Data governance – making sure sensitive information doesn’t end up in the wrong hands

By Jon Fielding, Managing Director EMEA, Apricorn


Deciding how an organisation’s sensitive data should be protected and who is responsible for this is an important process. A wrong decision could not only cost a company its reputation, but also result in huge financial fines.

In the third quarter of last year, the Information Commissioner’s Office (ICO) fined the Verso Group, a lead generation and data gathering company, £80,000 for non-compliance with data protection law. In the same period, reported data security incidents rose by nearly 20 percent, with general business, education and local government reporting the most. This comes as no surprise: according to recent news, Wigan County Council had experienced more than 80 data breaches over two years. With the impending General Data Protection Regulation (GDPR) promising a no-holds-barred approach to data protection negligence, and risks continuing to evolve, what can organisations do to make sure they are protecting their sensitive data?

Understand your data

Companies need to monitor carefully both the data being created inside their organisations and the data leaving them. For government, healthcare, finance and education, which generate, store and move copious amounts of sensitive information across their networks, the implications are dire if the correct controls are not in place.

In some instances, designation of a data protection officer (DPO) is mandatory under Article 37 of the GDPR. Where a DPO is appointed, they will work alongside the IT team on the security policy and strategy and will also be responsible for reporting. The DPO will need to document exactly what data is collected and how it is processed, stored, retrieved and deleted throughout its lifecycle, to pinpoint where data may be unprotected and at risk. That analysis then makes it possible to delete all unnecessary data and to identify the technologies, policies and processes needed to remedy any shortcomings, allowing for a proactive rather than reactive approach. This is especially important where employees move data onto removable media such as USB sticks, into cloud services, or onto other external devices.

Create effective policies

With the GDPR coming into effect in May 2018, it is more important than ever for businesses to ensure comprehensive security policies are in place and enforced. Data security must not only be considered internally but also when data is taken out of the office and beyond the confines of the internal corporate network.

London-based consultancy Willis Towers Watson found that 90 percent of all cyber claims stemmed from some type of human error or behaviour, and a survey by Apricorn found that 50 percent of companies did not require employees to seek permission before using external USB drives. Either factor is risk enough for a business to suffer a breach; combined, they are an accident waiting to happen. A case in point: in November 2016 the personal details of more than 130,000 current and former US Navy personnel were exposed in a breach linked to the compromise of a third-party supplier’s laptop. It is a prime example of how lax security policy leaves organisations open to data compromise and attack.

With all this in mind, companies need to take control of their data by implementing security policies that are enforced on the endpoint, not just written down. These should include allow-listing (whitelisting) of approved removable devices and blocking of every device not on the list. One caveat: a list keyed only on USB vendor and product IDs can be satisfied by a malicious device that simply reports the same IDs, so where the platform supports it the list should also pin each approved device’s serial number, and the default for any device it does not recognise must be to block.
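As an added illustration of the allow-list-and-block-the-rest rule (example code written for this page, not Apricorn’s product code nor the implementation of any real device-control tool), the following Python evaluator models how host device-control tools such as USBGuard walk an ordered rule list with an implicit default of block. The vendor IDs, product IDs, serial numbers and the policy itself are constructed for the example; on a real host the device attributes would come from the operating system’s device tree.

```python
"""Default-deny allow-list for removable USB devices (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# USB interface class codes from the USB-IF class code list.
MASS_STORAGE = 0x08   # flash drives, card readers, phones in MSC mode
HID = 0x03            # keyboards, mice


@dataclass(frozen=True)
class UsbDevice:
    """What the host sees when a device enumerates. Every value here is reported by
    the device's own firmware, so vendor/product IDs alone prove nothing."""
    vendor_id: int
    product_id: int
    serial: str
    interfaces: FrozenSet[int]   # interface class codes the device exposes


@dataclass(frozen=True)
class Rule:
    """One policy line. Every field that is set must match; unset fields are wildcards."""
    action: str                                   # "allow" or "block"
    vendor_id: Optional[int] = None
    product_id: Optional[int] = None
    serial: Optional[str] = None                  # pins one physical unit, not a model
    interfaces_equal: Optional[FrozenSet[int]] = None   # device exposes exactly these classes
    interfaces_any: Optional[FrozenSet[int]] = None     # device exposes at least one of these

    def matches(self, dev: UsbDevice) -> bool:
        if self.vendor_id is not None and dev.vendor_id != self.vendor_id:
            return False
        if self.product_id is not None and dev.product_id != self.product_id:
            return False
        if self.serial is not None and dev.serial != self.serial:
            return False
        if self.interfaces_equal is not None and dev.interfaces != self.interfaces_equal:
            return False
        if self.interfaces_any is not None and not (dev.interfaces & self.interfaces_any):
            return False
        return True


def evaluate(policy: List[Rule], dev: UsbDevice, default: str = "block") -> str:
    """First matching rule wins; an unmatched device gets the implicit default,
    which for removable-media control must be 'block'."""
    for rule in policy:
        if rule.matches(dev):
            return rule.action
    return default


# Constructed policy. IDs and serials are placeholders, not real product identifiers.
CORPORATE_POLICY = [
    # Issued encrypted drives, pinned by serial: a look-alike with the same IDs is not enough.
    Rule("allow", vendor_id=0x1234, product_id=0x0001, serial="DRV-000112"),
    Rule("allow", vendor_id=0x1234, product_id=0x0001, serial="DRV-000113"),
    # Any other device exposing a mass-storage interface is blocked.
    Rule("block", interfaces_any=frozenset({MASS_STORAGE})),
    # Plain keyboards and mice are fine, but only if HID is the *only* class they expose;
    # a composite "keyboard" that also presents storage is caught by the rule above.
    Rule("allow", interfaces_equal=frozenset({HID})),
]


def decide(dev: UsbDevice) -> str:
    return evaluate(CORPORATE_POLICY, dev)


def demo() -> Dict[str, str]:
    """Run a handful of constructed devices through the policy."""
    samples = {
        "issued drive":    UsbDevice(0x1234, 0x0001, "DRV-000112", frozenset({MASS_STORAGE})),
        "same IDs, wrong serial": UsbDevice(0x1234, 0x0001, "UNKNOWN-9", frozenset({MASS_STORAGE})),
        "personal stick":  UsbDevice(0x5678, 0x0002, "4C5300", frozenset({MASS_STORAGE})),
        "keyboard":        UsbDevice(0x9ABC, 0x0003, "", frozenset({HID})),
        "keyboard+disk":   UsbDevice(0x9ABC, 0x0003, "", frozenset({HID, MASS_STORAGE})),
    }
    return {name: decide(dev) for name, dev in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The point the example makes is the ordering and the fallthrough: pinned allow rules first, a broad block on the storage class second, narrow allows for harmless device classes last, and block for anything unmatched. In practice the same shape is expressed with the operating system’s own control (for example USBGuard rules on Linux, or Windows device-installation restriction policies) rather than a script like this one.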

Encryption safeguards the sensitive data of organisations and their employees both at rest and in transit, protects against human error and aids GDPR compliance. It is also one of the few technical measures the GDPR names explicitly: Article 32 lists the pseudonymisation and encryption of personal data among the measures to be implemented “as appropriate” to the risk. The cost of standardising on encrypted USB drives is nominal compared with the financial consequences of a data leak, which under the GDPR could be 20 million Euros or 4 percent of the company’s global annual turnover, whichever is higher, and their deployment is a simple step towards compliance.

Layered defence

In today’s business environment, it is critical that companies supply employees with secure devices, including hardware and software that can defend against data breaches and cyber attacks. While employees are often the weak link in protecting data, organisations also need to make sure they’re taking a multi-layered approach to security tools.

With remote working becoming more popular, the emphasis is no longer only on protecting workstations and internal networks, but also email, browsers and removable devices. Working over a VPN and storing information on cloud platforms is also popular with employees who use services such as Dropbox and Google Drive in their personal lives. These platforms are easy to use and integrate easily with personal devices, compared with corporate tools that are sometimes user-unfriendly. However, many businesses have no policy covering such services, which leaves data outside the organisation’s control, protected only by whatever the provider offers under keys the organisation does not hold, and at risk.

While there isn’t a “one-size-fits-all” solution, organisations do need to invest time and money to establish the right security strategy for their needs. For example, using different vendors and products can increase the risk of exposing data due to incompatible solutions. Integrated approaches might not work for other organisations as they might not want to replace existing solutions or might not have the budget. Security and IT teams need to analyse the requirements of the company and implement toolkits that will make security processes easier and more efficient to follow. For example, providing employees with devices that include on-board authentication and encryption will help with data security, efficiency and cross-platform compatibility.

What remains the most important aspect of successful governance of sensitive data is consistency. IT teams, C-Suite and employees all need to be educated on, and adhere to, the policies in place to ensure that sensitive data doesn’t end up in the wrong hands.
