Data protection, once a marginalized subsection of the cybersecurity industry, has increasingly become a major concern, especially for companies deploying cloud-based applications. GDPR, CCPA, PIPEDA: the list goes on, but they all have one thing in common, a focus by regulators worldwide on the risks created by collecting and processing personal data at scale.
As the volume of data that companies manage and leverage keeps growing, organizations are being pushed to manage their data risk exposure in ways that go beyond the traditional paradigms. Off-the-shelf antivirus is no longer enough; a more comprehensive policy for managing and protecting company and client data is required.
This article reviews the tactics executives need to employ for a successful data protection strategy.
Any modern company is concerned with two things, time and money, and a weak data protection strategy hurts both. Beyond those direct costs, however, a company's overriding concern is the protection of its own and its customers' data. Failure here damages a company's reputation, possibly beyond repair.
Recent incidents illustrate the point. Estée Lauder's exposure of 440 million records, including email addresses and internal network information, left more than a bad smell in the air for the cosmetics company. And the leak of some 85,000 files containing customer records by THSuite, a point-of-sale system used in the cannabis industry, left its management high, but not so dry.
And it's not just the theft of data that should worry companies that fall foul of cyber criminals; there is also the real possibility of heavy regulatory fines. Companies found to have had weak data security, or to have made avoidable mistakes, have faced penalties running into the hundreds of millions, and in the largest case billions, of US dollars, and the amounts continue to climb.
But cyber attacks are not the only concern of a company's Data Protection Officer. Of equal concern are the creation, movement, storage, and deletion of the company's data and intellectual property.
As companies accrue more and more data, stored on a growing number of endpoints linked by networks around the globe, the attack surface expands with it. And, as more customer data is exposed, regulators have written legislation to better protect consumers' personal information.
Here are seven essentials every data protection strategy needs:
Data risk management is the first step in any data protection process. It involves identifying and assessing the risks to which your company's data is exposed. Once those risks have been determined, the next step is to specify how each exposure will be managed and mitigated. Data risk management also defines how risk is measured at any given point and triggers alerts when an acceptable risk level is exceeded.
You can't define a detailed data protection policy unless you know where your data, known and shadow data alike, is and where it's flowing. Mapping data flows is essential to identifying the risks to which that data is exposed. In addition to actual data flows, potential data pathways must also be defined. For example, the COVID pandemic saw millions of workers around the world working from home, which presented companies with the huge challenge of securing those new data pathways and endpoints. Data flows also span the entire data lifecycle, from creation to transmission, storage, archiving, and destruction.
Your data must be visible at every level of the organization. However, the distributed nature of modern cloud architecture makes this difficult. Most organizations are used to siloed servers that each serve a single process.
While the transition to a distributed tech stack has improved the performance and efficiency of the software development lifecycle, it has also created challenges for data protection policies, especially when trying to comply with regulations such as GDPR.
In addition, the distributed nature of the cloud makes it difficult for information security professionals to monitor the entire organizational ecosystem for data breaches, since the landscape extends well beyond the organization into third-party applications. DevSecOps teams, which combine security and software development skills, are increasingly trying to map out their stack. A good starting point is a dependency graph of the services, data stores, and third parties through which data moves.
However, such graphs are static mappings that don't adapt in real time to changes made in the stack. This is where Data Security Posture Management (DSPM) solutions can help.
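As an added illustration of the dependency-graph approach, and not code from the original page or from Polar Security: the Python below builds a toy flow graph over a constructed inventory of services and data stores, then derives the kind of findings a data flow map is meant to surface. The node names, attributes, flows, and the three rules (unencrypted personal data at rest, personal data leaving the organization, personal data reachable from an internet-facing service) are assumptions made for the example.

```python
"""Toy data-flow map with reachability checks (constructed example, not a real stack)."""
from collections import deque

# Constructed inventory: each node is a service or a data store with a few attributes.
NODES = {
    "cdn-edge":         {"kind": "service", "exposed": True},
    "web-api":          {"kind": "service", "exposed": True},
    "billing-svc":      {"kind": "service", "exposed": False},
    "analytics-job":    {"kind": "service", "exposed": False},
    "customers-db":     {"kind": "store", "classification": "PII", "encrypted": True},
    "orders-db":        {"kind": "store", "classification": "internal", "encrypted": True},
    "s3-export-bucket": {"kind": "store", "classification": "PII", "encrypted": False},  # shadow copy
    "third-party-crm":  {"kind": "store", "classification": "PII", "encrypted": True,
                         "third_party": True},
}

# Directed data flows, source -> destination (constructed).
FLOWS = [
    ("cdn-edge", "web-api"),
    ("web-api", "customers-db"),
    ("web-api", "billing-svc"),
    ("billing-svc", "orders-db"),
    ("customers-db", "analytics-job"),
    ("analytics-job", "s3-export-bucket"),
    ("analytics-job", "third-party-crm"),
]


def build_graph(flows):
    """Adjacency list of the directed flow graph."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, goal):
    """BFS with parent pointers; returns the node tuple start..goal, or None if unreachable."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return tuple(reversed(path))
        for nxt in adj.get(node, []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def sensitive_stores(nodes):
    """Stores holding personal data, in stable order."""
    return sorted(n for n, a in nodes.items()
                  if a["kind"] == "store" and a.get("classification") == "PII")


def assess(nodes, flows):
    """Return findings as (rule, store, path) tuples for the three assumed rules."""
    adj = build_graph(flows)
    findings = []
    for store in sensitive_stores(nodes):
        attrs = nodes[store]
        if not attrs.get("encrypted", False):
            findings.append(("UNENCRYPTED_PII", store, (store,)))
        if attrs.get("third_party", False):
            findings.append(("PII_LEAVES_ORG", store, (store,)))
    for svc, attrs in nodes.items():
        if attrs["kind"] != "service" or not attrs.get("exposed", False):
            continue
        for store in sensitive_stores(nodes):
            path = shortest_path(adj, svc, store)
            if path:
                findings.append(("INTERNET_REACHABLE_PII", store, path))
    return findings


def new_findings(old_nodes, old_flows, new_nodes, new_flows):
    """Findings introduced by a change to the stack; a static map only sees them when re-run."""
    before = set(assess(old_nodes, old_flows))
    return sorted(f for f in assess(new_nodes, new_flows) if f not in before)


if __name__ == "__main__":
    for rule, store, path in assess(NODES, FLOWS):
        print(f"{rule:24} {store:18} via {' -> '.join(path)}")

    # A developer adds an unencrypted debug dump fed by the billing service (constructed change).
    changed_nodes = {**NODES, "debug-dump": {"kind": "store", "classification": "PII",
                                             "encrypted": False}}
    changed_flows = FLOWS + [("billing-svc", "debug-dump")]
    for finding in new_findings(NODES, FLOWS, changed_nodes, changed_flows):
        print("NEW:", finding)
```

On the constructed inventory the shadow export bucket is flagged twice, once for being unencrypted and once because an internet-facing service can reach it through the analytics job, while the internal orders database produces no finding. The `new_findings` call shows why a graph like this has to be regenerated after every change: the debug dump is only caught because the assessment is run again on the changed inventory.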
Data breach prevention should be at the heart of your data protection policy. Such policies protect against intrusion by external threat actors as well as sabotage by malicious insiders. Note that a substantial share of data breaches involve internal actors, whether through malice or error.
Data must be secured on all planes, from core to edge. Perimeter defense alone is no longer enough: data must be encrypted at rest and in transit, and every endpoint that handles it must run current endpoint protection.
Regulatory obligations such as those defined by the EU General Data Protection Regulation (GDPR), which protects the data rights of individuals in the EU, and the California Consumer Privacy Act (CCPA) must also be met. Failure to comply can result in significant financial penalties.
Commonly known as the CIA Triad, this is a model for defining organizational data and information security policies: confidentiality, integrity, and availability. (The same model is sometimes called the AIC Triad, availability, integrity, and confidentiality, to avoid confusion with the US intelligence agency.)
Your company has an absolute obligation to protect the sensitive information entrusted to you by your clients, as well as to secure your own company information, patents, and other intellectual property.
In the terms of the triad: your data must be kept confidential, it must be accurate and complete and altered only by authorized parties, and it must be readily available to the personnel authorized to use it.
The core of your data protection policy will be cybersecurity management: securing your company's data as it flows across company networks. Key to this is the range of tools that protect against threat actors intent on breaching your cyber defenses. Access by external cyber criminals exposes your company to unacceptable financial risk and to considerable damage to its reputation.
Cybersecurity management involves an extensive set of security policies (the "what") and procedures (the "how") designed to protect your company's assets from cyber attack. These span physical security as well as administrative controls such as password management, security testing, awareness training for employees, and comprehensive management reporting.
Access management covers the whole range of data access, from internal company users to customers, third-party contractors, and suppliers. Every user is defined, with specific levels of access to company databases and systems, so that unauthorized access, use, or transfer of data is prevented. Strong data access control is a key requirement for external auditors as well as for regulators enforcing laws such as the GDPR.
This article has covered seven key aspects of a comprehensive data protection policy. Polar Security is an automated data security and compliance company whose platform manages decentralized data stores across cloud infrastructure, regions, VPCs, and services, and monitors flows between workload applications. Its technology automatically maps and follows your data and data flows across distributed cloud storage to provide deep visibility and protection for your data assets.