Very few companies in SE Asia are at the highest level of data life cycle management maturity, says this expert.
With the introduction of increasing national data privacy legislations globally, many people had hoped that new regulations would shed more light upon the mysterious world of data utilization amongst businesses. Sadly, this is not yet clear and understood.
A few months ago, a colleague of mine approached both a prominent bank and a popular e-commerce platform to enquire about the type of data they have collected from her, a long-time customer, over the years. The former responded within a matter of days, but no word from the latter till today.
This showcases that some organizations have not fully figured out how to approach privacy and information security. Business and IT leaders need to take a step back and assess how their data is captured, stored and used, in order to be able to clearly outline the flow of data. They should not be “praying” that their data will not be targeted—this is just a matter of time; instead, they should be “believing” in their data management model and ability to stay resilient in the face of cyber threats due to the increasing value of personal information to cybercriminals.
Maturity in the data life cycle
When data enters an organization, it typically goes through five stages: collection, categorization, policy execution, protection and retention, and governance—each representing a level of maturity in data lifecycle management.
In Southeast Asia (SE Asia), very few organizations have managed to reach the governance stage—most exhibit signs of struggle even as early as the collection and categorization phases. Data is gathered in all forms: paper, electronic forms and files, images and video files; and it includes personal information such as national identity numbers, address, credit card numbers and health records. Companies in SE Asia that experienced breaches in the last 18 months (including hotels, airlines and healthcare providers) have all demonstrated a lack of ability to understand the data affected and to communicate that to all affected customers. This would indicate a lack of understanding of why, where and how data is collected, used, stored and protected.
Depending on where a company is in terms of data maturity, we place it in one of the three modes: “pray”, “hope” and “believe”, which reflect its respective confidence level regarding data security and protection.
- Data collection
The life cycle begins with data collection, a task that has been made easier than ever before. However, collecting vast amounts of unnecessary data can create challenges.
Firstly, organizations may end up spending resources on storing data that they can neither identify nor analyze. More importantly, regulators are recognizing that the “collect first, ask questions later” approach may put users’ privacy interests at a lower priority level. Referenced in the EU’s general data protection regulations, it is now compulsory for many companies to protect data by design and by default. This means applying data protection principles right from the start of the data lifecycle.
Organizations should also limit personal data collection to what is necessary to enhance the business. A discerning approach not only reduces associated risks but also aids cost-saving efforts. It costs organizations money and presents ongoing unnecessary risk if they continue to store data that they no longer need, typically defined as data that is redundant, obsolete or trivial (ROT).
At this stage, organizations have in their hands critical customer information, but without knowing exactly what it is, or how it can be protected, they can only “pray” that they will not be targeted by bad actors.
- Data categorization and policy execution
The second level of data maturity involves data classification, which includes data tagging to make it easily searchable and trackable. It also eliminates multiple duplications of data, which can reduce storage and backup costs while speeding up the search process. Once data is appropriately categorized, organizations can apply policies—these can be adopted based on law, regulation or a corporate rule. A policy could also identify who can access the data. Poorly protected data sets with loose restrictions on access permissions create a desirable target for attackers.
We refer to this as the “hope” level. An organization that has incorporated policies and levels of protection to secure the data sets can only hope that potential attackers will be deterred from digging deeper.
- Retention and governance
The initial stages of the data lifecycle described above take care of the “logistics” of data. Appropriate retention and governance become the “strategy” of data.
Regarding data retention, the rule is simple—if you do not need data, delete it. The less data is stored, the less damaging a potential attack or breach will be. Data retention is in fact covered under data protection regulations that explain that data should only be retained if it is still serving legal or business purposes.
Governance is an important business strategy and should be reached by consensus across the company. Determining an organization’s data governance can include a wide range of processes and practices. It may overlap many data areas such as security, compliance, privacy, and usability. The result may be a system that determines which data processes are used when and by whom, and which people can take certain actions under specific circumstances.
The ultimate goal of governance is to create a holistic way to control data assets so that the company can extract absolute value from the data, while keeping it safe.
In this stage, organizations are able to manage and optimize the data. We refer to this as the “believe” level—an organization is confident about how the data is managed and protected. Businesses that have reached this stage believe they possess the tools and protocols necessary to successfully defend against a potential attack.
Organizations that can protect data at every stage of the data lifecycle can confidently say that they are able to deter attackers and prevent a potential breach. Data should ultimately be placed in what is known as a defensible disposition, and this includes destruction. Data is the new currency and a critical asset to the organization, so it makes sense to treat, manage and protect it as such, adopting robust security measures and management systems.
If you do not know what you have got, how will you know when it is gone? The worst way to find out is when your CEO and board read about it in the media headlines.