7 Low-Cost Security Controls to Ensure Data Privacy Compliance
It’s been a couple of years since I last visited my home country, Nigeria. Since then, digital adoption there has accelerated. Today, for example, Nigeria arguably has one of the most sophisticated and secure financial systems in the world. The country now also has more pervasive remote point of sale (POS) systems. Taxis have become more accessible via ridesharing apps. The list goes on.
A lot has changed. Not just in Nigeria, but around the world.
While digitization is progressing, some businesses aren’t yet prepared to take on the cost of full transformation, including setting up the proper governance, tools and architecture; recruiting, training and retaining experts; and keeping pace with the volume and complexity of data security threats. This is resulting in some unique security and compliance concerns for companies operating in countries on the slower end of the digital adoption bell curve.
Regardless of where they are located, however, organizations face many challenges with data and privacy, including securing their assets, hiring and retaining security experts, utilizing various security tools, and keeping pace with the volume and complexity of modern threats. For context, once GDPR came into effect in the UK, a wave of regulations with similar frameworks emerged all over the globe — Nigeria included. The Nigerian Data Protection Regulation (NDPR), like many others, was established to regulate collection and processing of data. These regulations mandate that all organizations that process personal data must submit a data protection audit report to the National Information Technology Development Agency (NITDA) annually.
Focusing on foundational controls may, however, help protect businesses and lower security risks at a minimal cost. There are seven low-cost security controls that can be implemented without breaking a budget when scaled to the size of the enterprise.
- Implement actionable policies and procedures. Security policies and procedures set out expectations and rules for acceptable conduct by employees. Establishing internal governance helps leaders exercise appropriate care in protecting the organization.
- Identify and classify data. The organization needs to start by identifying and classifying the types of data that it's storing and align this with the business and regulatory requirements for the storage of data.
- Enforce least privilege. Employees should have only the minimum access required to perform their duties. Decisions to permit access to sensitive information, data, systems and applications should be based on need-to-know business cases.
- Separate duties. Separating duties prevents any single individual from maliciously damaging the organization without collusion. No one person should have full autonomy across the business.
- Securely destroy unneeded information and data. A fully implemented and enforced data retention policy lowers data breach risk. Sensitive data that is not required to meet a specific business purpose has the potential to be compromised if not properly destroyed.
- Implement a disaster recovery (DR) plan and an incident response plan (IRP). Organizations should create and test both a DR plan and an IRP that cover detection, response and recovery.
- Provide security awareness training. Employees are a critical line of defense against threats. It is important that they understand the risks the organization faces, how to prevent them, how to respond and whom to notify should they occur.
All of the above recommendations are pillars of most privacy regulations. Organizations everywhere will also need to consider any further action that might be necessary to ensure data protection compliance, such as architecting security into systems, identifying a legal basis for processing, working closely with regulators to help ensure compliance, training staff on data handling practices and staying informed about changes in law and technology.
In addition to this list of low-cost controls, the cloud also offers significant advantages for solving long-standing information security challenges. By purchasing a software-as-a-service (SaaS) application license, organizations can move work and regulated data into the cloud to address specific risk, regulatory and compliance requirements. Depending on the specific technology selection and SaaS your organization deploys, a wide range of security protections will be built directly into the service. With a cloud-enabled approach, you can shift many of your organization’s day-to-day security responsibilities to your cloud provider and reallocate existing company resources.
There’s no longer any need for organizations to take on the complexity of spinning up physical infrastructure. Investing in low-cost, foundational controls — with help from the cloud — will likely lower your company’s security risk, ensure a positive return on investment, and demonstrate value and due care to stakeholders regarding the way your organization handles sensitive data.