It’s a fast-changing digital world and security leaders can be certain of this much: Yesterday’s data protection strategy won’t suffice to meet tomorrow’s complex security demands.
Enterprises once could rely on network perimeters to defend the integrity of their confidential information. No longer. Data now lives and moves around a multiplicity of digital touch points, passing between the cloud, the Internet of Things and myriad mobile devices that may or may not be secure.
(Nico Popp, Symantec's SVP, Information Protection, explains this trend and its implications for the enterprise in this video talk: https://embed.ustudio.com/embed/DTkChBHtXcx2/UPulVrTLDTBC)
The potential attack surface grows larger all the time. And with so much data now existing outside of what was the traditional defense perimeter, enterprises must plan to defend their information.
No easy task, but you can pull together the components of an information-centric security plan by including the following five items in your checklist:
1. Prioritize information assets based on business risks
Organizations need to invest sufficient time in assessing what data is valuable to them and the business risk of a data breach. This should be the starting point of any security conversation, because it gives the business visibility into which data needs to be protected and what that data is worth. For example, a business risk for a healthcare company might be regulatory exposure from the loss of protected health information (PHI) by negligent hospital staff.
So, before anything else, identify the most important information assets and prioritize them within your overall data protection strategy, which should incorporate various controls and protective measures across the data lifecycle.
At the same time, security teams should work closely with business leaders – those who are closest to the information – to fully understand the business requirements and the impact they may have on day-to-day operations, employee behavior and corporate culture.
2. Develop data protection policies for the most important assets
Confidential information can be anywhere in the organization. The task of tracking it all down and developing policies to protect it can be overwhelming. Nearly every organization we work with finds they are most successful with a controlled, staged rollout, with policies targeted at the highest-risk assets and the most vulnerable exposure points. So, go step by step.

First, meet with business units to define data protection goals and policy requirements. We recommend ranking major information types (e.g., corporate financials, engineering plans, customer PII) and then re-ordering them based on priorities for monitoring high-traffic channels such as email, web, cloud apps and endpoints. Next, determine approximate timelines for deploying policies. Be realistic and build in adequate time for security teams to tune new policies and minimize false positives, and for business units to get comfortable with process changes.
3. Deploy technologies that enforce policies and change end user behavior
No surprises here: An organization’s biggest security vulnerability is often its employees. Unfortunately, bad habits linger and many employees continue to flout best practices by reusing weak passwords, clicking on malicious links, and indiscriminately sharing files.
But the right combination of technologies can do more than enforce policies to comply with regulatory and legal obligations; it can also change end user behavior to drive down business risk.
Go beyond baseline network and application security such as firewalls and intrusion detection systems, and implement differentiated protection for information assets with data-centric security: multi-factor authentication, data loss prevention, cloud access security, encryption, and digital rights management.
4. Integrate data protection practices into business processes
It’s virtually impossible for data security technologies to be deployed effectively or efficiently in isolation. For your data protection strategy to be successful, it is essential to consider which business processes are critical to governing the use of information assets – such as product development, risk and compliance, and legal. The nuts and bolts of data protection at the information governance level are even more essential in advance of the new compliance requirements around data management, storage and security that take effect next May with the arrival of GDPR. Organizations need to align their data protection processes with their unique business processes and regulations.
5. Educate business stakeholders to create a culture of security
A successful data protection strategy requires more than just technology and processes. Security must be a shared interest and employees need to become invested in protecting the organization’s information assets.
Develop (or reinforce) a communication strategy that increases employees’ level of understanding of the kinds of data that are sensitive, their role in protecting it, and the impact that not protecting it can have on the business and their job.
The message to stakeholders and employees must be clear: protecting information is everyone’s responsibility. Failing to fulfill that responsibility could destroy the organization’s reputation.
What this means for your business
The challenge for organizations is to reduce the business risks associated with exposing information by targeting the right data, engaging the right people and employing the right technologies. Research firm International Data Corporation (IDC) released a whitepaper exploring the merits of an information-centric approach to protecting data throughout its lifecycle; the paper is available for download.