Haider Muhammad, the Community Manager for Middle East, Turkey and Africa Community Sales (EMEA) at Milestone Systems, speaks about how newer techniques need to be built to ensure data security
How has the need for data security and compliance changed over the past year?
Technology has been changing rapidly over the past few years. Digital transformation has fueled the rapid acceleration of new technologies like cloud computing, Software-as-a-Service (SaaS) applications, the Internet of Things (IoT), and computing via smartphone apps. Over the last year, the pandemic led to organizations rushing to enable their staff to work from home or remotely where possible. This meant investing in Virtual Desktop Infrastructure (VDI) and Desktop-as-a-Service (DaaS) applications.
We also have a lot of people working from home on their personal devices. With the lack of movement, online shopping and eCommerce increased. All these activities heightened the security risks. You can see that, unlike earlier, the digital touchpoints for accessing data have suddenly exploded. Earlier, staff were accessing data only from the office, and now there are multiple points. The sudden move to a virtual office has led to inadequate security practices, a lack of awareness, and the costs of securing devices, all leading to data security risks. Companies have had shortfalls in implementing adequate security measures and compliance policies.
According to the UAE Government Cyber Security, the UAE saw a 250% increase in cyberattacks in the first year of the pandemic. Online marketplaces expanded with an annual growth of 12 percent. They naturally became the targets of sophisticated cyberattacks in Saudi Arabia and the United Arab Emirates. A report by Mimecast found an increase of 75 percent in phishing or impersonation attacks in the UAE – with 77 percent of those organizations having taken a direct hit in the form of loss of customers, financial loss, and data loss.
According to an IBM report, a data breach in the Middle East costs an average of $6.52 million. We can clearly see the need to ramp up data security and compliance measures given the accelerating cyberattacks over the past year.
What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
We would recommend the following measures for organizations to keep their data secure. Awareness plays a significant role. Employees need to undergo security training to avoid lapses on their part. Some of the tips would be:
- Organizations must provide periodic security awareness training for all staff about the various threats.
- Organizations must implement mandatory policies that require users to change their passwords.
- Use and update antivirus and anti-malware software when needed.
- Ensure your operating systems are always up to date with the newest security patches and updates from manufacturers.
- Employees must avoid oversharing their screens. During online meetings, they should be extra cautious when sharing their screen.
- Beware of phishing.
- Do not acquire or use work-related IT equipment without an agreement with your own organization.
In the case of Video Management Systems (VMS), a few extra measures are needed, as follows:
- Awareness: Ensure broader awareness of the need for a secure VMS.
- Hardening: Tighten up your VMS as part of an ongoing and dynamic process designed to ensure robustness.
- Training: Educate users and colleagues on best practice in system set-up, installation, and use.
- Privacy: Maintain a ‘culture of privacy’ by ensuring that the system is compliant with local data privacy regulations.
- Regular updates: Keep systems up to date with the latest drivers, patches, and fixes to stay ahead of any hacks.
Are there any regional data compliance regulations and frameworks that companies handling large amounts of public data need to follow?
There are no specific laws governing the processing of personal data by public sector institutions in the UAE. However, we take personal data very seriously and handle it in the same manner that we would in other countries that have such laws. In Europe, GDPR is playing a leading role. European Union initiatives protect data in cloud scenarios, e.g., Schrems II, which we follow closely to sense the early impact on Milestone, our customers, and partners. Another example is the GDPR guidelines and the local implementation of rules for the storage of video feeds.
What, according to you, are the five tips that companies need to follow to comply with data security regulations?
Companies need to understand that data is a sensitive matter and that data privacy matters. There can be legal damages in case of non-compliance. We would advise customers to look at data in the following ways, which will help them become compliant with data security regulations.
- Data Analysis: Organizations need to understand the kind of data processed. Depending on the type of personal data, there are different principles to follow. In short, the more sensitive the data is for the data subject, the better you need to protect it, and the more specific you need to be about what you are using it for.
- Data Storage: Where is the processed personal data stored? Different regulations may apply depending on which country the data is stored in. For example, when you store data in the US, you are under very different obligations to disclose such data to the authorities than when storing data in the EU. Organizations must understand the laws and comply accordingly. Some countries have regulations that their citizens’ data cannot be stored outside their country.
- Legal Requirements: What is the legal permission to process the personal data? This can be consent from the data subject, the legitimate interest of the data controller, the fulfillment of a contract with the data subject, etc. To give an example, it would typically be in your company’s legitimate interest to use an employee’s photo on an ID card, while you would need consent to publish it on your public website.
- Data Boundaries: Is the personal data being transferred somewhere else? E.g., if the personal information is transferred outside of the EU/EEA, there must be a legal basis for this. Essentially, one must make sure that the transmitted data is under the same level of protection regardless of where it is stored. It is not necessarily logical which countries are considered secure and which are not. For instance, the EU Commission considers Uruguay and Argentina as secure third countries, while the US is not.
- User Rights: What are the rights of the data subjects? Under GDPR, for example, the data subject has certain rights, such as deletion of their personal data and insight into their personal data, and you need to have procedures in place to handle this. We recommend customers seek legal advice to comply with their local data protection and privacy laws or policies for any processing of personal data.
Do you believe the line between data security and data privacy has started to blur?
I would say data security protects data from compromise by external attackers and malicious insiders, while data privacy governs how data is collected, shared, and used. There are data encryption techniques in place that protect data at rest and data in motion. For example, your credit card data is stored securely and is not visible to your e-commerce stores. In the field of video technology, there are also plenty of solutions with the ability to anonymize data through metadata aggregation, privacy masking, data purging, and much more, and thereby video tech can help keep people safe without compromising data privacy.
Newer techniques are continuously being developed to strengthen data privacy further. Data security techniques are also advancing against new threats, and it is an ongoing process. We can minimize breaches with user awareness and advanced data security techniques. I believe data security and privacy complement each other to mitigate risks and build a strong foundation of trust in the accelerating digitalisation of society.