Traditional approach does not meet current cybersecurity demands

by Carlos Rodrigues, vice president Latam at Varonis

Protecting data from attackers while complying with the General Data Protection Law is a major challenge for CISOs. In the last six months we have seen several companies suffer from data breaches. And the reason is easy to see. The problem most companies face is a traditional approach to information security that is flawed and outdated.

In this context, CISOs spend a lot of their time focusing on endpoints, perimeters and firewalls, leaving data security on the back burner until a breach happens.

These traditional security measures, while maintaining compliance and reassuring management, are masking the problems that are exposed when an incident happens or even when data protection law requires a change of focus.

At this point, getting data security in order can seem like an arduous task, and it can be difficult to know where to start. That’s why, in this article, we’ll show you why the traditional approach is flawed, and present an accurate cybersecurity roadmap and how to implement it.

Times have changed

When planning and defining a strategy for data protection, many companies tend towards the traditional playbook. This playbook approaches security from the outside in, focusing on external devices and trying to prevent them from accessing your data. This includes endpoint protection, SIEM and firewalls.

This approach worked for a while, when companies stored all their data on their own machines, locally managed servers or local data centers. But the way organizations create, store and access their data has changed, especially with the rise of remote and hybrid working.

Today data is stored in different locations, in the cloud and in SaaS applications, all housing and processing different versions of that data. So this traditional playbook is no longer effective.

A CISO cannot protect data without knowing that an accounting employee has enrolled staff in unprovisioned SaaS. This makes the data vulnerable and the traditional approach will not be able to do anything to protect that data.

More than a technology problem

Faced with a scenario like this, it’s not entirely the accounting employee’s fault.

The organization is made up of humans with their own priorities, responsibilities and failings. These people make choices about how they want to work and about the goals they should or want to achieve. Therefore, it is necessary to approach data security as more than a technology demand.

Most of the time, when we talk about cybersecurity, we focus on applications, databases and APIs. That is a big part of it, but it doesn’t show the full picture. The people in your organization play an equally important role and can often pose even more risk than technology.

Privacy policies are a great example. Signing a document does not mean that the person will actually adhere to that policy.

Another problem is that large amounts of data are created daily in all departments of the company and it is necessary to stay on top of what everyone is creating, editing, storing and accessing.

For example, take a file with sensitive data: how do you know who can access that document? On the first day, only one person may have access, in compliance with the privacy policy.

Then that person shares that document with a different teammate, who then shares it with a larger group, unaware that that information is confidential. Then someone on the team uses that data in a sales presentation. At that point there is no longer compliance with the privacy policy.

Situations like this can arise easily and may seem impossible to prevent. The first step is to understand that there is no ready-made solution. The reality is that the company will continue to generate new data, add people and, unfortunately, also remove people from teams.

Therefore, the traditional playbook will not work. It is necessary to change tactics and adopt a data-first approach. That is, identify the data that is already at risk in order to protect it, and implement structures and tools that do this automatically.

https://defconpress.com/pressbrasil/abordagem-tradicional-nao-atende-demandas-atuais-de-ciberseguranca/
