The importance of securing critical data
The world has changed extensively since traditional cybersecurity tools were invented.
Gone are the days when critical data resided solely in a company-owned and managed data center protected by a bulletproof firewall, if such a utopia ever existed. Digital transformation, globalization and a free-floating workforce that is logged into the most convenient Wi-Fi connection can spread a company’s data to the four corners of the earth.
When critical data is everywhere, protecting that data is even more critical. The means and methods used to protect data and the credentialed users of data need to evolve as well—to meet the complex needs of today and tackle the challenges of tomorrow.
The location of customer data and the relevant regulations create a compliance challenge
Traditionally, it was easy to know where data is located and, hence, which government regulations apply. For example, if the data center is in the KSA, then the data is too. But the rise of virtual data centers, the growth of cloud storage and an increase in data shared across borders have led to complexities in data access, security and compliance.
A U.K.-based provider of card protection and phone insurance services, CPP Group, faced this exact challenge in recent years. While based in the U.K., CPP generates a majority of its revenue from India and relies on the protection of customer personal and financial data to maintain its reputation. The combination of its global reach and its business model creates a regulatory compliance tangle.
As a U.K.-based company, it must adhere to geographic regulations such as the European Union’s General Data Protection Regulation (GDPR), industry standards like the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001 guidelines and national data protection standards in the individual countries where it operates.
And India recently enacted laws that require financial data like people’s payment card information to be stored locally by financial services companies operating in-country. Other countries where it operates, such as Turkey, are in the process of creating similar rules for financial data.
Until recently, CPP Group maintained all of its card data at its U.K. data center and ran all its databases on its U.K. policy system. But now this data must be secured across an Amazon Web Services (AWS) cloud environment, as well as locally in the U.K., India, and other global locations, while database policy is still maintained and set in the U.K.
The challenge is to maintain smooth workflow while accommodating a “more complex data security policy as more countries start insisting on data residency within country,” Patrick Viner, the company’s IT operations manager, said. “We’re in the middle of quite a big project to develop a new platform to accommodate the model so that all data is housed in-country in nations where the company operates payment card services.”
A mobile workforce can cause data security holes and risks
Data is not just moving out of data centers. It’s also moving with employees to coffee shops, airports, and even the street—today more remote workers than ever before are logging on from anywhere there’s an internet connection. In fact, a survey from Bayt.com showed that almost three quarters of Middle East professionals believe that telecommuting is a good idea for both the employer and employee.
While an increase in working outside the traditional office network and perimeter can lead to increased employee productivity and job satisfaction, it can cause headaches for companies trying to ensure, first, that the network is safe; second, that the sensitive data accessible within the network is safe; and third, that the company is in compliance with applicable privacy regulations.
A leading Turkish airline, Pegasus Airlines, ran into this issue when it found that its mobile employees’ increased reliance on unsecured wireless connectivity to work remotely from restaurants, hotels and the various airports the airline serves created an opening for malicious plug-ins to be downloaded from the internet and introduced to the office and network environment. Private and valuable customer data was at risk without a solution that could shield personnel wherever they worked. Data thieves spoofing employees’ identities and credentials to access critical data was a threat the airline had to take seriously. Plus, regardless of where employees worked, the company was required to comply with GDPR and the Turkish Personal Data Protection Authority, which fines non-compliant companies up to one million Turkish liras.
In this case, a move to the cloud became the data protection solution, instead of the challenge. Pegasus Airlines migrated its web security to the cloud in order to reach remote and roaming users—both on and off the corporate network. This ensures that employees taking their laptops on the road to unsecured locations will not unintentionally introduce malicious software, with the potential to steal data, onto the company network.
At the same time, Pegasus Airlines added data loss prevention (DLP) software to safeguard all of its data, wherever it resides. In just three months, the solution documented more than 400 terabytes of data throughout the airline’s data center systems, databases and cloud-based systems, including unstructured data found in email messages, documents and other types of files.
This DLP solution has also been successful at protecting the airline’s employees from impersonation attempts by malicious actors. The solution uses behavior analytics to provide deep insight into high-risk user and system activities and can flag unusual user or device behavior that might mean the theft or corruption of data is being attempted. Another pillar of the airline’s cybersecurity is a cloud access security broker (CASB), which provides visibility and control over cloud use within the enterprise.
Modern strategies required to address modern risks
While companies increasingly rely on the modern strategies of global growth, transition to the cloud and a flexible workforce to increase productivity and profits, these same efforts can spread sensitive and critical data in a way that opens the door to new threats and new challenges. It’s more important than ever for successful companies to rely on modern security strategies to keep critical data and employees safe in a risky and complex world.