Digital technology is transforming the world, changing the way we communicate with one another, how we shop and even how we do business. Looking at how much digital has changed our interactions over the past ten years, there is no denying that in another ten years every service we use will be digitised in some way.
At our Digital Security Symposium in July, we teamed up with ISACA to deliver guidance on how to secure your systems in the digital world, looking at three key themes: Cyber Security, Audit and Assurance, and Compliance. The entire day was jam-packed with vital information for business owners and other delegates, including keynote and breakout sessions.
ISACA is a global non-profit membership association for IT governance, risk management, cyber and information security and assurance professionals. With their expert knowledge, we were able to provide an in-depth overview of the approach to security that businesses should be taking. Also speaking were representatives from other IT companies and solutions including Turnkey, Virtustream, CSI Tools, Virtual Forge, Grey Monarch, Xpandion, CyberSafe and both SAP and the SAP Cloud Trust Center. We'd like to thank them for taking part, as the day was a roaring success.
The hot topic of the moment, affecting companies Europe-wide, is data protection. Everyone is wondering whether their private data is safe in the hands of the services they use every day. Think Amazon, O2, Tesco and even Santander. Are they complying with EU data privacy regulations? And are there strong enough security measures in place to stop individuals hacking into their systems? We're sure they have the best security in place, but what about your business?
Why is Security Vital in a Digital Solution?
We all know how important security is, but what exactly needs to be secured? As Bill McDermott, CEO of SAP SE, put it: "trust is the ultimate human currency," and trust is the major enabler of a successful digital transformation.
Ensuring that your systems are locked down and safeguarded from cyber-attacks is becoming mandatory by law. It is no longer a recommendation but a requirement that every business handling personal data must abide by. Under the GDPR, companies that fail to comply can face fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. If security is not built into your systems, there is a high chance that not only your own data but also your customers' and clients' data will be exposed to breaches.
A digital solution usually doesn't work without data about people, for example customers and affiliates. Mobile and IoT devices need securing too, as do on-premise applications, Cloud applications, and the structured and unstructured data held in databases. Keeping all of these separate elements secure at all times means you will have to do some, if not all, of the following:
- Manage people's identity lifecycle - the accounts and logins through which they access your systems, and the personal data attached to them such as name, address, phone number and payment card details, from creation through to deletion
- Protect data in transit over the air - between users and devices as it travels on a wireless network - by encrypting it, for example with TLS, so that a passive listener on the network sees only ciphertext
- Manage mobile and IoT devices and their lifecycle - these devices hold credentials and personal data, including biometrics such as fingerprints, so they need to be enrolled, kept patched and wiped when retired
- Protect data exchanged between on-premise applications and Cloud services - this traffic frequently carries personal information, so it needs the same encryption and authentication as user traffic
- Protect data in databases and big data stores, whether on premise or in the Cloud - administrators, contractors and third-party providers can usually reach sensitive production data with privileged accounts, so those accounts need to be limited to what each role requires, monitored and audited
How to Ensure your Systems are Secure
First of all, there must be a cultural and business change: protecting other people's personal data with the same respect you expect for your own. There are several steps you can take, including privacy by design and by default. Designing privacy and security features into the system from the start, rather than bolting them on afterwards, removes whole classes of breach and error, though it does not eliminate risk altogether, which is why regular testing still matters. Requirements relating to security and breach reporting are covered in full in Articles 32-34 of the General Data Protection Regulation, which the European Parliament adopted on 14 April 2016.
Article 32 states that "controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk." Assessing what is appropriate means considering the context and purposes of the processing, the state of the art and the cost of implementation, and the risk of varying likelihood and severity to the rights and freedoms of individuals.
Regularly testing and evaluating the technical and organisational measures that secure your processing is itself one of the measures Article 32 calls for, so look at the following:
- Privacy impact assessments - a tool for identifying and reducing the privacy risks of your projects before they go live
- Controller and processor selection, and a record of the data processed - know which individuals' data is included in a given processing activity or report; segmenting them into identifiable groups makes it easier to show what was processed and why
- Evidence of pseudonymisation, encryption and breach management - not just that these controls exist, but that they are applied to the data that needs them
- Ensuring the confidentiality, integrity, availability and resilience of processing systems and services - including the ability to restore availability and access to personal data in a timely manner after an incident
- Engaging a DPO for transparency of compliance and process
- Managing third-party contracts, so that every processor handling your data is bound to the same security obligations
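On the pseudonymisation point above, as an added example that is not part of the original post or of any SAP product: the following Python script contrasts an unkeyed hash of an email address, which anyone holding the data set can reverse by guessing, with a keyed HMAC whose secret is held separately from the data, which is what lets the controller, and nobody else, get back to the individual. The customer records and the attacker's guess list are constructed for the demo, and the key is generated in-process where in practice it would live in a key store away from the data.

```python
"""Pseudonymisation of direct identifiers: unkeyed hash vs keyed HMAC.

Added example. Assumes the secret key would in practice live in a key store
separate from the pseudonymised data set; here it is generated in-process.
"""
import hashlib
import hmac
import secrets

# Constructed sample records standing in for a customer table.
CUSTOMERS = [
    {"email": "alice@example.com", "phone": "+44 7700 900123", "plan": "gold"},
    {"email": "bob@example.com", "phone": "+44 7700 900456", "plan": "basic"},
]

# Secret that turns a hash into a pseudonym: the "additional information" that
# GDPR Article 4(5) requires to be kept separately. Generated here for the demo.
KEY = secrets.token_bytes(32)


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256 of an identifier. Deterministic, but anyone can recompute
    it for a guessed value, so low-entropy identifiers are trivially reversible."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 of an identifier under a secret key. Without the key, a party
    holding the data set cannot recompute it or verify guesses against it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Strip direct identifiers (email, phone) and replace them with one keyed
    pseudonym per subject, keeping only the fields needed for analysis."""
    return [{"subject": keyed_pseudonym(r["email"], key), "plan": r["plan"]}
            for r in records]


def dictionary_attack(target: str, candidates, derive):
    """Re-identification attempt by someone who has the data but not the key:
    derive a value for each guess and compare. Returns the matching guess or None."""
    for guess in candidates:
        if hmac.compare_digest(derive(guess), target):
            return guess
    return None


def reidentify(pseudonym: str, records, key: bytes):
    """Controller-side lookup: with the key and the original records, map a
    pseudonym back to the subject (the lawful path back to the individual)."""
    for r in records:
        if hmac.compare_digest(keyed_pseudonym(r["email"], key), pseudonym):
            return r
    return None


def demo():
    """Run both schemes against the same guess list and report the outcome."""
    # An attacker's guess list: email addresses are low entropy and easily enumerated.
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    naive = naive_pseudonym(CUSTOMERS[0]["email"])
    keyed = keyed_pseudonym(CUSTOMERS[0]["email"], KEY)
    return {
        "naive_cracked": dictionary_attack(naive, guesses, naive_pseudonym),
        # The attacker lacks KEY, so unkeyed guessing is the best they can do.
        "keyed_cracked": dictionary_attack(keyed, guesses, naive_pseudonym),
        "controller_lookup": reidentify(keyed, CUSTOMERS, KEY)["email"],
        "pseudonymised": pseudonymise(CUSTOMERS, KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Keyed pseudonyms are still personal data under the GDPR (Recital 26 treats pseudonymised data as information on an identifiable person), so the storage and access controls around the key are part of the evidence you would present. Because the pseudonym is stable across data sets under the same key, analytics can join on it without ever seeing the email address; rotating the key breaks that linkage, which is sometimes exactly what you want.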
SAP's capabilities cover all of this, including Data Services/Information Steward, which lets you tag and profile data across SAP and non-SAP landscapes and manage the accuracy and consistency of personal data. It can also help with Information Lifecycle Management for SAP landscapes, meaning data is deleted and archived safely in line with defensible legal retention requirements. SAP also has capabilities for the following:
- Enterprise Threat Detection (ETD), Dynamic Authorization Management (DAM) and Enterprise Digital Rights Management (EDRM) - ETD on HANA provides advanced threat analytics and real-time cyber and breach monitoring; DAM and EDRM provide context-based access management, blocking, alerting and correlation
- Access Governance and UI tools - manage lawful access to personal data, and block unlawful access, across active business systems, contracted processors, archives and employee enrolment
- Process Control - the 'custodian of GDPR': digital governance services towards the supervisory authority, with controls and automated monitoring for SAP and non-SAP landscapes
- Process Mining by Celonis - powered by HANA, lets you understand and visualise in real time which business processes 'touch' personal data
Ensuring that all security issues can be managed through your current system, whether you use SAP or not, lets you be consistent and deliver transparency with ease of access. It will also help you look after all critical areas of the business, from the Internet of Things to core business applications. However, although SAP can provide the tools discussed in this blog, there are numerous offerings from our partners that could be better and cheaper than SAP's. Feel free to explore our member partners' websites, mentioned above, for more information.
Want to know more about securing your systems? With our membership you can gain access to exclusive events and webinars, just like this one, that will help keep your business running efficiently and free of security breaches. Just contact us on 01642 309930 to find out more. Alternatively, you can drop us a few lines at firstname.lastname@example.org and we will come back to you.