Whether you’re a utility or municipality servicing a small rural region, or a large city with millions of customers, you’ve got lots of sensitive, unstructured data across multiple file shares. Growing data privacy and protection regulations mean that every employee across the business has an obligation to know what sensitive customer data the business has, so the business can better protect it.
Smart, connected and digital city projects are vital to communities for both the economic and social opportunities they support. Yet they also introduce a number of new challenges, especially when it comes to security and data privacy.
In preparation for their Smart/Connected/Secure Cities webinar series, security solutions provider and Connex founder David Van Remortel and Cavelo’s own James Mignacca sat down for a discussion on how cities and municipalities implementing smart or digital city projects can protect their data by taking control of their data.
David van Remortel (DVR): New use cases are changing the way cities can and should look at digital transformation within their projects. What are some of the use cases influencing current digital transformation trends?
James Mignacca (JM): The pace of adoption when it comes to digital transformation has accelerated over the last several years, but what we’ve seen recently is that companies who were sort of holding back have been forced to advance their plans because of the pandemic. The distributed work model is driving exponential data growth, which means that sensitive data is everywhere.
Regardless of where a business is at on their digital transformation journey, we always encourage best practices that support threat defense while ensuring alignment to the various compliance standards that affect their business.
It’s important to note that 10 years ago, security focused on the perimeter and having basic measures like having a firewall to protect the data that lived within the perimeter. But today the perimeter doesn’t exist. Data lives everywhere - because business happens everywhere, so we have to look at data loss prevention in a different way.
DVR: Is there still disparity between the kinds of cybersecurity solutions available to enterprises versus those within reach for small to midsize businesses?
JM: There are a ton of solutions available today, but the reality is that small enterprise and SMB can’t afford most of the solutions enterprises use. Large enterprises have large budgets that they can throw at the problem. Yet 36 billion records were exposed in 2020 and many of those breach events impacted large enterprises. Even with large budgets, enterprises struggle to protect their customers’ private information, so when we talk about disparities and the solutions that are available or accessible, we come back to the reality that unless you know where your data is, you cannot protect it.
DVR: When it comes to municipalities and cities, what kind of sensitive information do they have, and how should they be guarding it, especially as they navigate their smart or digital city projects?
JM: Municipal customers include you and me – taxpayers. And the types of information that they collect are very sensitive. When it comes to municipal or city employees, lack of processes across the business and multiple file shares mean that information and sensitive data accidentally end up somewhere they shouldn’t.
With any data management exercise, the first step is to identify and understand the data that’s important to the organization. Interestingly, what that list looks like varies from municipality to municipality. For example, in some cases municipalities who are farther along the smart city path might have traffic telemetry information. Every city and municipality has sensitive development plans. The key is taking time to establish a prioritized list and identify what information types classify as personally identifiable information. The result is a foundation that will help the organization mobilize data discovery, classification and ultimately, data tracking.
DVR: How are regulatory measures and data privacy impacting how municipalities and cities think about sensitive data?
JM: GDPR (the General Data Protection Regulation) has been a vehicle for change – it’s arguably changed the compliance and data privacy landscape as it’s given individuals more power over their own data and how their data is used and shared. Conversely, businesses are held to a stronger measure of accountability as custodians of personal data.
Regulatory compliance used to be about ‘checking a box’, but now companies are coming to the table understanding that they need to ensure they’re aligning to regulatory and data privacy measures, but they just don’t know where or how to start.
We help them interpret frameworks and industry requirements and provide the reports and documentation they need to achieve compliance. More importantly, we work with them to change behaviors for the positive to protect data.
DVR: Are you seeing a correlation between trending threat vectors and the kinds of information threat actors or attackers are targeting?
JM: The greatest theme right now is that time is not on our side. Ransomware attacks, and phishing campaigns pushing ransomware attacks, are rising in frequency and targeting businesses of all sizes. Attackers look for the path of least resistance and oftentimes that means they’re targeting personal information, like credit cards or other identifiers that they can use and/or sell on the dark web.
DVR: How can municipalities and cities get a handle on their sensitive data?
JM: Following industry best practices and putting proper processes, controls and mechanics in place is critical to gain control over where data lives – and where it shouldn’t.
We work with customers to help them sort through their data types and identify where data should live. For example, if salespeople shouldn’t have customer credit card information on their machines, we’ll help them set alerts so they’ll be notified when data ends up somewhere it shouldn’t or gets moved around. From an application standpoint, it’s working with customers to make sure vulnerabilities are taken care of and ensure systems are configured properly.
It starts with hardening the foundation and taking the time to navigate data management exercises.