Data protection, once a marginalized subsection of the cybersecurity industry, has increasingly become a major concern, especially for companies deploying Cloud-based applications. GDPR, CCPA, PIPEDA: the list goes on, but they all have one thing in common, a focus by regulators worldwide on addressing the issues presented by the use of digital big data.
As the amount of data that companies manage and leverage increases exponentially, organizations are being encouraged to think of new methods of managing their data risk exposure beyond the traditional paradigms. Off-the-shelf antivirus solutions no longer suffice; a more comprehensive policy for the management and protection of company and client data is required.
This article reviews the tactics executives need to employ for a successful data protection strategy.
What Is a Data Protection Strategy?
Any modern company is concerned with two elements, time and money, and a weak data protection strategy will have a negative impact on both. However, aside from the direct costs to a company, its overriding concern is the protection of its own and its customers’ data. Inferior performance in this regard will damage a company’s reputation, possibly beyond repair.
Recent cyber attacks, such as Estée Lauder’s exposure of 440 million customer records, including email addresses as well as company network information, left more than a bad smell in the air for the cosmetics company. And the leak of 85 million customer records by THSuite, a point-of-sale system in the cannabis industry, left its management high, but not so dry.
And it’s not just the theft of data that concerns companies who fall foul of cyber criminals; there is also the real possibility of huge monetary fines. Companies found to have weak data security or to have made avoidable mistakes have been subjected to penalties in excess of one billion USD, and this figure continues to climb.
But cyber attacks are not the only concern of a company’s Data Protection Officer. Of equal importance is the creation, movement, storage, and deletion of the company’s data resources and intellectual property.
As companies continue to accrue more and more data, stored on an increasing number of endpoints linked by networks around the globe, the attack surface also expands. And, with the increasing exposure of customer data, regulatory legislation has been designed to better protect the personal information of consumers.
Here are seven essentials every data protection strategy needs:
1. Data Risk Management
This is the first step in any data protection process. It involves identifying and assessing the risks to which your company’s data is exposed. Once those risks have been determined, the next step is to define rigorous processes by which those exposures can be managed and mitigated. Data risk management also defines a comprehensive approach to measuring risk at any point in time and raising alerts when defined risk thresholds are exceeded.
2. Map Server Workload Data Flows
You can’t define a detailed data protection policy unless you know where your data (known and shadow data) is and where it’s flowing. Mapping data flows is an essential element in identifying the risks to which that data is exposed. In addition to actual data flows, any potential data pathways must also be defined. For example, the COVID pandemic saw millions of workers around the world working from home, which presented huge challenges for companies in securing those new data pathways and endpoints. Data flows also encompass the entire data chain, from creation to transmission, storage, archiving, and destruction.
3. Monitoring and Review
Your company’s data must be transparent at all levels. However, the distributed nature of modern Cloud architecture makes this difficult, since most organizations are used to siloed servers that each serve a single process.
While the transition to a distributed tech stack has improved the performance and efficiency of the software development lifecycle, it has also presented challenges to data protection policies, especially when trying to comply with regulations such as GDPR.
In addition, the distributed nature of the Cloud makes it difficult for information security professionals to monitor the entire organizational ecosystem for data breaches, since the landscape extends well beyond the organization into third-party applications. DevSecOps teams, which combine security and software development capabilities, are increasingly trying to map out their stack. A good starting point is creating dependency graphs.
However, these are static mappings that don’t adapt in real time to changes made in the stack. This is where Data Security Posture Management (DSPM) solutions can be of service.
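The data-flow mapping of step 2 and the dependency graph mentioned above can be combined into one check: a graph of declared flows, reconciled against observed ones, tells you which third-party applications personal data reaches and which pathways are shadow data nobody declared. The following is an added illustration, not code from the article or any DSPM product; the component names, data classes and flows are constructed.

```python
from collections import defaultdict

# Constructed inventory of a small cloud stack (hypothetical component names);
# the value marks whether a component is internal or a third-party service.
NODES = {"web-app": "internal", "orders-db": "internal", "analytics-etl": "internal",
         "crm-saas": "third-party", "metrics-saas": "third-party"}

# Flows each team declared in its data inventory: (source, destination, data class).
DECLARED_FLOWS = [
    ("web-app", "orders-db", "pii"),
    ("orders-db", "analytics-etl", "pii"),
    ("analytics-etl", "metrics-saas", "telemetry"),
    ("web-app", "crm-saas", "pii"),
]
# Flows actually observed (constructed, as if reconciled from egress/flow logs); the extra
# PII edge into the metrics vendor is the kind of shadow data flow the article warns about.
OBSERVED_FLOWS = DECLARED_FLOWS + [("analytics-etl", "metrics-saas", "pii")]

def build_graph(flows):
    """Adjacency list: node -> [(destination, data class)]."""
    graph = defaultdict(list)
    for src, dst, cls in flows:
        graph[src].append((dst, cls))
    return graph

def shadow_flows(declared, observed):
    """Observed flows nobody declared: candidate shadow data pathways to investigate."""
    return sorted(set(observed) - set(declared))

def third_party_exposure(flows, data_class):
    """Map each third-party component to every path by which data_class reaches it.
    Only edges carrying data_class are followed, starting from nodes that receive none
    of it, so each path begins where that data class originates."""
    graph = build_graph(flows)
    receives = {dst for _, dst, cls in flows if cls == data_class}
    exposures = defaultdict(list)

    def walk(node, path, seen):
        for dst, cls in graph[node]:
            if cls != data_class or dst in seen:  # skip other classes and cycles
                continue
            if NODES[dst] == "third-party":
                exposures[dst].append(path + [dst])
            walk(dst, path + [dst], seen | {dst})

    for origin in NODES:
        if origin not in receives:
            walk(origin, [origin], {origin})
    return dict(exposures)
```

Re-running `shadow_flows` and `third_party_exposure` whenever the observed flows change is the continuous version of the static dependency graph the text describes.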