TechBeat: Data protection and compliance
Despite the complex nature of threats and a changing compliance landscape, there are rays of hope in how Irish organisations are facing data challenges, writes PAUL HEARNS
20 June 2016
With the increasing data volumes being handled by organisations, and the relentless focus on regulation, the need for awareness of data protection issues has never been higher. Added to this are the compliance requirements of the new general data protection legislation (GDPR) which will come into force in May of 2018, and others such as EU-US Privacy Shield, not to mention the potential problems that may arise from Brexit, and the landscape suddenly becomes one of danger and difficulty.
TechBeat, in association with Ward Solutions, asked 133 IT professionals in May to answer questions relating to these issues and difficulties, to share their experiences and insights on how Irish organisations are coping with this highly fluid situation.
The survey asked first whether respondents felt data was more or less secure when held in the cloud or with a third party, as opposed to retained on-premises. In what could be interpreted as an endorsement for cloud, the largest proportion (42%) said that they believed data was equally safe whether on-premises or in the cloud/with a third party. However, almost the same proportion (39%) said that they believed data was safer on-premises. Further evidence of the cloud gaining trust was nearly a fifth (18%) who said that they believed data was safer in the cloud or with a third party.
“The fact that 42% of respondents believe that on-premises and cloud solutions are equally safe reflects our experience of an increasing acceptance and adoption among our customers of storing data in the cloud as a viable alternative to on-premises storage,” said Pat Larkin, CEO, Ward Solutions.
“We have identified an increasingly systemic approach to risk assessment/due diligence of cloud versus on-premises solutions and the fact that appropriately secured cloud services are at least as secure as on premise and, in a significant number of cases, more secure.”
Respondents were asked if, in the past 12 months, they had noticed a change in the number of security incidents in their organisation. Somewhat surprisingly, more than half (52%) said the rates were unchanged, but nearly a third (31%) said that security incidents had increased in the 25-49% range. A very small proportion (3%) collectively said that such incidents had fallen by up to 49%. Less than one in 10 (8%) said that such incidents had risen by 50-75% while just 3% indicated a higher rate of growth.
“The fact that 45% of respondents have noticed an increase in the number of security incidents is representative of the current threat landscape, and serves to illustrate the importance of implementing a robust information security strategy,” said Larkin.
When asked about the balance between security and compliance, the majority of respondents (79%) said that with respect to investments in IT security, reducing security risks is more important than achieving compliance (21%).
“Organisations should focus primarily on minimising overall business risk,” said Larkin, “to ensure that they survive, and then apply an appropriate framework such as ISO27001 to ensure that compliance is also taken care of as part of overall business risk management.”
As the supply chain for data processing grows ever more complex, the survey asked how confident organisations were with knowing specifically where, and with whom, data was located. A reassuring one in four (38%) were very confident, while slightly more (44%) were somewhat confident. One in 10 (11%) were not at all confident, and a worrying 7% simply did not know.
Larkin confirmed that this is what was being seen in due diligence investigations of data processing supply chains.
“Despite assurances by organisations at the higher levels in the supply chain as to data location and handling, this is not always borne out in our subsequent audits due either to the weak application of process and controls or lack of visibility and understanding of data processing and handling by sub suppliers in the data processing supply chain,” he said.
Staff competency and trustworthiness is a key element in data protection, and the survey asked about confidence in same. The vast majority (90%) were either somewhat or very confident in staff knowledge and trustworthiness to handle data. Less than one in 10 (9%) were not at all confident and only 1% did not know.