Are Data Protection Standards Slipping in the Cloud Era?

Businesses are storing far more data than they need to, putting them at risk of breach and fines. Fredrik Forslund considers how organisations can embrace the cloud’s advantages without falling foul of its security downfalls

 This summer, the ICO reprimanded staff at NHS Lanarkshire for sharing data via WhatsApp and not having appropriate policies, guidance, or processes in place for data protection. Information Commissioner, John Edwards, stated that despite staff “being innovative” in their use of WhatsApp to optimise communication and information sharing while coping with “huge pressure during the pandemic”, there is “no excuse for letting data protection standards slip”.

Yet this isn’t the first time we’ve seen insecure practices resulting from rapid digital transformation during the pandemic. The mass shift from offices to home working led to an explosion of devices being added to corporate networks. One study in 2020 found that one in five UK employees downloaded company data onto their personal devices when working from home – many of which had no password protection.

93% of IT and security decision-makers see cloud-based attacks increasing in the next 18 months

Rapidly shifting to the cloud created risk. Blancco released a report earlier this year finding that while 65% of healthcare and financial services organisations say the switch to the cloud has increased the volume of redundant, obsolete, or trivial data they collect, 36% are only just beginning to implement a policy for data classification and minimisation.

It begs the question of whether organisations are doing enough to sanitise and secure their data. In the age of cloud complexity – with increasingly sophisticated, cloud-based cyber attacks – better data protection processes and policies around managing the entire information lifecycle will be essential to avoid penalisation from the ICO. It’s also necessary to avoid the significant reputational and financial damages that go hand in hand with a data breach.

Digital transformation requires better data management

The public, private or multi-cloud provides plenty of benefits for business agility. As a result, migrating workloads to the cloud has been a top priority for enterprises and the public sector. The aforementioned Blancco report found evidence of extensive cloud adoption across healthcare and financial services industries. Yet, since this rapid digital transformation began, many have discovered that the cloud also has drawbacks. This virtual environment creates more digital complexity as the data deluge continues and the attack surface widens, meaning 93% of IT and security decision-makers see cloud-based attacks increasing in the next 18 months.

65% of healthcare and financial services organisations say the switch to the cloud has increased the volume of redundant, obsolete, or trivial data they collect

To change this, organisations must embrace better practices for working in the cloud and protecting their information. A good starting point is to ensure teams have developed a plan for managing data: how it is collected, processed, securely stored, and then eventually erased. Too often, organisations keep data for longer than they should in case they need it in the future or simply because they don’t have policies for how it should be destroyed. Yet disposing of trivial data drastically limits breach exposure and ensures an organisation complies with data protection regulations.

It’s also important to regularly audit IT equipment and its information. We found that just over half of organisations (55%) can boast a mature data classification model determining when data has reached end-of-life, meaning many businesses still have a long way to go. Frequent audits should allow teams to proactively assess data from start to finish across the information lifecycle, not just at end-of-life, to ensure their organisation has complete control over their data in the cloud age.

Why the Board should care

It’s easy to assume that the ownership over securing cloud data falls to the cybersecurity department, although responsibility for data management is less clear-cut. Is it the role of IT teams, the data protection officer, or perhaps the head of compliance or governance? Ultimately, data security and management need to be the responsibility of everyone across an organisation. They must also become talking points in the boardroom, considering the average data breach cost now sits at $4.45m (£3.63m).

There is also the ongoing cost of a damaged reputation. A recent study found businesses lose 73% of their income in the year following a cyber incident – a collection of the erosion of customer and partner trust, remediation processes and regulatory fines.

We’ve seen the ICO intervene with the NHS when they got it wrong, and they won’t hesitate to fine those in the private sector if they make the same mistakes. The cloud undoubtedly comes with many positives, but it has also led to businesses storing far more data than they need to. This data will cost companies financially – putting them at risk of destructive breaches or hefty noncompliance fines. To avoid severe financial damage, business leaders need to understand the risks associated with trivial data in the cloud and ensure a strategy is in place to protect their organisation.

Fredrik Forslund serves as vice president of enterprise and cloud erasure solutions for Blancco, a division of Blancco Technology Group. Bringing close to 20 years of experience in the data erasure industry, he previously founded SafeIT Security, a security software company focusing on encryption and selective data erasure.