To meet public and governmental expectations in terms of handling an individual’s data, companies must observe cybersecurity concerns and national regulation. To address this requires careful planning and having available resources.
To explore the multifaceted topic of data privacy further, Digital Journal spoke with JP Perez-Etchegoyen, CTO of Onapsis.
Perez-Etchegoyen begins by considering the ideas behind a good data privacy policy, including what is set out by the annual Data Privacy Day: “There was one headline-grabbing data breach after another last year, as the value placed on data continued to rise. Data Privacy Day serves as an important reminder for organizations across industries to ensure they are taking a proactive approach to governance, risk and compliance to keep employee and customer data out of the hands of bad actors.”
Internal communications are also important, says Perez-Etchegoyen, pulling out: “This includes making certain security teams have complete visibility into business-critical application security, including apps delivered through SaaS, PaaS, and IaaS cloud service models.”
It is important to ensure that the standard business applications are compliant. Here Perez-Etchegoyen observes: “Business-critical applications, like those from SAP, Oracle, and Salesforce, contain vital data (customer, financial, product, employee, etc.) that keep organizations running. While these apps have revolutionized how businesses worldwide operate, they can introduce unnecessary risk if not properly managed and secured.”
In terms of the types of things that can go wrong, Perez-Etchegoyen identifies: “Misconfigurations, unauthorized or excessive privileges, and other vulnerabilities can lead to data breaches that take company operations offline, put employees and customers at risk for further compromise and tarnish a company’s reputation.”
The types of things that can go wrong and cause reputational damage are highlighted by Perez-Etchegoyen: “What’s more, a number of reasons are contributing to making these business-critical applications are more vulnerable than ever:. (a)Diverse stages of Digital transformation processes, These applications are in various stages of transformation,(b) Remote work and availability from anywhere made have become them more accessible from outside of the organization’s four walls, and (c) These applications are being increasingly connected to an increasing number of applications on-premises and in the cloud and finally (d), the new technologies that support these applications are increasingly complex and if not properly managed, could introduce additional risks.”
Outsourcing brings with it further complications. According to Perez-Etchegoyen: “As organizations continue to move applications to the cloud or third-party services, they must recognize their attack surface is expanding. These apps share sensitive information with other applications, which leads to interconnected risk. In an interconnected risk environment, one misconfigured system or security vulnerability can put the entire enterprise at risk.”
To address these various concerns, Perez-Etchegoyen says: “Companies should adopt a comprehensive vulnerability management solution to protect their business-critical applications by providing deeper visibility, automated assessments, detailed solutions, and descriptions of associated risk and business impact. Timely patching is critical for ensuring business applications and data aren’t compromised.”
Sanctions can come from different areas, both in terms of falling short in terms of cybersecurity – and hence losing clients – and breaching consumer privacy legislation. As Perez-Etchegoyen indicates: “It’s also important to note that the data stored in business-critical applications like SAP is heavily regulated, which means that we are not just talking about cyber risks, but compliance and legal risks, including potential fines and liability to the company and in some cases its executives.” This means spending time and putting in sufficient people to achieve such objectives: “Additionally, organizations traditionally must invest significant resources for audits to ensure they are protected and in compliance. Organizations should seek out automated solutions to streamline the auditing of IT controls. This process will reduce the overall risk profile of business-critical applications and, thereby, the organization, as well as free up valuable employee resources. It will also help organizations achieve more accurate risk reporting (eliminating human error) and avoid surprises by proactively assessing systems against regulatory requirements.”
