help them understand what they can do to protect personal data within the flow of work. As a result, information ownership and data protection “by design and by default” will continue to be primary drivers of successful compliance for GDPR and other regulations.

The best solution to help with GDPR compliance will enable people, process, and technology to work together without grinding things to a halt. Because people need the freedom to work just as much as organizations need to protect sensitive data. This is why employees need to understand the business value of the data they work with regularly, so they can protect it in the day-to-day flow of work.

Get employees involved in your GDPR compliance journey

Educating employees about information security and data protection is important because the amount of data generated is constantly growing and the way employees work and share information is evolving. The roles and responsibilities for each business unit must be defined to help meet GDPR and other compliance requirements.

Click here to download ISACA’s report to learn more about the biggest compliance challenges facing organizations today, the level of executive buy-in, and the top benefits expected from GDPR compliance.

 

GDPR isn’t a checkbox exercise, it’s an opportunity to differentiate

April 12th, 2018


by Tim Upton

The ramifications and awareness of corporations getting access to and using personal data came to the forefront recently with the news that personal data of 50 million Facebook users was used to influence various political processes in the UK and US.

No doubt the leaders at Facebook wish they took a different approach to protecting data. At the same time, users likely wish they took more caution and control with the information they shared.

The reality is most regulations come about as a result of some unanticipated consequence. We have tools that allow us to easily collect, distill, and use data to inform our business practices. But awareness of these tactics has built up among consumers and they’re understandably concerned about how their personal information and data about their habits and activities are being used.

According to PwC’s 2017 Consumer Intelligence Series report, 25% of consumers believe most companies handle their sensitive personal data responsibly. What’s worse is that only 10% of consumers feel like they have complete control over their personal information. This awareness and concern have only grown as the size and frequency of data breaches increase.

So, how do you protect data?

Organizations are accustomed to using data without prescriptive rules, but new regulations are forcing them to make changes. While it’s not the first compliance regulation out there, the EU’s General Data Protection Regulation (GDPR) is the one that’s forcing organizations to wake up to how they’re handling data. After all, with potential fines of up to €20 million or 4% of the previous fiscal year’s worldwide turnover, whichever is greater, there’s a lot at stake for businesses.

Some organizations are looking at GDPR as a checkbox exercise, making sure they meet the requirements and then going back to regularly scheduled activities. It’s good to know you’ve done what’s required to be compliant, but what if there was a better way?

Treat GDPR as an opportunity to differentiate your business

We all know GDPR isn’t the last word on data compliance. It’s only a matter of time before a new compliance regulation comes along in a new country with even more restrictive rules. Can any organization really afford to stay in a position of constantly catching up?

Instead, why not build a security mindset in your organization by educating employees, helping them stay vigilant about the data around them, and the need to protect it? Doing this distributes the responsibility and accountability for keeping data secure across your entire organization, making it easier to be successful. It makes the security of all types of data – physical and digital – part of everyday work.

After all, if business leaders can get ahead of compliance regulations, it’s an opportunity to build lasting trust with customers by targeting a higher standard for data protection.

Data protection: People and tools are the drivers

Establishing a culture of security empowers individuals at all levels. When they understand the kinds of data being used throughout the organization and the expectations of how each type of data should be handled, they can help make proper data identification.

Data classification tools make identifying data easier by applying markings and triggering policies for how data can be accessed by internal and external users.

The best part of these tools? They make it easier to know what data you have. Because you can’t adequately protect data if you don’t know you have it.

Don’t just check the boxes on GDPR compliance

Technological advancements have accelerated our ability to generate, collect and use large amounts of data. And lawmakers are taking action in response to the demands of consumers. Regulations like GDPR make protecting data essential, just like you lock up the office at the end of the day to secure equipment and other physical assets. Data is a significant asset for organizations. It’s time to start acting like it because there’s a lot more than fines at stake.

Tim Upton is the CEO and one of the founders of TITUS. Tim has an extensive background as a technology consultant in the security and large infrastructure spaces that helps inform company direction.

 

You Had Me at Hackathon: How one TITUS employee builds his skills

April 5th, 2018

Image: MLH London Hackathon

by Farhan Ahmed

Ever since I can remember, I’ve been curious about the impact technology has on people. And I’ve always wondered, “What’s next?” This curiosity and interest inspired me to pursue a degree in computer engineering at Western University. I realized something else during the course of my studies: I want to help others see what’s possible with technology. For example, I developed a computer science curriculum for kids aged 9-15. I taught HTML, Scratch and Python, and we worked with LEGO MINDSTORMS robots.

Learning at the drop of a hack

I’ve also been encouraged to step outside my comfort zone to push the boundaries of my own learning. So, I started attending hackathons. And let me tell you, I’ve gained so much experience from these events that have helped my studies and my time as a co-op student at TITUS. I was asked to share my experience with hackathons here on the TITUS blog, so I want to take this opportunity to pass along some key lessons I’ve learned.

Get a view of the big picture

When you’re working on an idea during a hackathon, you get a glimpse of the full product cycle. You pitch the idea knowing the importance and value it adds to solving a problem and how it’s going to be used. As developers, we need to see things through the eyes of actual users because that perspective helps us understand how our solutions work.

I honestly can’t describe the feeling of pride and the sense of accomplishment when you get to see the final product of your hack. You get to reflect on what you’re capable of learning and the boundaries you’ve surpassed.

Approach problems from new angles and learn new skills

I recently attended a hackathon in London, Ontario, which was hosted by Major League Hacking. The challenge my team wanted to solve was to provide better photodynamic light therapy for skin cancer patients. Currently, photodynamic light therapy uses one standardized wavelength. Our approach was to feed the machine learning algorithm information about each individual’s physiology so the wavelength delivered would be more effective for the treatment. I was initially worried about my lack of experience with databases. But I was quickly able to overcome that fear by collaborating with my team members.

That’s what it’s about – people working together on a solution that will help others.

The hackathon mindset at work

I joined TITUS in September 2017. Since then, I’ve been working with the machine learning team to help our customers combine user-driven and automatic classification of their data. Machine learning is a hot topic in information security these days, so you can imagine my surprise when I learned about our own internal hackathon at TITUS. The goal of my first hackathon at TITUS was to come up with new ways to visualize the results that come from our policy engine. It was a lot of fun being an entrepreneur and seeing real business implications from the solutions you work on.

Hackathons are an important part of the high-performance culture we embrace at TITUS. With new technology comes innovation and new possibilities. Seeing how hackathon ideas are integrated into our products allows us to understand the end-user experience and truly appreciate the value of our efforts.

Get out of your comfort zone

By definition, lifelong learning is, “the ongoing, voluntary, and self-motivated pursuit of knowledge.” Growing as a person involves learning and stepping outside your comfort zone. A hackathon is designed to promote this kind of learning. We’re challenged to learn and implement skills within a short period of time. I strongly encourage everyone to attend a hackathon and stretch your boundaries to learn!

Farhan Ahmed is a co-op student at TITUS, specializing in machine learning. He’s responsible for delighting customers by making it easier to classify data.

 

Protect sensitive data in the cloud with Netskope and TITUS

March 22nd, 2018

Concept image: protect sensitive data in the cloud

by Corey Markell

The amount of information created these days is staggering. We’re doubling the volume of data every two years. That’s a lot for organizations to filter through to protect sensitive data. Not only is the amount of data increasing, but the way people work and share information is changing, too.

Companies aren’t confined to strict physical locations anymore. And collaboration with remote full-time employees, contractors, and contingent workers is the new normal. But that means the traditional corporate network perimeter is gone.

Build data protection into the workflow – everywhere

We can’t roll back the clock to the days when an organization’s data sat inside one carefully walled-off container. Besides, we all know employees will scale those walls or punch a hole right through them to get their work done. Since productivity is the main driver behind the use of shadow IT, organizations need to address the needs of workers so they can continue to get their work done as easily as possible. That’s where cloud sharing and storage apps come into play.

They’re essential to business operations, but they’re changing the urgency and need for tools that protect sensitive data beyond the traditional firewall because of the amount of data that now moves in and out of the cloud. Not to mention the pressure that’s coming from compliance regulations, such as GDPR.

Reduce the risks of data loss, breaches or leaks with controlled cloud usage

The biggest challenge with cloud apps is the ease with which large amounts of data can be shared – even from mobile devices. IT departments and CISOs have limited visibility into what information is being uploaded, downloaded and shared. This makes it easy for users to inadvertently share sensitive data or use unsanctioned applications. Establishing sanctioned apps with Netskope and ongoing coaching on appropriate use is a critical step in protecting data in the cloud.

Establish shared responsibility and accountability for data security

Take the time to create an awareness and education program that covers the basics so you can protect sensitive data at all levels of your organization. When people know how to handle data and the implications of a data breach, they’ll be the best first defense for securing information. After all, it’s in the best interests of the entire organization to keep data secure.

Use the right tools to protect sensitive data – everywhere

Data classification is the foundation of data security – within the corporate firewall and in the cloud. Because you can’t protect data you don’t know you have. TITUS Classification provides automated, system-suggested, and user-driven classification to clearly identify to people and technology how information should be secured. And Netskope cloud enablement solutions enable enterprises to embrace the cloud while ensuring sensitive information is not at risk.

By clearly identifying data, TITUS Classification empowers Netskope to make dynamic, fine-grained policy decisions before information is uploaded to the cloud. Together, TITUS and Netskope provide organizations with the confidence to embrace the cloud.

Want to learn more about how TITUS and Netskope work together to keep your data secure in the cloud? Check out our Netskope technology partner page.

Corey Markell is the strategic partner manager for TITUS. He’s responsible for creating and maintaining meaningful technology partnerships that create new opportunities and value for TITUS customers.

 

Want to boost your GDPR compliance effort? Get your people involved.

March 15th, 2018

Image: People putting together puzzle - we can all help with GDPR

With the GDPR compliance deadline right around the corner, many organizations are working through various stages of preparation. According to Forrester Research’s report, The State of GDPR Readiness, about 30% of companies globally are fully GDPR compliant.

However, the report also notes that only a fraction of these organizations include data classification and data discovery as part of their preparation for GDPR. Instead, many have focused their efforts on IT to meet compliance requirements.

But is this the right move?

GDPR compliance is everyone’s responsibility

We partnered with SC Magazine to host a webcast on March 20th at 2:00 p.m. ET with our VP of Customer Success, Doug Snow, and featured guest Enza Iannopollo, a research analyst with Forrester. Doug and Enza will discuss why collaboration across the organization is important to achieve GDPR compliance.

We sat down with Doug to get some insight on what GDPR compliance means for organizations today and to learn what role employees must play.

It seems like GDPR is putting a microscope on the way personal information from customers and employees is treated. What’s your take on that?

Doug: GDPR outlines some important information about security process and data protection by design and by default. The last two words really stand out to me – by design and by default.

Organizations don’t always know what data they have and where it came from, but with GDPR they will have to take a close look at all the ways they gather, classify, protect, and share information across the business.

What do you think will change the most when it comes to data protection “by design and by default”?

Doug: I think we’ll see security and risk professionals familiarize themselves with the design processes and systems in marketing, finance, legal, consulting services, HR, and any other group that handles personal information.

The first step is for people to come together and provide insight into the type of information they deal with on a regular basis. Transparency helps people adopt a culture of security that values collaboration across the business to properly protect information.

You mentioned the potential need for security and risk professionals to get involved in process design from the beginning. What else is on their to-do list for GDPR at this point?

Doug: I’ve spoken with quite a few S&R pros lately and they’ve all mentioned a few things. First, they’ve been working with people from across the organization to understand what kind of data they have and where it is.

Second, they’re working through a risk assessment that specifically talks about information ownership. I think educating employees about information security and data protection is very much part of the prep work for GDPR because the way we create and share information is constantly changing. It’s good for employees to stop, think, and consider the business value of the information they are creating and handling.

Finally, they’re making sure reporting capabilities are in top shape because data breaches must be reported to the proper supervisory authorities within 72 hours.

What do you think GDPR means moving forward?

Doug: GDPR is a great opportunity for organizations to demonstrate the thoroughness and care they take in handling personal data. It’s about being a responsible organization, through and through.

Because, at the end of the day, we’re all responsible for information security. So, I look at it as an opportunity for people within an organization to mature their secure information handling practices – all to earn new business, improve customer retention, and boost employee engagement around information security.

GDPR compliance takes a village

Want to know how a culture of security can help you meet GDPR compliance? Tune in to our webcast with SC Magazine and Forrester Research, “GDPR Takes A Village: Practical Advice to Help You Achieve Compliance.” Click here to watch!


GDPR makes employee data security education essential

February 9th, 2018


by Doug Snow

The compliance regulation du jour is the EU’s General Data Protection Regulation (GDPR). But many companies aren’t ready for the May 25th deadline and many don’t even know they need to pay attention. Of course, knowing whether your organization is subject to GDPR is only the beginning. You have to take steps to ensure you comply.

As more and more compliance regulations come into effect, it’s creating a lot of work for businesses as they shift, evolve or completely overhaul business processes and deploy tools to meet the requirements. The effort is worth it, though: This is an opportunity to show your customers how committed you are to building a solid relationship of trust – starting with protecting their data. And you can avoid massive fines at the same time.

Of course, no tool or process will ever be effective if people aren’t on board. A security education program can help you build that solid foundation with people to encourage shared ownership of data security across your organization. That classic annual security training video everyone watches for half an hour (to pass a quiz that proves they recalled the information for five minutes) is no longer enough.

Every employee in the world signs an employment agreement that obligates them to follow corporate information handling policies. Even an accidental leak or disclosure can result in termination of employment, but what tools do we give them to be compliant?

Today, the consequences are far-reaching, and people have long memories (and search engines). The fines levied and goodwill lost can lead to the failure of the business and countless lost jobs. That’s why it’s imperative to help employees be part of the solution.

So, how do you get people to use effective, secure data handling practices? Here are three ways you can focus your efforts to build a program that will win them over.

1) Build awareness of the data and data protection policies of the organization

This doesn’t mean you need to give everyone an in-depth overview of GDPR or any other compliance legislation. Instead, they need to know the kinds of data that need to be protected across the organization – even when it’s not part of their job.

As they learn about the types of data, they need to know what level of sensitivity should be applied and why. When people understand the policies and the reasoning behind them, it’s easier to make decisions about what to do with the data they’re handling.

The education shouldn’t end as people leave the training, though. You’ll want to keep promoting awareness in various ways:

  • Posters with reminders throughout your facilities
  • Ongoing training sessions to keep people sharp
  • Sharing stories about how people are mindful of security

Without a foundation of awareness, people won’t be able to take the next step of being mindful of information sensitivity as they go about their day-to-day work.

2) Encourage mindfulness about data security

When awareness resonates in a lasting way, it can lead to a more intentional focus on protecting the data people are handling. With GDPR looming, that’s an important goal! Your organization will benefit from people who go through their workday mindful of the data that’s being passed around. They become your first line of defense against data breaches.

Your awareness efforts can help bolster mindfulness by providing reminders to consider the sensitivity of data.

Having mindful people makes the use of technology for data protection more effective. Introducing tools that apply markings and trigger data protection policies can serve as one more way to build mindfulness right into the workflow. When every document has the sensitivity level clearly marked, it’s easier for employees to see at a glance how the material should be handled.

The technology takes this a step further by preventing inadvertent data breaches, disclosures or losses by blocking the most sensitive documents from being sent to unauthorized recipients.

How many times have you been rushing to the next meeting or trying to leave at the end of the day? You fire off an email and realize it went to the wrong person or group right after you hit send. There’s no calling it back, so having a tool that prevents those errors is invaluable.
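The marking-driven send check described above, written as an added illustration in Python (not TITUS's product code). The classification label read from a document's metadata, the recipient list, the organisation's own mail domain and an approved-partner list are assumed inputs, and all addresses are constructed samples.

```python
from dataclasses import dataclass, field

# Sensitivity markings in increasing order; the marking applied to a
# document is looked up here to decide how strictly the policy applies.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


@dataclass
class Decision:
    action: str                  # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def _domain(address):
    """Mail domain of an address, lower-cased; no '@' means the whole string."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate_send(marking, recipients, org_domain, partner_domains=()):
    """Decide whether a marked document may be sent to the given recipients."""
    org_domain = org_domain.lower()
    partners = {d.lower() for d in partner_domains}
    # Fail closed: an unmarked document cannot be evaluated, so the user
    # must classify it before it leaves the mail client.
    if marking not in LEVELS:
        return Decision("block", [f"no recognised marking: {marking!r}"])
    level = LEVELS[marking]
    external = [r for r in recipients if _domain(r) != org_domain]
    if not external:
        return Decision("allow", ["all recipients are internal"])
    # Restricted material never leaves the organisation.
    if level == LEVELS["Restricted"]:
        return Decision("block", [f"Restricted content to external: {external}"])
    # Confidential material may go only to approved partner domains.
    if level == LEVELS["Confidential"]:
        unapproved = [r for r in external if _domain(r) not in partners]
        if unapproved:
            return Decision("block", [f"Confidential content to unapproved: {unapproved}"])
        return Decision("allow", ["external recipients are approved partners"])
    # Internal material going outside gets a prompt rather than a hard stop;
    # this is where the "sent it to the wrong person" slip is caught.
    if level == LEVELS["Internal"]:
        return Decision("warn", [f"Internal content to external: {external}"])
    return Decision("allow", ["Public content"])


if __name__ == "__main__":
    # Constructed sample: a rushed send of an Internal document to an outsider.
    print(evaluate_send("Internal", ["alice@example.com", "bob@other.example"], "example.com"))
```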

3) Empower people to take appropriate action and be accountable

Knowledge is power, and putting knowledge into action reinforces what people have learned. When only a handful of people in your entire organization are responsible for training, monitoring, auditing, and maintaining all data security efforts, they’ll be more successful if they can build an army of champions for good data security practices.

When awareness and mindfulness lead to reputation-saving preventative action, reward those instances and share the stories to continue the cycle.

Education is key to building a culture of security

The result of all this work is a culture of security where security mindfulness is the status quo of your organization. And when you have the whole company working together to protect sensitive data across your organization, it doesn’t matter what the next data protection regulation is – your entire organization will be ready, willing and able to meet it head on together.

Doug Snow is vice president, Customer Success at TITUS, where his 30 years of IT industry experience and project management expertise make him ideal to lead the team that ensures our customers’ needs are taken care of every step of the way.


Protect private data by building a culture of security

January 25th, 2018

By Steph Charbonneau

This Sunday, January 28th is Data Privacy Day. The recognition of this day by governments and other organizations has been a reason for people and businesses to talk about data privacy and security. But first, we have to talk about what those words mean.

What is data privacy?

Countries around the world have passed legislation acknowledging that individuals have a right to privacy, meaning we should have the ability to control when and to whom access is given to our personal information. This type of legislation is more important than ever as technological advances have increased the amount of data we share.

Why should businesses care about data privacy?

Because it’s good for business. After all, we need consumers to trust us. Today’s businesses and many other organizations rely on data assets to support, sustain and fuel operations. When you look at the large-scale data breaches that have made the news, it’s clear that organizations have to step it up when it comes to protecting the data that keeps them going.

It’s easy and even instinctual to try to fix breaches by building a technological fortress, but that’s not a true long-term solution. Technology is only as strong as the weakest user password or passcode on a lost device. And let’s not forget the surge of shadow IT that circumvents the fortress. The connected nature of our world combined with the human nature of people means technology is an incomplete solution.

Organizations need to build a culture of security

When you actively seek to make security a part of the culture in your organization, you make education, awareness, and accountability an integral part of day-to-day work. It becomes habitual to look for and notify management about vulnerabilities.

  • The door that doesn’t quite close all the way
  • Visitors being admitted without signing in
  • Confidential information left in public areas
  • Badges branded with the company logo
  • Laptops not secured to desks

These examples don’t necessarily relate to technology but ensuring the protection of data means addressing every access point – both physical and virtual.

How do you build a culture of security?

The responsibility for security can’t be shouldered by one person or even one department. And changing culture and behaviors isn’t easy, but the investment will pay off in protecting your business and the data you collect and generate. Here are some steps you can take to get started.

1) Educate employees about data

The security policy new hires sign during orientation isn’t enough. Make ongoing education about data and data handling a priority. People need to understand what data is sensitive so they know to take appropriate steps to protect it. But you can’t guarantee that people will just know your policies and practices. Only when people know how to identify and handle data appropriately can they be accountable for doing so.

2) Promote ongoing awareness

Establishing a shared responsibility for security only works when people are aware. Make awareness an ongoing effort. Hang posters that grab attention and share tips. Send emails with stories and examples of people raising concerns. Make it a community effort and encourage peer recognition. Get help from security advocates or champions who speak up and help the cause.

3) Use technology to enhance and enable security

A tight culture of security is the first and best line of defense against data breaches. But mistakes happen and vulnerabilities get exposed. Providing tools that help users identify the type of data they’re using so they use, share, store, and dispose of it appropriately makes it easier to prevent and/or contain breaches. These tools are like a seatbelt for your data: Once you’re in the habit of using them, you don’t feel as safe handling data without them.

Data privacy is an ongoing concern

The conversations about data that start around Data Privacy Day each year are important to have, but just like the ongoing effort of building a culture of security, we have to keep the conversation going throughout the year.

Steph Charbonneau is one of the founders and chief technology officer for TITUS. His background as an IT security architect helps bridge the gap between customer requirements and TITUS products.