
Businesses are Due for a Sarbanes-Oxley Level Wake-Up

Written by: Anne Gotay | 5 min read

Data breaches are on the rise, with the number of breaches in 2021 exceeding the 2020 total well before the year was over. The increase in breaches, combined with high-profile attacks such as Colonial Pipeline and SolarWinds, has brought the need for information security to the forefront for the general public and the federal government. If organizations cannot protect their assets and secure their data on their own, the government will likely enact regulations that force the adoption of best security and privacy practices.

Organizations need to get their data privacy and data security game in order before major regulations pass and force them to get secure. Find out how we got to this state and what your company can do to be prepared for data security and privacy regulations to come.


Setting the Stage

Before you dismiss this as something that could never happen, it is essential to remember that similar actions have occurred in the past. In 2008, an enormous financial crisis stemmed from major financial institutions not following best practices for their industry. The fallout from this market meltdown spawned several regulations, including the Sarbanes-Oxley (SOX) Act, intended to protect investors from fraudulent accounting activities by corporations.

In the attempt to grow and innovate rapidly, organizations erred toward delivering solutions and products over taking the time to bake in security. This left many products going to market with vulnerabilities that left the company and its data exposed. The failure here was not malicious but driven by the need to move quickly to compete in the market. Nonetheless, the result is vulnerable systems that attackers can exploit.

With SOX driven by financial mismanagement and directed toward protecting investors, it is not a giant leap to imagine a similar regulation driven by IT mismanagement and directed toward protecting consumers. President Biden’s 2021 executive order on improving the nation’s cybersecurity is one of the first warning signs that something of this nature could be on the horizon. The order applies specifically to government agencies and the organizations that serve them, but this is only the beginning. Congress will likely transform it into a more binding set of regulations governing how organizations manage their IT and cybersecurity practices.

How SOX Happened

The financial crisis of 2008 was also sparked by companies attempting to move fast and take shortcuts. In this period, many large organizations such as Bear Stearns, Lehman Brothers, and Merrill Lynch were lauded as leaders in their market but ultimately collapsed and were subject to bankruptcy or acquisition.

After evaluating the root cause of the mass financial failure, it was discovered that there were numerous causes, including predatory lending, massive defaults, deregulation, and lack of regulation, all of which created massive risk for financial institutions and their investors. Even though investors carried much of the risk, the financial companies did not adequately convey this information, causing investors to believe they held a safer investment than they truly did.

This perfect storm of conditions created the Global Financial Crisis, a massive collapse in the global market. To prevent a disaster of this magnitude from recurring, regulations such as SOX and the Gramm-Leach-Bliley Act (GLBA) were enacted to set strict guidelines on how publicly traded companies handle their data and financial records. They outlined harsh penalties for those who fail to comply, with heavy fines and even the possibility of imprisonment for company executives.

Collaboration for Growth

To be competitive in the current market, organizations need to move quickly, producing research and innovation for new products and services. Doing this requires utilizing internal resources efficiently and collaborating with partners, peers, and researchers. Effective collaboration necessitates sharing information, which creates a level of risk for your organization.

Individuals, including employees, who work outside the organization’s network and resources create a risk of data being leaked. Your company has limited control over the security of the endpoints they use to access information or the safety of the networks they connect through. This creates an opening for theft by bad actors or even accidental disclosure. To collaborate safely, businesses need a way to limit who can access their data and ways to protect it so that even if it is stolen, it is not useful to the thieves.

Data is Everywhere

The risk for organizations comes not only from sharing data externally but also from using it internally. Data is spread across numerous applications within the organization, all with different management and oversight practices. Whether it resides in the cloud, on-premises, or on end-user systems, sensitive data may live in a variety of places, creating a challenge in applying appropriate and effective measures to secure it.

While it might seem easy to mandate the centralization of all data with strict access controls and processes for using it, doing so adds time and bureaucracy that hinder workers from getting their jobs done. Security that slows down and hinders workers inhibits growth and innovation, as worker effort is dedicated to the security process rather than to processes that help the organization improve. Striking the balance between allowing users to work and keeping the data secure is challenging on its own and made more challenging when information is widely distributed.


Building a Foundation

With all of the challenges involved in keeping your organization growing, it is no surprise that many companies have traded security for development speed. The problem is that companies are making the same mistakes with IT and security that financial companies made in years past with their own data and reporting. This creates risk for customers in the same way that risk was created for investors, without their informed consent.

This creates an opportunity for businesses that wish to get ahead of current threats and the potential regulations they could face. Taking the time to create a solid foundation for their IT and security practices will help companies prepare for whatever changes come, keeping their data safe. The foundation they build will give them the flexibility to adapt to new regulatory mandates without having to rush to implement solutions and processes on someone else’s timeline.

Protecting Sensitive Data

One of the first steps in implementing good security practices is to start with the attacker’s target, the data, in mind. It is what cybercriminals are looking for when they attack and what customers care about most if it is compromised. Controls should be designed around protecting the data first, keeping it confidential while still ensuring that it is available to those who need it.

Doing this requires more than a single type of protection. It takes a holistic data security solution to protect data throughout its lifecycle: at rest, in transit, and in use. This requires a combination of data encryption, access control, and threat detection, not only to guarantee the confidentiality of the data but also to detect when attacks are starting so they can be stopped before they gain a foothold.

Securely Sharing Work Together

With organizations embracing cloud computing and remote workforces, the need for securely sharing data for collaboration has never been more critical. Businesses can now hire the best and brightest worldwide without worrying about relocation challenges. Bringing together top-tier talent is a fundamental recipe for innovation.

Using cloud technology, applications and data can be shared across great distances as easily as if they were in the same building. Securing this new style of collaboration requires more than traditional security methods, which are not equipped to keep up with these new technologies. Many legacy solutions do not scale with cloud computing, nor do they work well with data staged across multiple environments, especially outside the office’s traditional boundaries.

Earlier data encryption solutions effectively protected data when it was stored in one location or in transit between endpoints. This older technology is not sufficient for guaranteeing privacy when the data needs to be analyzed, because it requires pulling the data out of its protected state into a form that can be accessed. This creates a hole that attackers can exploit.

Newer solutions bridge this gap and can protect the data wherever it resides and while it is in use. They form a protective fabric throughout your entire IT infrastructure, keeping the data confidential at all times. Combined with advanced detection capabilities driven by machine learning (ML), threats can be rapidly detected, helping prevent attacks before they can take hold.

Starting the Foundation

Creating a secure IT foundation will help your organization have the right technology and processes in place to be ready for any mandates that may come. It does not require ripping out old infrastructure and replacing it, but rather evolving the solutions you already have with a data-centric security approach that places the focus of security where it belongs: on the data.

Sotero is a leader in weaving a data security fabric for organizations that focuses on the data. The Sotero data security platform takes a holistic approach to data protection, applying multiple layers of controls. Going beyond basic data encryption, Sotero weaves in access controls to streamline data management. Sotero’s behavioral monitoring keeps track of your resources and delivers visibility into misuse through a single-pane-of-glass interface, catching attacks early.

Contact a data security expert to learn more about how Sotero can help your organization protect its most important asset, its data.

Tags: data protection, data regulations, data security
