Data has become ubiquitous: from business processes and applications to smart phones, tablets and printers, the places data is stored and processed have moved beyond the confines of traditional network infrastructure and, implicitly, outside its protection mechanisms.
As a consequence, data breaches have become increasingly common, leading to a global movement towards the adoption of stricter regulations for the protection of users’ personal data. Notably, the EU’s General Data Protection Regulation (GDPR) is seen as a trailblazing legislation that enforces individuals’ rights and makes companies accountable for the security of the data they process.
But while compliance is important to avoid fines, the threat of data breaches should be a wake-up call to all companies, no matter which country they operate from or where their customers are located. As seen daily in the headlines, attacks and leaks rarely have anything to do with borders, but more with the amount of data a company stores and processes and the weakness of its security measures.
In the broader context of digitalization and of insider and outsider threats, there are a few basic steps organizations can take to build a solid foundation for data protection:
1. A data-centric approach
Traditional security strategies rely on perimeter-based approaches to data protection such as firewalls, antiviruses and antimalware solutions. While these remain a vital part of protecting networks and IT infrastructure from malicious attacks, new technology and work practices have brought an increased level of flexibility and dynamism to the way data is handled and travels inside and outside a network.
Among them, the rise of BYOD and remote work, along with increased reliance on cloud and third-party services, means that data is continuously leaving the security of in-house networks and entering vulnerable environments, sometimes, due to the rising phenomenon of shadow IT, without the knowledge of the company.
It is therefore important for companies to adopt a data-centric mindset when discussing data protection policies. What this essentially means is that the focus should shift from one aimed exclusively at networks and IT infrastructure to the sensitive data that needs to be protected within them. When a system’s perimeter becomes fluid and its extensions potentially hazardous, it is easier to identify and protect crucial sets of data than to defend every path they might travel.
2. Defining sensitive data
Companies need to, first of all, classify the data they collect and store based on its importance. One category, automatically considered sensitive and falling under the scope of most data protection regulations, is personally identifiable information (PII): data which can be used to identify, contact or locate a single person. PII includes names, credit card numbers, addresses, emails, passport numbers, tax IDs etc.
Another category is the internal information every company collects and needs to keep private: financial data, HR, accounting, billing etc. Lastly, based on a company’s particular sector, additional sensitive data can be defined: for hospitals and healthcare providers it can be patient health information, for software companies their products’ code, for media and publishing companies copyrighted materials etc.
3. Data protection policies
Once sensitive data has been identified, company-wide policies for its protection can be established. Organizations must first determine whether there are any compliance requirements they must meet and use those as a basis for incorporating all relevant data categories deemed high risk.
Policies should be established in consultation with the departments they may affect, to ensure that any new protective measures do not hinder their day-to-day work.
4. Personnel training
Another important step towards an effective data protection strategy is raising awareness of new policies and compliance requirements among employees. Most of the time, they are unaware of the protocols they must follow to keep data secure and of the risks the company runs when data is handled carelessly.
Employee negligence is one of the leading causes of data leaks, so training is crucial to inform employees of their duties concerning data protection so that they process it with greater care and focus.
5. Using specialized software to protect data
To ensure that data protection policies are accurately implemented, they can be enforced through the deployment of specialized Data Loss Prevention (DLP) tools, which can control data both at rest within the network and in transit.
Solutions such as Endpoint Protector offer organizations the option of transforming company policies into rules and definitions, based on which data can be blocked from transfer, deleted or encrypted when found on unauthorized users’ computers or automatically encrypted when transferred onto USB portable devices.
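As an added illustration, not code from this post or from Endpoint Protector, the following Python sketch ties steps 2 and 5 together: it tags content containing the two PII types from step 2 that have a checkable format (email addresses and Luhn-valid card numbers) and maps the result onto the block/encrypt/allow rule types described above. The sample document, destination names and policy table are constructed assumptions.

```python
import re

# Constructed sample document (not real customer data).
SAMPLE_TEXT = """Invoice 2024-001
Customer: Jane Roe <jane.roe@example.com>
Card on file: 4111 1111 1111 1111
Ship to: 12 Example Street"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out invoice or order numbers that only look like cards."""
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the PII categories found in text (only those with a checkable format)."""
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("credit_card")
    return found

# Assumed policy table: what a DLP rule does when sensitive data heads to a destination.
POLICY = {"usb": "encrypt", "cloud_upload": "block", "internal_share": "allow"}

def decide(text: str, destination: str):
    """Map a transfer of `text` to `destination` onto a policy action and the categories found."""
    categories = classify(text)
    if not categories:
        return "allow", categories
    return POLICY.get(destination, "block"), categories   # unknown destinations are blocked

if __name__ == "__main__":
    for dest in ("usb", "cloud_upload", "internal_share"):
        print(dest, decide(SAMPLE_TEXT, dest))
```

Names, addresses, passport numbers and tax IDs from step 2 have no universal checkable format, so a real DLP deployment matches them with dictionaries or country-specific patterns rather than a single regex.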
In an age when trust in companies will be defined by the level of data security they can provide customers and employees alike, organizations failing to come up with an effective data protection strategy are likely to lose both business opportunities and users and leave themselves vulnerable to breaches and leaks.