When it comes to data protection and regulatory compliance, most organizations do not take into account all the risk factors that can undermine their security program. A lack of awareness and preparation can leave a business unable to protect its company data or to prevent the data breaches that could cost it its reputation.
No BYOD Policies
According to a research study, uncontrolled user access to data and poor management of where data is stored are two of the biggest mistakes regarding a company’s data security.
Reaching compliance is already a complex process, and companies that allow their employees to transfer data inside and outside the network make it even more difficult. No employee training or monitoring, combined with no BYOD policy, is a sure road to failure for any business.
The study shows that many IT professionals (69%) allow employees to transfer data to their personal mobile devices with only minor limitations, and another considerable share (33%) allow employees to move data to cloud apps without any restrictions, exposing sensitive data and putting the company at risk. A much worse finding is that 47% of organizations have limited or no visibility into how company data is being moved or transferred outside the network.
Lack of Security Awareness Among Employees
A lack of information security awareness can turn employees into extremely dangerous insider threats. Unfortunately, awareness is also difficult to implement and to evaluate because of its intangible nature. Training non-security personnel, informing them about data security risks as well as their rights and obligations concerning data security, is a must, but security professionals must also remember that this has to happen on a regular basis, not as a one-time thing. Education can be very effective in spreading awareness among employees and establishing an internal security culture. So, infosec pros, please remember that assuming employees already know the internal data security policies is one of the surest ways to fail at protecting data.
No Data Classification
Another huge mistake most organizations make is not classifying their sensitive data. Data classification is vital for data protection and regulatory compliance. Not knowing which data is confidential, which sensitive data needs to be protected, and where it is stored makes protecting that data difficult. Data needs to be classified into categories relevant to the business according to clearly established criteria, and for that it is essential that all business unit managers are given the opportunity to provide input. Consider a simple scenario such as transferring files out of the company network: it is clear how the lack of data classification, or of any other kind of filtering of sensitive data leaving the network, can turn into a big problem. All employees need to know which corporate data is confidential, sensitive or public and, more importantly, data movement must be monitored and controlled with a Data Leakage Prevention solution. Financial and accounting files, business strategies, client details, partner and employee databases, and other information can be classified as strictly confidential; once in the wrong hands, such data can negatively affect the company's image and integrity.
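The classification and egress-filtering scenario above can be made concrete with a small content-based classifier. The following is an added example written for this article, not code from the original post or from any DLP product: it tags a piece of text as public, sensitive or confidential using constructed rules (a confidentiality marker, Luhn-validated payment card numbers, bulk email addresses), then applies a constructed egress policy per channel (USB, cloud, email). The category names, thresholds and policy table are assumptions chosen for illustration; a real DLP deployment would derive them from the business unit input the article recommends.

```python
import re

# Constructed detection rules (assumptions for this example, not a product's rule set).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # candidate card numbers, with spaces/dashes
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")        # email addresses (rough match)
CONFIDENTIAL_MARKERS = ("strictly confidential", "internal only", "do not distribute")
BULK_EMAIL_THRESHOLD = 3                                  # assumed: 3+ addresses = contact/employee data


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalized (digits-only) card numbers that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> tuple[str, list[str]]:
    """Classify text into the three categories the article names, with the reasons found."""
    lowered = text.lower()
    reasons = []
    marker_hit = any(marker in lowered for marker in CONFIDENTIAL_MARKERS)
    if marker_hit:
        reasons.append("confidentiality marker")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} payment card number(s)")
    emails = EMAIL_RE.findall(text)
    if len(emails) >= BULK_EMAIL_THRESHOLD:
        reasons.append(f"{len(emails)} email addresses")

    if marker_hit or cards:
        label = "confidential"
    elif reasons:
        label = "sensitive"
    else:
        label = "public"
    return label, reasons


# Constructed egress policy: what each category may do on each channel.
POLICY = {
    "public":       {"usb": "allow", "cloud": "allow", "email": "allow"},
    "sensitive":    {"usb": "block", "cloud": "block", "email": "allow"},
    "confidential": {"usb": "block", "cloud": "block", "email": "block"},
}


def egress_decision(text: str, channel: str) -> dict:
    """Classify the content and look up the policy decision for the requested channel."""
    label, reasons = classify(text)
    return {"label": label, "reasons": reasons, "channel": channel,
            "decision": POLICY[label][channel]}


if __name__ == "__main__":
    # Constructed sample documents; 4111 1111 1111 1111 is a well-known test card number.
    samples = [
        ("Quarterly newsletter: the office is open on Friday.", "cloud"),
        ("Business strategy 2024 - STRICTLY CONFIDENTIAL", "usb"),
        ("Contacts: a@example.com, b@example.com, c@example.com", "usb"),
        ("Card: 4111 1111 1111 1111 expires 12/27", "email"),
    ]
    for text, channel in samples:
        print(egress_decision(text, channel))
```

The point to take from the example is the ordering: a decision is only possible because the content was classified first. Without the labels, the policy table has nothing to key on, and every transfer to a USB stick or cloud app is either blindly allowed or blindly blocked.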
No Data at Rest and in Use Protection
When thinking of ways to protect data, many businesses give primary importance to covering data in motion (data being transferred over the Internet) and overlook that many employees should not have access to certain data in the first place. Many also ignore the protection of data in use, which can contain digital certificates, encryption keys, intellectual property (software algorithms, design data), PII, and other critical information.
Data in transit or data in motion is information that flows over the public or untrusted network such as the internet and data which flows in the confines of a private network such as a corporate or enterprise Local Area Network (LAN). (Source: Wikipedia)
Data at rest is inactive data that is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices etc.). (Source: Wikipedia)
Data in use is active data stored in a non-persistent digital state typically in computer random access memory (RAM), CPU caches, or CPU registers. (Source: Wikipedia)
A complete security implementation should include all states of digital data.
Encryption, Data Loss Prevention, data classification, Mobile Device Management, secure authentication along with a security awareness culture in place play a key role in protecting the three types of data.