Many business leaders associate data protection with cyberattacks, mainly because of the alarming news stories that continue to surface—from the WannaCry ransomware attack that spread across 150 countries to Equifax’s massive breach that affected as many as 147.9 million consumers. Luckily, media coverage of these incidents has spurred much-needed awareness of data security. However, cyberattacks are just one concern when it comes to developing a comprehensive data protection strategy.
You may be surprised to learn that the practices and processes your company uses on a daily basis are far more likely to put your important data at risk. Unsafe practices by your employees, for instance, create vulnerabilities for your organization, but are preventable if you implement the right defenses with a data protection strategy.
We’ve gathered considerations on what to include in your data protection strategy, outlined how you can balance innovation and productivity with security, and collected tips on how to get buy-in from your board and C-level execs.
Part 1: Why Data Protection Must Be a Top Business Priority
A recent Dell end-user security survey revealed that 72 percent of employees would share sensitive, confidential, or regulated company information under certain circumstances. These internal risks can be as deadly as the chance of cyberattack. Here’s why you need to create processes that protect your business and educate your employees, managers, and security experts on the role they play in data security.
Many companies manage data protection with a reactive approach. In fact, 62 percent of companies said they would not increase their cybersecurity spending after experiencing a breach that appeared to do no harm. Companies unfamiliar with the risks often wait until it is too late to fix them. Knowing ransomware attacks have quadrupled to 4,000 a day over the course of a single year isn’t enough. The importance of data security requires that companies know the value of what they are protecting internally.
The Importance of Data Security in Protecting Your Assets
While traditional assets were formerly measured in real estate and cash holdings, today’s economy measures value differently. Intellectual property, revenue, and reputation are all at stake. And without clear security measures and an internal auditing system, employees are left to make judgement calls on each piece of data on a case-by-case basis.
Connecting Innovation and Data Security Threats
Research shows a direct link between innovation and the risk of cyberattack. This is trickiest for businesses that depend on their ability to launch new software, applications, or products on a regular basis. Simply put, they must also place a greater investment in security and take a proactive approach.
The “Ponemon Institute’s 2016 Cost of Cyber Crime Study” revealed:
- Cost of cybercrime increased 20 percent during acquisition or divestiture of companies
- Launch of a customer-facing app increased cybercrime costs 18 percent
- Companies engaged in 5 or more types of innovation had greater than average costs of cybercrime
The importance of a data protection strategy can’t be overestimated in planning for an app launch or for corporate innovation. Without factoring in data security, the same innovations you are depending on to grow can backfire and hurt your company in the near term.
Preparing for the Internet of Things (IoT)
Experts say that the IoT increases risk vectors for cyberattack at a rate we have never seen. The more data you store, transfer, and manage, the more opportunity there is for risk. Deloitte states that innovation and data security should be of equal importance, and an integrated risk philosophy is not optional; only a centralized approach is able to secure all business regions, products, and business units. Whether you are an innovator in the market or have a mature product or service, there are factors that apply to you, like how well you control access to data across every endpoint connected to your network.
Compliance and Regulation
Security and compliance issues are also a major hurdle for some business leaders—often due to lack of resources and knowledge.
HIPAA-HITECH mandates are an example of how regulations should be integrated into the security standards of your company and into your daily operations. Health providers and insurers aren’t the only markets where HIPAA processes are standard concerns. Your Human Resources and management personnel need safeguards in place against sharing private information. When designing a security process to protect your data, every aspect of business should be audited for risk, and you should map your compliance requirements to a specific mitigation method. Whatever the method, processes and technology should provide optimal protection while allowing your employees to work without limitations.
Part 2: How to Convince C-Suite Decision Makers to Make Data Protection a Top Priority
Data protection should be top of mind for chief executives and company-wide decision makers, but competing priorities and limited budgets are common barriers. Convincing C-suite executives of the priority of data security is crucial. A recent article in the Harvard Business Review cites a troubling disconnect between executives and IT professionals within organizations.
The study noted that in the event of a security breach, C-suite executives and IT decision makers were likely to blame the other. This is definitely not the climate you want to foster in your organization. There was widespread agreement between executives and IT decision-makers on the fact that a cyber threat to their company could easily take place in the next 12 months, and that the frequency and severity of attacks will only increase.
Knowing that it’s only a matter of time before a security incident occurs and that a rapid and thorough response will be needed, how can executives be encouraged to make data security a top priority?
Improving Your Data Protection Strategy: Understanding, Training, and Better Protection
One of the mistakes businesses make in preparing a security plan and investing in their data protection is underestimating the risks. In order to improve data security, executives and IT pros need to get on the same page. Through greater understanding and more thorough training, plans can be implemented for better data protection.
1. Understanding the Value of Information Security
Understanding the importance of data security investment needs to start at the top in order to get the right budget, people, technology and processes in place. Help your executives gain a clearer sense of what’s at stake when your critical data and systems are not protected. Colin McKinty, in the Harvard Business Review, notes, “It isn’t just about what the thieves get away with. A successful cyber-attack can have far reaching implications such as impacting share price, lost business, fines—even a failed strategic investment or merger.” If you’re in healthcare, financial services or another regulated industry, you must also consider the cost of non-compliance or data protection negligence. You could face fines from regulators, customer loss, patient lawsuits and major reputational damage. The more data, real-world examples, and specifics you use to demonstrate the importance of data protection, the better. Here are some stats to get you started:
- Nearly 5 million data records are lost or stolen worldwide every single day, according to the Breach Level Index
- Smaller breaches often go unreported, and it’s not unusual for exposure to be greatly underestimated in the initial aftermath. For example, the real impact of Yahoo’s 2013 breach only came to light in Oct 2017.
- “The 2017 Cost of Data Breach Study” from the Ponemon Institute estimates the average cost at $3.6 million, or $141 per data record.
- About 60 percent of hacked small and medium-sized businesses go out of business after six months.
When pitching your data protection strategy to your leadership team, be sure to include how you’re going to implement the plan and train everyone in the organization—after all, the plan is no good if no one knows how to use it or why it’s in place. Training should not be a one-and-done proposition, but an ongoing expectation. A recent Dell survey found that nearly a quarter of the workforce finds it difficult to keep pace with changes in policy and procedures. So training is both extremely important and a constantly evolving part of the security equation. If you need motivation, just remember that the faster a data breach or security incident is discovered and contained, the less it will cost your business.
3. Highly Targeted Protection
Like most business concerns, the importance of data security can be a benefit to your business if you tailor the solution to your business. You should identify the value of your assets before you determine the investment that’s required to protect them. Data classification is the first step in that process. While businesses need to invest greater resources in their data protection, it’s not always easy to know how to allocate those resources.
“One of the challenges businesses face today is that they have technology in place to mitigate threats like malware. The problem is isolated tools and tech alone are not sufficient,” says OnRamp Head of Info Sec Nikola Todev. “Organizations should focus on visibility of what is going on within their environment and on the effectiveness of their procedures. User activity visibility combined with common sense protection, preventive measures, awareness, and incident response should be your top priorities.” Also, a multi-layered technology approach is recommended based on the type of data and systems you have in place and your compliance and security goals. SIEM software, for instance, is one tool that greatly improves your ability to gain visibility into your IT environment and stop threats before they escalate.
As executives and IT decision-makers come to a common agreement on the wide-ranging impact a data breach can have, they will become greater allies in understanding, training, and developing a data protection strategy for the crucial data assets of your organization.
OnRamp specializes in helping organizations take control of their security and compliance posture. If your organization needs assistance developing a data protection strategy from scratch or improving your current plan, please reach out. Our security experts are available to help you reduce risk, and you can get started for free with our consulting services.
The original version of this post was first published on Onramp.