Data Breaches are Just The Tip of The Iceberg For Data Privacy

Head of Solution Engineering, Japan, Korea, Southeast Asia, Taiwan, and Hong Kong at Commvault 

The average time to identify a data breach is 212 days, and one in three Singaporean organizations have suffered losses of up to $1.348 million as a result of these incidents. RedMart is one of the latest victims to fall prey to such attacks. To combat the increasing threat of data breaches, Singapore has increased the financial penalties for such incidents. However, is this enough? The truth is, most companies lack internal policies and frameworks for managing personal data and have inadequate cybersecurity practices. These shortcomings make them vulnerable to data loss. Coupled with poor data visibility, lack of interoperability, excessive data retention, and new regulations, cyber fatigue has set in, and some companies have given up on proactively defending against attacks. This article explores the current state of data privacy and cybersecurity in Singapore and examines how companies can better protect themselves from data breaches.

CIO World Asia spoke with Daniel Tan, Head of Solution Engineering, Japan, Korea, Southeast Asia, Taiwan, and Hong Kong at Commvault about data privacy and how companies can further secure it.

Strategies for Businesses to Enhance Data Protection through Encryption

With the rise of remote work, cloud computing, and an increase in digital data, organisations face a growing risk of cyberattacks. The hybrid and multi-cloud model, although efficient and productive, exposes companies to potential vulnerabilities and security risks. As both customers and organisations pay more attention to data protection, it is crucial for businesses to create a reliable data protection strategy.

To start, businesses need to understand the types of data they collect and where they reside. A risk assessment can help identify potential threats and vulnerabilities, and allow companies to prioritize security measures to protect sensitive data. Implementing a multi-layered security strategy, which includes anti-malware, firewalls, data encryption, and data loss prevention software, is also crucial.

However, not all companies have the internal security team to prevent and handle threats. Software-as-a-Service (SaaS) is a flexible cloud-delivered solution that can help effectively protect and secure data with no backup infrastructure to manage. For example, Commvault launched Metallic ThreatWise, a SaaS-based data management solution that leverages cyber deception technology to insert more friction into an attacker’s modus operandi.

It is also essential for organisations to have a “when, not if” mentality when it comes to data protection. All companies, regardless of size, need a Zero Loss Strategy built on Zero Trust Principles and applied through a multi-layered security framework. This approach can help provide data integrity and visibility to better plan, manage, and reduce the impact of attacks.

In Singapore, where data protection is of great concern, the government has increased the financial penalty cap for breaches under the Personal Data Protection Act. Customers also want more control of their data, with eight out of ten consumers wanting the option to control their data and not leave it to the discretion of the company or government. By implementing a reliable data protection strategy, businesses can protect their customers’ data and their own reputation, safeguarding themselves from potential losses due to security breaches.

Leveraging Multi-Person Authentication and Strong Passwords for Confidential Documents

In today’s digital age, organisations face a constant threat of cyber attacks on their confidential data. To strengthen data protection systems, organisations should consider leveraging multi-person authentication (MPA) to add an extra layer of security to sensitive information. MPA requires two or more individuals to authenticate themselves before accessing critical data, commonly using a combination of biometric and traditional authentication methods such as passwords.
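The rule described above, that two or more individuals must authenticate before critical data is released, can be sketched as a small access gate. This is an added example, not code from the article or from Commvault; the class name, the five-minute window and the `verified` flag (standing in for a real password or biometric check) are assumptions.

```python
REQUIRED_PEOPLE = 2          # "two or more individuals", as the article puts it
APPROVAL_TTL_SECONDS = 300   # assumption: an authentication counts for 5 minutes


class MultiPersonGate:
    """Releases a resource only when enough distinct people have authenticated."""

    def __init__(self, authorised, required=REQUIRED_PEOPLE, ttl=APPROVAL_TTL_SECONDS):
        if required < 2:
            raise ValueError("multi-person authentication needs at least two people")
        self.authorised = set(authorised)   # identities allowed to take part
        self.required = required
        self.ttl = ttl
        self._seen = {}                     # resource -> {person: time of last success}

    def record(self, resource, person, verified, now):
        """Store one successful authentication; return False if it is rejected."""
        if not verified or person not in self.authorised:
            return False
        # Keyed by person, so one individual authenticating twice still counts once.
        self._seen.setdefault(resource, {})[person] = now
        return True

    def fresh_people(self, resource, now):
        """Distinct people whose authentication is still inside the time window."""
        seen = self._seen.get(resource, {})
        return {p for p, t in seen.items() if 0 <= now - t <= self.ttl}

    def can_access(self, resource, now):
        return len(self.fresh_people(resource, now)) >= self.required


if __name__ == "__main__":
    gate = MultiPersonGate({"alice", "bob"})          # constructed identities
    gate.record("payroll.xlsx", "alice", True, now=1000)
    print(gate.can_access("payroll.xlsx", now=1010))  # one person only
    gate.record("payroll.xlsx", "bob", True, now=1020)
    print(gate.can_access("payroll.xlsx", now=1030))  # two distinct people
```

The gate counts identities rather than authentication events, and stale authentications drop out of the count, so a single person cannot satisfy the requirement by logging in repeatedly or by reusing an old approval.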

Apart from MPA, organisations should implement basic security processes to enhance their data protection systems. It is essential to enforce the use of strong passwords, which should be at least 12 characters long and include a mix of upper and lower cases, numbers, and special characters. To maintain good cyber hygiene, it is also crucial to change passwords regularly and avoid using passwords that are inspired by personal information such as names, phone numbers, or birthdays. By following these measures, organisations can significantly reduce the risk of unauthorised access to their confidential information.
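The password rules above (at least 12 characters, all four character classes, nothing derived from names, phone numbers or birthdays) can be enforced at the point where a password is set. The following is an added example, not code from the article or from Commvault; the function names, the date formats checked and the sample user are assumptions constructed for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # minimum length given in the article
CLASSES = {
    "upper-case letter": r"[A-Z]",
    "lower-case letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}

def personal_tokens(names, phones, birthdays):
    """Lower-case fragments of personal data that must not appear in a password."""
    tokens = set()
    for name in names:
        tokens.update(p.lower() for p in re.split(r"\W+", name) if len(p) >= 3)
    for phone in phones:
        digits = re.sub(r"\D", "", phone)
        if len(digits) >= 4:
            tokens.update({digits, digits[-4:]})
    for b in birthdays:
        for fmt in ("%Y", "%d%m", "%d%m%y", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            tokens.add(b.strftime(fmt))
    return tokens

def check_password(password, names=(), phones=(), birthdays=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    for label, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    # Strip separators first so "T.a.n" or "45-67" cannot hide personal data.
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    for token in sorted(personal_tokens(names, phones, birthdays)):
        if token in squashed:
            problems.append(f"contains personal information: {token}")
    return problems

# Constructed sample user (not real data).
SAMPLE = {"names": ["Mei Ling Tan"], "phones": ["+65 9123 4567"],
          "birthdays": [date(1990, 3, 7)]}

if __name__ == "__main__":
    for pw in ("Summer2024", "MeiLing@1990", "T.a.n-4567-Xy", "Vq7#tR2m!Lx9zK"):
        print(pw, "->", check_password(pw, **SAMPLE) or "OK")
```

`MeiLing@1990` satisfies the length and character-class rules yet is rejected, because it is built from the user's name and birth year; the personal-information check is what catches passwords that only look complex.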

Importance of Understanding Data and Regulations for Effective Prioritisation and Protection

As more organisations adopt cloud-based solutions, data has become the core of every company. However, businesses must understand the types of data they possess, collect, and share to ensure that each classification has its unique security needs met. Governments worldwide are now placing more emphasis on data privacy and protection, such as the newly enacted Data Protection Act in Indonesia and Singapore’s hefty fine for breaches.

With cyberattacks on the rise, data protection is now a top priority for business leaders. To ensure data resiliency, adaptiveness, and security, organisations need to understand how to protect critical data and adhere to regulations. An ideal solution should be simplified, providing security across hybrid cloud environments and workloads, and include multi-layer ransomware protection and immutable backup copies in the cloud. By prioritising data protection and understanding the latest regulations, organisations can make informed plans to ensure the security and resiliency of their data.

Determining the Retention Period and Lifespan of Data

Understanding how long to keep data and what factors determine its lifespan is essential for any organization. The retention of data is dependent on various factors such as legal requirements, business needs, and storage capacity. For instance, financial records may need to be retained for several years while customer preferences may only need to be kept for a shorter period. The lifespan of data is also affected by the type of data, storage medium, and usage. Storage mediums such as hard drives, solid-state drives, and magnetic tapes have different lifespans, and it’s essential to have systems in place to manage and set retention policies.

Data lifespan can also be affected by natural disasters, physical damage, and technology obsolescence. Therefore, organizations need to have proper data backup and disaster recovery plans in place to restore lost or damaged data. By automating the process of data retention, classification, and recovery, organizations can reduce the chances of data sprawl, minimize costs, and recover data more efficiently. Proper data management helps organizations to meet their legal requirements, reduce risks, and secure sensitive data, ensuring business continuity in case of data loss or damage.

Responsibilities of a CIO in Data Protection and Ensuring Their Organisation’s Data is Adequately Protected

As the digital world becomes increasingly complex, CIOs are taking on more responsibility for managing and protecting their organisation’s data. One of their primary roles is to develop and implement data strategies, governance frameworks, policies, and procedures that ensure the security, privacy, and integrity of data assets. They must also ensure that the organisation complies with relevant data protection regulations, such as the GDPR and PDPA.

However, complying with regulations can be a challenge, especially for multinational organisations with operations in multiple countries. Partnering with an experienced data protection provider can help streamline this process and reduce costs. Disaster recovery plans are also the responsibility of the CIO, who must outline procedures for recovering data in the event of a cyberattack, such as ransomware. A Zero Loss security strategy and early warning and threat detection systems can minimise compromised data and its business impact.

Even smaller organisations with limited resources can take steps to protect themselves. For example, employee awareness of phishing campaigns and suspicious websites is crucial. Software and applications should also be kept up to date to reduce the risk of ransomware exploiting common or recently discovered vulnerabilities.

SMEs with limited cybersecurity expertise and resources can leverage public resources, such as CSA’s Cyber Essentials mark, a certification programme designed to help enterprises safeguard their systems and operations from cyber-attacks. Alternatively, SaaS-based data solutions can handle everything from protection to governance and optimisation, enabling organisations to focus on their core business activities.