Johnny Karam, Managing Director & Vice President of International Emerging region at Veritas Technologies
Data is often described as one of the most valuable resources in the world. Some of the largest and most profitable global businesses have been built on data, and every organization today relies on it to run its business. But with that data comes a responsibility to protect it.
Until recently, the process of securing and protecting data was often considered an afterthought: not profit-generating and therefore not important. But the threats of compromise, corruption, financial loss, or loss of data – and high-profile cases of each – have moved many firms to seek out data protection experts to help them secure their information against growing threats. In 2019, Equifax agreed to pay out at least $575 million to compensate the 147 million people impacted by a data breach the company suffered as a result of failing to secure its network. The data breach reportedly cost Equifax almost $1.4 billion, including the cost of implementing significant security upgrades.
Keeping pace while keeping track of data
The rise of online and mobile services has seen financial institutions being entrusted with an increasing amount of highly sensitive personal customer data and, with the more recent accelerated shift to remote working during the height of the COVID-19 pandemic, this data has become more dispersed than ever before. In fact, according to our research, 90% of UAE employees admit to having shared sensitive company data via instant messaging platforms. In many cases, employees either don’t know what their company policy on sharing data is, or they don’t care.
In addition, as businesses have rapidly extended their IT infrastructures with complex combinations of cloud, virtual and on-premises infrastructures in order to keep pace with changes over the last year, data has become increasingly fragmented and harder to manage. This has led to a ‘transformation gap’ where businesses’ security measures lag behind their complex IT infrastructures. In fact, Veritas research revealed that 33% of data in UAE businesses is ‘dark’, meaning they have no idea what that data is or what value it holds, while a further 42% of data is considered ROT (redundant, obsolete, or trivial) that should be deleted.
Whilst data is spilling out from the clutches of organizations around the world, regulators have moved to tighten control over data protection measures and introduce penalties for non-compliance.
Progress through compliance
The honest truth is that financial institutions could be doing much more to protect their data. Nearly two-thirds (63%) of businesses in the banking and finance sector admitted to falling victim to a ransomware attack at some point in their history. Despite the frequency of attacks, 46% have either never tested their disaster recovery plans in the event of a ransomware attack or have not tested them in over 90 days. As cases of data breaches and ransomware attacks continue to rise dramatically, the finance sector simply cannot afford to overlook the protection of its most valuable digital assets.
New data protection regulations such as the Dubai International Finance Centre (DIFC) Data Protection Law DPL 2020 and the UAE Central Bank’s Financial Consumer Protection Regulatory Framework are setting a new standard for data protection across the industry and country, which promise not only to protect consumers but also to help businesses realize the true value of their data.
Rather than seeing these new laws as a hindrance, financial institutions should embrace these regulations as an opportunity to gain a better understanding of their data. Identifying trends and gleaning insights from their data can enable them to offer better customer experiences or open doors to new revenue streams, while visibility into which datasets need to be protected or deleted can help pass compliance checks and mitigate against ransomware attacks. Perhaps most importantly, they will gain hard-earned consumer trust, giving them a significant competitive advantage. Without a full view of their data, businesses are blind to their own potential.
Regulations such as the DPL 2020 can also help organizations re-examine unviable working practices that have arisen in the wake of the pandemic, and educate workforces on data responsibility.
Solving the puzzle
The speed at which data is now generated means that the operation to change course seems daunting. And the answer isn’t to just simplify their IT infrastructure: as the volume of data financial institutions store continues to rise, there is always going to be complexity in their IT environments. But there is a way to use tools to abstract much of the complexity away. By standardizing the systems that manage data across their enterprise, companies can start extracting value from their data.
This begins with visibility: it’s essential to understand what data they have, its value, where it needs to sit, who should access it, and how long it needs to be held for. Once organizations have a view of their business-critical data, they need to ensure that business continuity and disaster recovery processes are optimized to protect it. In the case of a ransomware attack, an encrypted backup is an essential defense mechanism. But it’s important to remember that there is no backup plan in place until it’s been tried and tested.
Testing disaster recovery plans helps reveal cracks and vulnerabilities businesses otherwise would never have discovered. Are backups sufficiently isolated to prevent infection from spreading, are there enough copies of valuable data, and are those copies being retained for long enough? Only regular fire drills and tests can answer these questions conclusively. These should be regular, repeatable, and form a crucial part of a business’s backup strategy.
Regulations are often considered an inconvenience, a taxation that should only be applied in distinct circumstances. There may be a reluctance to conform, to comply. But adhering to these regulations will give the financial sector a strategic advantage – one that can help them monetize their data, build consumer trust and survive even the most sophisticated of cyber-attacks. Soon after, all UAE industries will follow suit.