In the last decade, as digitalization efforts swept all sectors, data, and sensitive data in particular, has become an increasingly valuable commodity, attracting the attention of both cybercriminals and legislators. Enterprises that collect the personal information of employees and customers have become attractive targets for cyberattacks and, because of their revenues, frequently fall within the scope of the new wave of data protection regulations.
Facing the double challenge of data protection and compliance, enterprises have begun investing heavily in data protection strategies, but they often choose to focus on external threats. While these do account for approximately half of all data breaches, 49% of breaches are due to human error and system glitches, according to the 2019 Cost of a Data Breach Report released by the Ponemon Institute and IBM Security.
Data security can easily be compromised through employee negligence: an email sent to the wrong address, a USB drive forgotten in a public place, or files too big for an email attachment transferred through third-party services with poor security practices. So what can companies do to ensure that their data is secure, not only from outsiders but also from insiders? Here are our tips.
Perform data auditing: Data auditing is the foundation of every good data protection strategy. The reason is obvious: before enterprises can start protecting their data, they must know what type of personal information they collect, where it is stored, and how it is used. By finding and monitoring sensitive data, companies can discover vulnerabilities in their data flows and make informed decisions when building their data protection strategies.
By addressing the risks they identify, enterprises can also save money by implementing solutions tailored to the specific vulnerabilities their data faces within their network. Data monitoring can also reveal poor data security practices among employees, which lets companies build more targeted and efficient training.
Educate employees: Enterprises must ensure that employees understand the importance of data protection and the reputational and financial consequences of a data breach. Training should be offered to all employees who directly handle sensitive data, making sure that they are aware of data security best practices and the steps they need to take to avoid a potential security incident.
Employee training can be greatly improved by presenting clear scenarios that may occur in day-to-day tasks. Practical advice that can be applied directly after the training ends is also an important part of any successful training exercise. Training can also be used to correct practices identified as potentially hazardous during data auditing.
Understand compliance and regulatory requirements: While a sturdy data protection strategy can keep an enterprise’s sensitive data secure, that does not necessarily mean the enterprise is also compliant with data protection regulations. Indeed, many new laws such as the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) not only require that companies keep data secure, but also grant data subjects new rights with regard to their data, such as the right to be forgotten or the right to opt out of the sale of their personal information.
It may also be that data auditing shows a company does not need certain protection mechanisms, yet the law requires it to implement them regardless of whether they are useful to it. It is therefore essential that enterprises understand which compliance requirements apply to their sector and country and make sure that their data protection strategies integrate them.
Protect data on the move: Many enterprises tend to focus their data protection strategies on sensitive data found within the confines of the company network. However, as remote work gains popularity or is mandated during emergencies such as the recent Covid-19 pandemic, data protection strategies should also include policies that ensure data stored on company devices stays protected whether those devices are in the office or not.
VPNs and data protection solutions that apply policies at the endpoint level, and therefore remain active outside the company network, are among the things enterprises should consider when building their data protection strategies for remote work.
Control devices that connect to your network: Another blind spot of data protection strategies is removable devices such as USB drives. Now a popular hacking tool and a frequently lost item, USB drives have been undermining companies’ data protection strategies for years. Enterprises have the option of blocking their use altogether by adopting device control tools that allow them to block or limit the use of peripheral and USB ports on company computers.
Alternatively, they can introduce trusted devices, allowing only company-issued removable devices to connect to a work computer. There is also the possibility of enforcing encryption on all USB drives connected to a company endpoint, ensuring that every time an employee copies files onto a USB drive they are encrypted and not accessible to anyone without the password.
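The three device-control options just described (block everything, trusted devices only, or force encryption) applied to kernel-style USB enumeration messages, as an added example that is not from the original article or any CoSoSys product; the log lines, the vendor/product/serial values and the trusted-device allowlist are constructed for illustration.

```python
import re

# Constructed sample of kernel-style USB enumeration messages (hypothetical
# devices and serial numbers, not taken from any real system).
SAMPLE_DMESG = """\
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: SerialNumber: 4C530001234567890123
usb 2-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 2-3: SerialNumber: E0D55EA5740C
"""

# Company-issued ("trusted") drives keyed by vendor id, product id and serial.
# Hypothetical allowlist; a serial match is what stops a look-alike drive.
TRUSTED_DEVICES = {("0781", "5567", "4C530001234567890123")}

FOUND_RE = re.compile(r"^usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
SERIAL_RE = re.compile(r"^usb (\S+): SerialNumber: (\S+)")


def parse_devices(log_text):
    """Correlate 'device found' and 'SerialNumber' lines by USB port path."""
    devices = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"vid": vid.lower(), "pid": pid.lower(), "serial": None}
            continue
        m = SERIAL_RE.match(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["serial"] = m.group(2)
    return devices


def decide(device, mode):
    """Apply one policy mode: block_all, trusted_only or encrypt."""
    if mode == "block_all":
        return ("block", "removable devices disabled by policy")
    if mode == "trusted_only":
        key = (device["vid"], device["pid"], device["serial"])
        if key in TRUSTED_DEVICES:
            return ("allow", "company-issued device")
        return ("block", "device not on trusted list")
    if mode == "encrypt":
        return ("allow_encrypted", "writes forced into an encrypted container")
    raise ValueError(f"unknown mode {mode!r}")


def audit(log_text, mode):
    """One (port, vid:pid, serial, action, reason) record per device."""
    return [(port, f"{d['vid']}:{d['pid']}", d["serial"]) + decide(d, mode)
            for port, d in sorted(parse_devices(log_text).items())]
```

Records whose action is "block" are the ones worth forwarding to the SIEM, since a repeated blocked insertion from the same serial is an early sign of the negligence the article describes.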
Implement a data breach response plan: Finally, no data protection strategy is foolproof. Even the comprehensive CIS 20 Critical Security Controls can only prevent 97% of all data breaches. This is mainly due to the unpredictability of security incidents: a new software or hardware vulnerability can be discovered and exploited before it is patched, or a well-trained employee can be tired and make a careless mistake.
The most effective way to deal with a data breach is to plan ahead. By putting together a data breach response plan and testing it, enterprises can make sure that, if a data breach does occur, its causes are swiftly discovered, remediation actions are taken, and employees know exactly how to proceed. An efficient response to a data breach can save companies considerable expense and help limit the severity of a security incident.
- Filip Cotfas
- The author is Channel Manager, CoSoSys.