Risk assessments have become an essential part of compliance efforts with data protection legislation around the world. They are explicitly mandatory in the case of some regulations like the EU’s General Data Protection Regulation (GDPR), with data protection authorities around Europe issuing lists of data processing activities that would trigger the need for a data protection impact assessment (DPIA) in their country.
Companies looking to outsource data processing or hire third parties for various services have also begun requesting risk assessments as part of their vetting process. This is also a consequence of new data protection legislation that makes companies accountable for the sensitive data they collect. Data controllers, in particular, are held responsible for any data breaches that may occur and are likely to be fined, regardless of whether a breach is due to their own failure to protect sensitive data or that of third parties handling the data for them.
A good example of what can happen is the case of the SingHealth data breach in Singapore in which the personal data of 1.5 million healthcare patients was compromised. The Personal Data Protection Committee (PDPC) fined Integrated Health Information Systems (IHIS), the technology agency running SingHealth’s IT systems approximately $540,000, while SingHealth itself, as the data controller, was issued with a roughly $181,000 fine.
It is therefore crucial for data controllers to ensure that any company they do business with has an adequate level of data protection in place to avoid fines and other legal liabilities. One way they do this is by requesting that companies that want to work with them, provide them with risk assessments.
What is a data security risk assessment?
A risk assessment, in the context of cybersecurity and data protection, is the process of identifying, analysing and evaluating the risks data and a company’s IT infrastructure face. They are useful not only for compliance with data protection legislation but also to help organisations identify key vulnerabilities and build cost-effective efficient data protection strategies to meet them.
Risk assessments imply four main steps:
- Identifying all critical assets of a company’s technological infrastructure and how sensitive data is collected, stored and transmitted by these assets;
- Assessing the risks to the identified critical assets and determining how to efficiently allocate time and resources towards addressing them;
- Selecting the security controls to treat the identified risks;
- Implementing tools and processes to address the identified vulnerabilities and threats.
Although implementation is sometimes not considered part of risk assessments, it is their direct consequence. Once vulnerabilities are identified, companies must also prove they have addressed them.
How does Data Loss Prevention help with risk assessments?
Data Loss Prevention (DLP) tools have become an indispensable part of risk assessments. They support the identification stage by discovering and monitoring sensitive data in motion and at rest within the company environment. Solutions such as Endpoint Protector use Personally Identifiable Information (PII) scanners to search for, remediate, and monitor over 100 file types for sensitive data. Even more conveniently, some of its policies are already predefined for data protection requirements for regulations such as GDPR, PCI-DSS, or HIPAA.
DLP monitoring allows companies to identify not only where data is stored within their network, but also how it is being processed and used by its employees. This is an important aspect of risk assessment as many times the way an organisation’s workforce handles data is a major source of vulnerabilities.
This is due primarily to the fact most companies will have cybersecurity tools such as antivirus software and firewalls in place to deal with malicious outsiders, but will implicitly trust its employees to keep data secure. However, human error is the third biggest root cause of data breaches, accounting for no less than 24% of them.
By using DLP tools to monitor sensitive data movements, organisations can, therefore, identify problematic practices and develop improved data protection best practices and policies for their employees.
Taking remediation actions with DLP tools
DLP solutions also support the implementation phase of risk assessments by helping companies apply policies to remediate any vulnerabilities DLP tools discovered in the identification stage. In case of data at rest, this means data found on unauthorized computers can be deleted or encrypted by admins directly from their DLP dashboard.
When it comes to data in motion, DLP solutions offer the possibility of blocking the transfer of sensitive data over vulnerable channels such as file-sharing services, messaging applications, or email addresses outside the company network. Some DLP tools also offer device control options that limit or block the transfer of sensitive data through removable devices such as USBs, smartphones, external drives, memory cards, and more.
Risk assessments can sometimes be the only thing standing between companies and important new customers. By performing regular risk assessments, organisations can anticipate these new demands, improve their own data protection strategies, and take a significant step towards compliance with data protection legislation.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.