Most business leaders today would agree that innovation is a business imperative. In this new digital climate, “Industry 4.0” technologies such as machine learning, robotics and the IoT are racing forward, underpinned by data drawn from a vast array of sources.
This creates an important dilemma for information security (InfoSec) teams. As gatekeepers for data entering and leaving the business, they can be highly risk-averse to sharing data between departments or organizations, or introducing new data technology into the business. Their concern is understandable, with the average financial impact of a data breach having risen to $3.92 million in 2018/19, according to latest figures from IBM.
So, how can InfoSec maintain robust data security, while still facilitating the information sharing and collaboration the business needs to remain competitive? Here are the top considerations to keep in mind when writing the rules for data sharing in your organization.
More consumers now exchange their data for improved service, with the goal that both sides benefit from the transaction. For any such exchange, it’s crucial that customer privacy is maintained in order to avoid the risk of regulatory penalties or other business losses.
Consider the “creepiness factor” – that is, ensuring that data customers have willingly disclosed for things like customer retention programs or that programmatic advertising isn’t being used beyond its intended purpose. Removing personally identifiable information (PII) from datasets being exchanged or analyzed can help remove the risk of customer data being misused.
The success of a data-sharing initiative depends on the right data being available to the right individuals and teams, at the right time. It means InfoSec teams must be able to retain full oversight and control over users’ data access, visibility, and approved use cases.
A data sharing solution with integrated governance controls allows InfoSec to set these parameters based on the associated project risks, rather than simply hoping that people adhere to the right processes and policies. Additionally, all data held within a corporate data sharing environment should be able to be encrypted as per industry standards, such as the Advanced Encryption Standard (AES).
The borderless nature of data opens up huge opportunities for commercial innovation, but also equally big risks. Such risks can be mitigated with measures to protect the privacy and security of any sensitive and personal information being shared.
Applying strong encryption to data when it’s both in transit and at rest is vital, as is how you manage encryption keys. Will you use multiple keys for the same data? How will key backup and recovery occur? Will you opt for a physical, virtual, or software-as-a-service (SaaS)-based key management system?
One of the most common data encryption techniques is hashing, which is used to mask sensitive fields before sharing data. However, it’s important to keep in mind that hashing is susceptible to brute force attacks that allow hackers to reidentify PII. Combining hashing with other methods such as salting and blockchain can reduce this risk significantly.
As mentioned, it’s critically important that sensitive shared data is not utilized outside its original purpose. An important piece of this picture is ensuring that once a data sharing project is finished, user permissions can be rescinded quickly and easily, along with the data sharing environments themselves.
Data Republic’s Senate Platform ensures constant data integrity with project-based license agreements before any access to data is enabled, and quarantined analytics environments where all interactions with datasets are audited. A single data sharing process, platform and audit trail ensures compliance, while allowing teams to focus on innovation.
In any data project, InfoSec teams will want to ensure that every flow of data is compliant with the intended use of that data, along with any other special conditions. That includes any outputs extracted from the project, such as important customer insights. Depending on the level of risk involved in the project, outputs may need to be checked against the intended use.
Recent data sharing crackdowns, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), have implications stretching across the globe. The GDPR recommends “data protection by design”, wherein data safeguards are baked into products and services.
Good data governance processes can help InfoSec teams stay compliant with these new laws. Adopting what Forrester Research has referred to as the ‘data governance 2.0’ approach – where the governance platform serves as an enabler, not a roadblock – will allow your team to reduce the risks of data sharing, while ensuring competitive advantage isn’t compromised.
These six considerations are necessary for InfoSec teams and the wider organization to ensure data security is maintained without stifling innovation and collaboration. With the right strategy, processes and technology, data collaboration does not have to be an InfoSec concern.