To Build Trust in a Time of Data Insecurity, Embrace a Proactive Strategy

Mastering data privacy requires a commitment to continually mapping risks. The first step: embracing best practices and automated tools that do the heavy lifting.

Data is the lifeblood of today’s digital economy, but only if it can be trusted. While data fuels innovation and agility, it’s also at the centre of growing security threats and regulatory requirements. The ability to strike the right balance between data protection and operational excellence is increasingly tied up with the ability to inspire trust among customers, employees and investors.

Many companies have experienced a year-over-year increase in cyberattacks, including 54% of European organisations, according to a September 2023 IDC report. That’s one reason why data security now tops executive agendas across the continent. In fact, 45% of surveyed CEOs in Europe said they will prioritise spending on data security, risk and compliance to support trustworthy data collaboration and sharing. Respondents’ top operational security priority? Data privacy and regulatory compliance. 

Given all this, what CIOs now urgently seek is confidence that the company's critical business, people and financial data is not only compliant but secure from cyberthreats and internal bad actors. The fastest route to such confidence is now clear. Tech leaders need a proactive data privacy management strategy that leverages best practices and top-of-the-line technology, and deploys custom automation tools that bolster controls, monitoring and audits.

“Risks are growing along with the complexity and scale of data,” said Mark Eaglefield, Head of Digital Products, Veolia UK, a global leader in environmental services that operates in nearly 50 countries. “Without a proactive stance, you can’t quantify the organisation’s level of risk – until after the damage is done and trust has been lost.”

 

Protecting Data – and Building Trust – by Default

When it comes to data security and compliance vulnerabilities at multinational organisations, it can be hard to know where to start. In 2019, Veolia’s tech leaders made a key decision that has grounded its data management strategy. The company became a full-platform Workday customer.

A unified tech environment spanning human capital management, finance, payroll, recruiting and other areas established a baseline of well-defined, documented and managed processes around user access and security, Eaglefield said. “That’s our solid foundation, which we strengthen with best practices woven into our evolving, proactive data privacy strategy.”

Foremost among those practices is a steady drumbeat of education and awareness-building efforts around data privacy and user security. Veolia’s IT organisation educates a range of stakeholders – such as end users, auditors and IT teams – via training sessions and published policies and procedures, through various communication channels. “It’s a continuous cycle – education and awareness is key,” Eaglefield said. “We never assume our stakeholders know and understand how we aim to protect data and what the stakes are.”

Another best practice Veolia has embraced: forming and leaning on a team of dedicated, in-house security experts. These experts, deeply fluent in the Workday operating environment, collaborate closely with internal data protection teams. They’re up to speed on current data privacy legislation and attendant regulatory requirements impacting the business. They act as peer reviewers in a way, helping to ensure that the organisation’s policies, procedures and controls always reflect the current threat and regulatory landscape, Eaglefield said.

“In terms of user-based security and compliance, these experts are crucial collaborators, allowing us to continually strengthen the design of our particular configuration,” he added.

 

The Right Tools for the Job 

Every business has a unique data environment to protect and related risks to guard against. At Veolia, there was growing awareness among security leaders of vulnerabilities related to proxy access.

The company had a proxy policy for its non-production environment, allowing users granted proxy access to see all the same data the individual being proxied typically sees. While just a small number of trusted individuals were granted such access, the lack of data masking still left Veolia open to potential data protection compliance and breach risks. The solution: Smart Shield, a tool designed by Kainos to enable data masking for specific proxy users in Workday. 

“Now we can make sure that a user assigned to, say, a finance proxy group can’t view any compensation data relevant to the individual that they're proxying in as,” Eaglefield said.

At large organisations with thousands, or tens of thousands, of users, manually auditing user configurations relative to segregation of duties and system access levels is impossible. Audit automation must be part of any proactive data privacy solution – which is why many IT leaders rely on 360-degree security monitoring tools.

“The more complex your business is, the harder it is to get a panoramic view of data-related risks,” said Kim Freestone, Product Principal at Kainos. For example, “employees who have inappropriate and unrestricted access to highly sensitive data.”

Veolia, which has 14,000 users, chose to implement Kainos’ Smart Audit tool, which automates data security monitoring, including flagging business processes and data at high risk for fraud and breaches. There’s huge value in having an overarching viewpoint, in terms of segregation of duties and identifying related conflicts, Eaglefield notes. Preventative checks review whether users’ data access level is justified, and a daily digest email offers his internal controls team a helicopter view flagging anomalies, along with detailing current conflicts and what’s under review.

Proactive risk assessment involves more than just putting controls and processes in place to protect data in privileged access areas, Freestone says. “It’s also about assembling a body of evidence to show auditors, whether internal or external, that you’re serious about mitigating risks.”

 

Keep an Eye on Complacency

In an era of rising security threats and emergent AI capabilities, trust is earned in the realm of data privacy and protection. That will become even more true as organisations are challenged both to tap the power of AI and to comply with entirely new regulatory frameworks governing data sets and practices, such as the European Commission’s AI Act.

There is no such thing as absence of risk when it comes to networked data. But with a proactive data management strategy that embraces both best practices and the best of what current technology offers, CIOs can build and then fine-tune a future-ready IT infrastructure. Instead of stressing over unknown risks, leaders can find assurance in a highly configurable security model governing all of the enterprise’s apps and data. The right tools can surface risks and then prompt the right protective actions before it’s too late.

The biggest data misstep is complacency, Eaglefield said. “Don’t wait for a problem to arise – get ahead of it right now.”
