Is your old business structure ready for your new security requirements?
Privacy protections have more teeth than ever – but will your data-protection tools and policies help you escape their bite?
Although the profile of cybersecurity risk has increased in recent years, many organisations are still struggling to decide whether responsibility for that risk should be managed by business executives, technology executives, both, or neither.
It’s a long-running conversation that became particularly pointed as 2018 set a watershed in terms of data privacy and governance, with legislation including Australia’s Notifiable Data Breach (NDB) scheme and the European Union’s general data protection regulation (GDPR) dramatically tightening expectations around the protection of data and the penalties for failures.
Often, those expectations only surface after a trigger event such as a cybersecurity breach, data loss, or breakdown of governance systems. When that happens, businesses need to be able to fall back on a clear plan for managing the risk it introduces – but the 2018 NTT Security Risk:Value Report suggested that only 51 percent of Australian respondents said their organisations even have such a plan.
Just 48 percent of companies consider their organisation’s critical data to be completely secure. And while 41 percent of 1800 surveyed respondents said they had suffered a data breach in the past, fully a third said they had not been breached and didn’t expect to.
Stunningly, 31 percent said they would rather pay a ransom to recover their data than invest properly in security now. Strangely, many businesses are prepared to wear the risk of reputational damage and lost customers that can result from a data breach.
Yet while paying a few thousand dollars to a ransomware extortionist might make sense in a spreadsheet, the prospect of fines of up to $2.1m under the NDB scheme – and 4 percent of global revenues for an egregious GDPR breach – can change anybody’s calculations.
Building a secure data ecosystem
Reforms to other governance, risk, and compliance (GRC) legislation – such as tightening of the Payment Card Industry Data Security Standard (PCI DSS) and coming ‘open data’ frameworks that will introduce an Australian Consumer Data Right – will further increase pressure on executives to comply.
An early decision must be made about which part of the business wears that risk. Although many organisations used to assume that the IT department was exclusively responsible for cybersecurity, increasingly business-focused consequences have seen executive decision-makers taking over the function.
This has changed the nature of the conversation between companies and the security vendors they rely on, with inevitable questions about what appropriate GRC controls involve.
Elements such as identity and access management (IAM) play a role, as do appropriate use of encryption, cloud access controls, and ongoing audits of data holdings as well as penetration testing to evaluate protections.
Managed security services (MSS) providers support these capabilities, adding further value through capabilities such as real-time threat intelligence – which NTT Communications uniquely provides by leveraging its global IP network to deliver live threat insights based on analysis of 40 percent of global Internet traffic.
Real-time threat analysis ensures that businesses can proactively deal with changing global threats, regardless of how risk responsibility is split between business and IT stakeholders. By blocking potential problems early, stakeholders can spend less time pointing fingers and more time lending a hand to strategic growth plans.
Data resources on demand
The network also plays a crucial role in ensuring compliance with changing GRC mandates – particularly as software-defined network (SDN) and software-defined WAN (SD-WAN) technologies allow more dynamic allocation and control of networked resources than ever before. SDN and SD-WAN paradigms are part of a broader effort known as SDx+M – software-defined everything and management – that is setting the pace for data management and protection as required by today’s broadening GRC mandates.
SDx+M – which also includes areas such as SDC (software-defined compute) and SDS (software-defined storage) – combines business process innovation and business model creation to deliver a big-picture approach to data protection.
Supporting its managed services capabilities, NTT Communications offers a broad range of SDx+M capabilities that leverage agile, secure ICT and one-stop management to securely manage virtual workloads across hybrid IT and cloud environments.
Intelligent, flexible networks enable dynamic management of networked devices and workloads as threat-intelligence analysis highlights changing threats and SDx+M links security infrastructure with data transmission services.
That means, for example, that a detected security fault can immediately trigger remediation efforts such as throttling the bandwidth available to a distributed denial of service (DDoS) attack, or disconnecting a malicious outsider who is discovered to be trying to brute-force their way into sensitive data.
The NTT Security 2018 Global Threat Intelligence Report found that brute-forcing is the most commonly used attack technique in the Asia-Pacific region, responsible for 26 percent of all attacks detected against regional targets (rising to 80 percent of all attacks against retail targets and 53 percent against education targets).
Other common cybercriminal activity, including service-specific attacks, application-specific attacks, and network manipulation, can also be more readily detected and dealt with at the network layer in a software-defined environment. Backed by a proactive, real-time threat intelligence feed, businesses can be protected from cybersecurity risk no matter how they manage that risk internally.
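The detect-then-disconnect loop described above can be illustrated with a small sliding-window brute-force detector. This is an added example, not NTT’s own tooling: the log lines are constructed, and the threshold, window and the "disconnect" action record are hypothetical values a controller integration would replace.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in a syslog-like format (not real telemetry).
SAMPLE_LOG = """\
2018-06-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2018-06-01T10:00:02 sshd: Failed password for root from 203.0.113.7
2018-06-01T10:00:03 sshd: Failed password for admin from 203.0.113.7
2018-06-01T10:00:04 sshd: Failed password for test from 203.0.113.7
2018-06-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2018-06-01T10:00:06 sshd: Accepted password for alice from 198.51.100.20
2018-06-01T10:05:00 sshd: Failed password for bob from 198.51.100.20
2018-06-01T10:09:00 sshd: Failed password for bob from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: first_trigger_time} for sources that reached `threshold`
    failed logins inside any `window_seconds` span (hypothetical defaults)."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue  # skip unparsable lines and successful logins
        src, ts = m["src"], datetime.fromisoformat(m["ts"])
        window = recent[src]
        window.append(ts)
        # Evict failures older than the window so bursts, not slow drips, trigger.
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def remediation_actions(flagged):
    """Turn detections into network-layer action records of the kind the article
    describes; a real deployment would hand these to its SDN controller."""
    return [{"action": "disconnect", "src": src, "at": ts.isoformat()}
            for src, ts in sorted(flagged.items())]

if __name__ == "__main__":
    for act in remediation_actions(detect_brute_force(SAMPLE_LOG)):
        print(act)
```

The second source makes only two failed attempts four minutes apart, so the sliding window never fills and it is left alone; only the burst from the first source produces a disconnect record.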
The power of new network and security paradigms reinforces the need for businesses to stop trying to use 20th-century technologies to defend against 21st-century attacks. By first accepting the need for foundational change – and then investing appropriately in risk management processes and intelligent security tools – businesses can meet their evolving GRC obligations while protecting private data more effectively than ever.
Learn more about NTT Communications’ cybersecurity solutions and services: https://www.nttict.com/services/ict-security/