Technology is fast-paced, ever-evolving, fuelled by innovation and customer expectations, and driving the explosion of data not just in magnitude but also complexity. Data complexity and growth can raise further risks when it comes to complying with the latest regulations. Nowadays, software has a short life cycle, sustained by ongoing updates and upgrades. When a piece of software no longer has updates to sustain it, it becomes outdated, most of the times failing to include the latest GDPR considerations. At the same time, many organisations fail to realise that databases are a critical security risk especially from a data protection perspective. It might be obvious, and apart from Denial-of-Service threats, the main goal of many security breaches and the attackers is to gain access to databases to steal a large volume of sensitive information. According to the 2022 Cyber Security Breaches Survey, around four in ten UK businesses (39%) reported having any kind of cyber security breach or attack in the last 12 months, with phishing being the most prevalent.
Many attack techniques, such as SQL injection, are specially designed to compromise database systems. As support for older versions expires, new security updates will no longer be released. Database breaches are often disastrous for companies, potentially costing them millions. If the version no longer gets patches, then the organisation might be in serious risk. Older versions of Oracle database are susceptible to these attacks and are a genuine cyber risk from a compliance viewpoint. Much of the public’s knowledge of GDPR centres on consent to store and process Personal Identifiable Information but organisations will be keenly aware of Article 25 and Article 32. Article 25 relates to “secure by design”/ Data protection by design”. Article 32 requires Data Controllers and Data Processors to implement technical and organisational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data. If you are running old versions of databases that are susceptible to SQL injection attacks, these type of attacks and data breaches can result in significant financial penalties.
Industry specific regulation compliance is nothing new to aviation, medical devices, financial services, but newer operational resilience regulations are expanding into other key sectors to national economies. Network and Information Systems (NIS) and the future NIS 2.0 address Operators of Essential Services. These essential services include logistics and transportation, Energy and Drinking Water Utilities, Healthcare, Digital Infrastructure, Cloud Computing Services, even Search Engines. Although the NIS Directive is focused on cyber-risk mitigation, it also addresses security breaches such as data encryption measures to be taken.
The UK is not immune to new Operational Resilience regulations. The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) define operational resilience as the ability of financial services firms and the finance services sector to prevent, adapt, respond to, recover, and learn from operational disruptions. These new rules will require regulated firms to deeply assess their information security and cyber security defences beyond what is currently required by GDPR and what will be the UK’s successor (Data Protection and Digital Information Bill, amending the existing UK GDPR and Data Protection Act 2018). This should result in greater protection and safeguarding of the personal data of its account holders and other individuals, thereby satisfying the main pillar of financial regulation which is to protect consumers.
Regulatory compliance and the risk of punitive fines and reputational damage are forcing businesses to really understand and simplify the architecture of their data and the applications that use it. Organisations may have hundreds or thousands of data sources, and to get all this under complete control and comply with regulations is an impossible task without the appropriate tools and processes.
There are many risks and challenges connected with trying to reconcile the competing interests of data democratisation and regulatory compliance, which is causing a real headache for many companies. However, adopting a proactive approach by following the next three steps can place your organisation in a far better position than your competitors.
1. Establish Enterprise Architecture and Business Processes by creating an enterprise intelligence repository with integrated views into business strategy, KPIs, capabilities,
processes, applications, information and IT infrastructure, enabling business and IT stakeholders to collaborate and support the planning, analysis, design, risk mitigation and execution of transformation, optimisation and innovation initiatives.
2. Classify Sensitive Data and set Policy by leveraging the data glossary and assigning privacy regulation-specific templates to different business terms and data by creating and associating different tags that relate to specific privacy regulations.
3. Identify Sensitive Data through Data Models by assigning specific attributes in the data model with tags that were defined in the data catalogue. These tags will be implemented into the physical data model that is used to create the physical schemas ensuring the persistence of PII attributes.
Additionally, it is important to discover where sensitive data may be stored and identify sensitive or critical data to set strict policies around its access.
A 3-phased approach is required: Defining, Discovering and Defending against any risks associated with your sensitive and mission-critical data within a company. Firstly, based on the information in the metadata repository and business glossary, IT operations can quickly discover which servers are running databases that contain personal/sensitive information.Then, IT operations can automatically scan databases (Oracle/SQL Server) for personal/sensitive information based on data polling or metadata attributes. Finally, you need to defend your organisation to protect that sensitive data in particular, so putting in place encryption around that sensitive data, masking and redacting that sensitive data.
Furthermore, there a few more steps that a business can undertake to ensure a heightened level of protection of its sensitive data. For information in production, identified data can be encrypted to prevent unauthorised personnel from reading its original state. For non-production data, that can’t be encrypted (for testing, etc), identified data can be obfuscated or masked, hiding its original state. Auditing sensitive data transactions is also crucial, as a requirement of data privacy regulations like GDPR, to create a robust audit trail. Lastly, user endpoints across the enterprise need to be identified, hardened, and secured to reduce the likelihood of intruder access and protect sensitive data, while backups must be stored in a secure place with good retention policies that meet or exceed SLAs. In the end, these methods will bring added value to your data protection initiatives.
With data breaches making the news on a daily basis, data compliance shouldn’t be easily overlooked. In fact, successful companies are the ones that see GDPR and other data protection regulations as an integrated part of their processes and implement the right tools to automate workflows and reduce errors. The fact is, if you don’t get started soon, your organisation could become the next big ransomware headline which can be easily avoided by prioritising compliance in every day business processes and not just a paper based one-and-done exercise.