The implementation of GDPR has made good data security an absolute priority for organisations – not only in Europe but worldwide. Kevin Isaac, CRO, Forcepoint, talks to Intelligent CISO about why adopting a risk adaptive model, coupled with a human-centric approach to cybersecurity, will better enable businesses to defend against any potential threats and keep their data safe.
The Cambridge Analytica data misuse scandal ignited the discussion about data privacy, data security and the responsibility we have to look after our digital selves.
Never before have businesses been so accountable for the use, storage and handling of data. And, now that GDPR has come into force, there is understandably far more demand from both consumers and businesses to manage personal data with the sensitivity and respect that it is entitled to.
It’s a complex process to fully understand exactly what data you have, where it is stored – and then find the best security systems to protect it. In a cloud-first, mobile-centric environment, cybersecurity professionals require a flexible and adaptive approach – fixed perimeter security no longer works.
Many firms now realise that the adversary could already be inside your perimeter. All those perimeter defences and all the other points of protecting presence have driven the enemy to the place where compromise is easiest and where it matters most – inside the network.
The risk could come from a range of different intentions – there could be an external attacker who has compromised the security of the enterprise, who is lurking and operating inside your network using authorised credentials, or someone who’s actually permitted to be inside your network but with malicious intent. Or it could be an authorised user making a simple mistake.
Mitigating these types of threat may mean introducing workforce monitoring programmes, which come with a requirement to create a relationship of trust and awareness with employees. Balancing human behaviour against behaviour analytics is a complex process.
Educate, trust, inspire
Cybersecurity vendors, privacy groups and businesses themselves have a huge opportunity to educate consumers and employees on the role that they play in protecting their data and what might happen if individuals with malicious intent manage to take hold of their information.
But, what does this education look like? In order to make a real difference, any education tools need to engage, inspire and be ingrained in a company’s culture, going beyond just basic instructions.
Thankfully, workplace safety culture has evolved from the lengthy, dry health and safety videos of the past. In contrast, we are now seeing a real emphasis placed on communicating the impact of user behaviours, with organisations such as the National Cyber Security Centre and Cyber Security Challenge UK spearheading a diverse approach to cybersecurity education.
Here at Forcepoint, we’re working with Ataata for our internal cybersecurity training. These humorous videos cut through the security inertia which can set in if employees are required to click through screen after screen of training information.
By prioritising educating individuals on the impact of their behaviour and inspiring them to think carefully about their behaviours, rhythms and patterns of data movements, employers and their staff can become stewards of their own data, entering into a partnership and helping to mitigate the increasing risk of threats.
Workforce monitoring is a phrase that instantly drives fear into the hearts of many employees. However, in the wake of recent high-profile cyberbreaches from the likes of Ticketmaster, MyHeritage and Dixons Carphone, it is important that businesses have the processes and solutions in place to not only protect their customers but also employees and their brand as a whole. This is where workforce monitoring can play a key role – not as a threat to privacy, but a force for good in the fight for data protection.
While the vast majority of employees want to do the right thing and have the best interests of their coworkers at heart, it has become painfully obvious that traditional security tools are failing to provide contextual information about malicious attackers – the ‘why’ behind the what.
Without this context, incidents cannot be properly examined and dealt with. In an era where breaches are common, and data is the new currency, both companies and employees can derive real benefit by understanding who is accessing data and whether that behaviour is putting the data at risk.
Whether it’s successfully identifying a malicious user or protecting an employee’s own personal ID and reputation, workplace monitoring is here to stay and is a vital tool for cybersecurity professionals.
There is no denying that people’s attitudes to and understanding of data privacy, cybersecurity and data protection are evolving and changing at a rapid pace.
While cybercriminals will inevitably find stealing data far more difficult, the threat remains. It would be naïve to think that hackers will not evolve and become adept at thwarting the current security protections.
Forcepoint believe that by adopting a risk adaptive model coupled with a human-centric approach to cybersecurity, businesses will be better able to defend against any potential threat. By focusing on the human, we can deliver individualised cybersecurity that is adaptive based on behaviours. Furthermore, with a better understanding of each person’s intent, we can give the context needed to make informed decisions and improve the efficiency of the protective solutions.
With the right processes in place and a culture of trust and transparency, companies can ensure that people are taking real ownership of their data and an active role in protecting their digital selves.
In doing so, we are on the way to becoming stewards of our own data and fundamentally becoming accountable for our own digital footprint. Only then will we be able to build a culture where breaches are a rarity, not a regularity.