Taking steps to minimise data breaches
ANALYTICS and big data are now undisputedly buzzwords that dominate the visions and plans of many business leaders, driven by the tides of digitalisation and automation.
Singapore is no exception, with many companies across a spectrum of industries embracing the collection of data in a bid to optimise their operations.
Yet, one common blind spot that companies often overlook is the need to have sufficient data security measures.
For instance, the recent Facebook data breach highlighted the pressing requirement for companies to keep their data secure and sovereign, or they could end up facing various government investigations and regulations.
Data sovereignty is a concept that explains how data is subject to the laws and regulations of the country in which it is located. Essentially, this can affect how a company operates, in terms of transfer of data and the geographical location of the company's data centre.
Such governmental regulations can cause potential monetary and reputation damage, and in turn adversely impact profit and share prices.
Singapore was found to have the highest number of financial penalties that may be imposed for breach of data privacy as a percentage of the country's GDP among 14 Asia-Pacific markets, according to global market intelligence company IDC.
Commissioned by Dell EMC, the IDC InfoBrief showed that the Singapore government can impose fines of up to S$1 million for non-compliance with any of its data protection provisions, under the Personal Data Protection Act (PDPA).
PDPA, which came fully into force in 2014, requires organisations to put in place adequate security measures to protect consumers' personal data.
The Personal Data Protection Commission (PDPC) has fined at least 20 organisations over the past two years, according to an article in The Straits Times earlier this year.
Notably, PDPC fined karaoke chain K Box Entertainment Group S$50,000 in 2016 for a data breach, after personal data of 317,000 members were leaked online.
Instead of seeing the regulations as obstacles to growth, companies can use them as a catalyst to improve their data management capabilities.
Simon Piff, vice-president, IDC Asia Pacific's IT Security Practice Business, said: "Data privacy regulations are an impetus for the development of better data management strategies, for example, it is exacerbating the data protection gaps in existing backup infrastructure."
Furthermore, companies will have to adapt their data management capabilities while they become more data-intensive to enhance their products, services and strategies.
Dmitri Chen, vice-president of specialty sales, Asia Pacific & Japan at Dell EMC, said: "But as they use data to take advantage of new opportunities, there is also greater risk - the attack surface is expanding and so too are the requirements for how you manage this data."
"This makes building scalable secure IT environments and optimising infrastructure an unavoidable requirement for organisations today," he added.
The view of greater risks due to increased data usage was echoed by his colleague, Paul Henaghan, vice-president, Asia Pacific and Japan, Data Centre Solutions at Dell EMC.
He said: "The increase in the amount of data and the number of connected devices has a downside - more cyber security risk - and as cyber threats and attack methods become more sophisticated, the data centre must be able to withstand intrusions and security breaches."
IDC identifies three key areas of good data management to minimise risk: security, privacy, and business continuity.
Security means that data has to be safely captured and stored, with data integrity. Therefore, the data centre, a secure facility that houses the company's critical IT infrastructure, needs to be strong and resilient.
On the features of effective data centres, Mr Henaghan said: "Reliable breach detection and rapid recovery to a trusted baseline are some of today's data centres' advanced proactive protection capabilities."
Privacy ensures that personally identifiable information carries the levels of security, accessibility and ability to be deleted, as defined by the legislation of various countries.
A good understanding of the different legislations will also help business leaders more accurately budget for compliance costs.
Business continuity planning is a process that ensures the business can continue to function even during a time of emergency.
IDC recommends that the recovery point objective (RPO) - defined as the maximum period in which data might be lost due to a major incident - should be as near to zero as possible.
In other words, the company should have the ability to access the data as and when required.
One of the statements in the IDC InfoBrief summed up the importance of effective data management.
It said: "The cost of being prepared is less than the cost of recovery."
"The reality is that it costs more to salvage an incident after it has occurred."