Malaysian organisations are faring better with attempts to practise holistic data protection and compliance policies. However, they still need to overcome challenges to raise their game, according to several industry players.
These include implementing a data protection framework more strategically, embedding a data protection and security culture at all levels of the organisation, and developing stronger data protection IT skills.
Speaking to Computer Weekly about gauging the maturity of data protection and compliance in Malaysia, Tanvinder Singh, director of cybersecurity and privacy at PwC Malaysia, says it is not possible to paint a general picture of the state of data protection in the country using a scale of one to 10, one being poorest and 10 being the best.
“There are organisations with access to the best tools that have experienced data breaches because of human errors,” he says. “Data protection is a journey and not a destination. Hence a target compliance rating [of one to 10] will continue to be volatile.”
What matters more than an absolute score, says Singh, is how aware organisations are about assessing the impact of non-compliance, the possibility of breaches happening, and what they are doing to improve their overall security posture.
This includes having organisations identify their assets, detect anomalies, protect critical services, and respond to and recover from data breaches, he adds.
Agreeing with this view, Arivindran Saidoo, senior manager for security consulting at Accenture Malaysia, says there is a wide range of capability levels in the country to protect data and ensure compliance across organisations of all sizes and industries.
Saidoo notes that some organisations have the right tools and processes in place but are not using them to the fullest potential, while some still lack cultural awareness.
“However, with all the recent major data breach incidents in this region, Accenture is observing a positive trend of organisations taking the correct measures to address data security concerns,” he says.
Raymond Goh, head of systems engineering, Asia-Pacific and Japan, for Veeam Software, says two aspects affect the current state of data protection in Malaysia.
The first is whether organisations treat data protection as an afterthought, and the second is the operational changes required to improve data protection.
Goh says many organisations only think about data protection after they have suffered a data loss, but it is too late to act when that happens. This then leads to operational challenges that affect data protection.
“By the time an organisation gets into a data protection plan, they often rush to implement policies without thoroughly analysing their overall needs and requirements,” he says.
“Organisations need to think about data protection in tandem with any IT initiatives so that their data protection strategy will cover both the present and future, all of which will improve data protection and compliance.”
The people challenge
Underpinning the challenges facing many Malaysian organisations is the adage that data protection and compliance are only as strong as their weakest link. This invariably leads to what PwC’s Singh calls the “people component”.
Singh says organisations need to be constantly vigilant in maintaining high levels of awareness and engagement with employees and other stakeholders to ensure that best practices and policies are adopted and followed consistently.
“This applies to all employees, not only those we tend to think of as responsible for data security, such as IT or legal functions,” he says.
Veeam’s Goh agrees that many Malaysian organisations struggle with the people component and recommends that they begin addressing this challenge by instilling the mindset that a data breach can happen to anyone, any time, anywhere.
Organisations then need to put tools and systems in place to give them complete visibility of their data to establish clear data profiles, which can help them map protection strategies and expose any gaps they might have, he says.
“Lastly, review current data protection strategies, implement changes that are required to fill any gaps, and map out desirable business outcomes when embarking on any change,” says Goh.
Accenture’s Saidoo adds: “Organisations need to embed within the workforce a security-aware culture to be built on a continuous education programme and mandatory security training for all employees.”
Does legislation help?
Malaysia has had regulations in place for data protection in the form of its Personal Data Protection Act (PDPA), which was gazetted in 2010 but came into force only in 2013.
The PDPA affects how the data lifecycle is managed within an organisation. This covers the collection, storage, processing, retention and destruction of all personal data, including that of employees, customers and third-party suppliers.
Asked whether legislation such as the PDPA has helped curtail any lackadaisical attitude towards data protection and compliance, Saidoo says many organisations prioritise compliance over optimising their capability.
Saidoo argues that although compliance with data privacy laws forms the bedrock of securing data within an organisation, a structured, top-down approach must be taken to really address data protection needs.
“Every organisation should have well-defined data security policies that are in line with legal requirements to serve as the basis for all data security requirements and controls,” he says.
“An organisation’s security policies should then drive the accountabilities and responsibilities of data owners and data users.”
However, while legislation such as the PDPA has its value, Veeam’s Goh points out that an organisation’s top management ultimately plays the major role in ensuring that employees’ data is fully protected.
“Rather than merely complying with rules and regulations, organisations should consider them as guidelines,” he says. “With this mindset, they will be able to take into account the bigger picture and implement steps beyond legislation to protect data.”
Data in the cloud
One issue surrounding data protection and compliance that faces Malaysian organisations is the pressure to adopt cloud computing due to ongoing digital transformation efforts.
According to Dell Technologies’ 2020 Global Data Protection Index (GDPI), 64% of organisations in Asia-Pacific and Japan are investing in cloud-native applications, and 58% are keen on software-as-a-service (SaaS) applications.
Saravanan Krishnan, director of data protection solutions for Dell Technologies South Asia, says organisations may encounter limitations when moving and protecting sensitive data in the public cloud, especially outside their home country.
Chief data officers (CDOs) would need to classify and segregate sensitive and mission-critical data from their least sensitive or non-mission-critical data, says Krishnan.
“This needs to happen so that a cost-effective, risk-averse cloud operating model for both data protection and data sovereignty are adequately addressed,” he adds.
Krishnan also points out that managing data across today’s multiplatform, multi-cloud world is challenging for many organisations, even large, established ones.
“So, organisations simply cannot afford to only ‘keep the lights on’, but they need to understand that managing data protection processes and ensuring data integrity require alignment across the whole organisation,” he says.
Veeam’s Goh argues that organisations will have to make significant changes in how data is collected, stored and managed.
“This involves updating their IT design and infrastructure, setting up local servers and appointing data protection officers,” he says. “They will also need to take urgent steps to ensure they fully understand and have clear visibility into all network activity.”
PwC’s Singh says the overarching thing to bear in mind when dealing with data in the cloud is that privacy and security considerations should be a key part of any organisation’s cloud adoption strategy before any data migration work begins.
“Organisations need to consider spending resources on building their strategy around ‘secure adoption’ and having relevant toolkits, such as cloud adoption frameworks, policies, standards or control blueprints for secure cloud migration on a case-by-case basis,” he says.
Still, not all organisations have to worry about data being stored outside Malaysia, says Accenture’s Saidoo.
Noting that most major cloud suppliers give organisations the option to choose their preferred regions, Saidoo says these options specify where their data will be stored, and the supplier is legally bound through a service level agreement (SLA) to deliver accordingly.
He adds that Malaysia’s PDPA presents important considerations for organisations as they journey to the cloud, notably its restrictions on transferring personal data outside the country.
“In any case, we recommend a phased approach,” he says. “Organisations should conduct thorough assessments, after which applications and data can be migrated from the legacy infrastructure to the cloud in stages.
“Meanwhile, organisations can continue to run their services in a hybrid environment of on-premise, private and public cloud infrastructures.”
Are skills adequate?
With all the above-mentioned developments in Malaysia, industry observers have mixed views on whether Malaysia has the right IT skillsets to handle data protection and compliance competently.
Dell’s Krishnan cites a Malaysia-based study by LinkedIn, which suggests that the top jobs organisations are looking to fill are data scientists, data engineers and cybersecurity analysts.
This, he says, reflects a societal shift and shows that businesses in Malaysia are waking up to the realities of a data-driven economy, which bodes well for the country.
PwC’s Singh believes Malaysia’s data protection skillsets are being developed over time and that the country is on an upward trend.
“However, the spread is unequal, and there is a general scarcity of talent in the data privacy domain that can work with organisations to design and improve the controls needed to mitigate the associated risks,” he says.
Singh also advocates more collaboration among large and small organisations to share different approaches and their learnings.
Meanwhile, Veeam’s Goh describes Malaysian organisations as having only the bare minimum of skills, such as staff who can manage the backup and recovery of data, which he says is certainly not optimal.
“Backup administrators should progress from routine monitoring of backup and restore jobs to more strategic initiatives like cloud, mobile and edge computing and multi-cloud deployment,” he says. “Besides receiving classroom training, organisations should also look into on-the-job project-based training to enhance skill sets.”