Even before the pandemic, data breaches were a common occurrence, with prominent companies suffering attacks that were regularly reported and analyzed. They have continued to surge, and data security is at the top of every organization’s mind. Due to the changing threat landscape as a result of a hybrid-remote working model that has created a wider attack surface, threat actors are increasingly successful in gaining access to sensitive data, and organizations are still struggling to implement adequate data security practices to avoid breach. Many of these organizations still tend to make critical mistakes with regards to data security that, if left unaddressed, can lead to drastic consequences for the entire business.
Mistake 1: Failing to understand the true threat against their employees, suppliers and ultimately, their data
Having a culture of security and privacy within an organization cannot be underestimated. If a top-down corporate strategy does not address and encourage data security or privacy beginning with the executive team, how can you expect the workforce to take data security and privacy seriously? Receiving a cybersecurity threat is now an ever-present reality. A classic example is clicking a phishing email in the inbox which now happens daily in most companies. All it takes is for one employee to make a mistake and click a phishing link and, before you know it, hackers are maneuvering through the system as they seek out your sensitive data or other items of information to leverage. This same mistake can be made by a third-party within the supply chain, too. Underestimating the cyber threats that exist will only lead to complacency and inevitably a costly data breach. To avoid such an event occurring, adopt a strong security culture—promoted and adhered to by the executive leadership team—that emphasizes the point that every employee, from the CEO down to the workforce, must take security seriously, with each and every digital maneuver made.
Mistake 2: Failing to train the workforce adequately
In order to achieve this strong data and privacy security culture, an organization must take it upon itself to train the workforce with proper investment into time, effort, and tools. Many organizations fail at this hurdle, and research has shown that a lack of training significantly increases the risk of human error. However, this doesn’t mean tomorrow you showcase a 20-slide presentation on security practices and have the workforce answer a 5-question quiz. This type of routine effort will just waste time and fail at reinforcing the core security messages. Security training needs to be facilitated through an enthusiastic, multi-pronged, proactive approach that provides ongoing security awareness. Some organizations outsource this service, while others manage this effort internally using various interactive teaching methods, including videos, quizzes, and games, to reinforce the data security and privacy message. By regularly focusing on the human element of security with positive reinforcement and endorsements by leadership, organizations will go a long way toward reducing the possibility of a devastating data breach. Security training should never be seen as a tick-the-box exercise; it must always be top of mind for each and every employee, from the most junior intern to the chairman of the board.
Mistake 3: Failing to view data security as a “business problem”
Business objectives and security operations must complement one another, and that includes data security. So, building the strongest security and privacy posture involves both functions having their strategies complement one another. From a business perspective, focusing on building a strong security culture will help reduce the opportunity for mistakes to a bare minimum, while the IT department can implement the strongest fail-safe policies, tools, and best practices across systems and critical assets. Viewing data security and privacy just as an “IT problem” will only lead to misalignment. The IT team alone cannot bear that burden, but neither can the workforce without dedicated IT support.
IT will certainly need the right tools to mitigate and neutralize a mistake or threat made by the business, and having data-centric security, in which security is focused on protecting data itself rather than borders and perimeters around sensitive data, is required. From a business view, this will negate any threats involving a malicious attacker gaining access to data, which again is an inevitability for most enterprises. Once in place, organizations should add additional layers of defenses that protect the perimeter including next-generation intrusion detection, user access controls, and other network security. From an IT outlook, on the other hand, to effectively prepare for a data breach, assume a breach is about to happen and understand what fail-safe procedures are in place to neutralize or mitigate the threat.
Mistake 4: Failing to have full visibility over data and access
A major mistake made when trying to implement data security methods occurs when the business fails to accurately assess the following: where the data is, how much data they have, and how that data is being accessed and used. With sensitive data especially, this is in violation of many governmental regulations, industry standards, and even internal compliance rules. Furthermore, how can you protect data if you can’t locate it? You can’t protect what you don’t know exists!
To help with this dilemma, seek automated data discovery and classification tools that detect and analyze the existence, usage, and lineage of enterprise data without first requiring knowledge of the data’s origin or location. Depending on initial seeding by humans about where data is or is not located is not a good way to start this process. Next-generation discovery tools are able to begin the process automatically without knowing where data might be.
With the data ecosystem being highly dynamic, there are many benefits to having automated data discovery and classification tools that match the fast-paced nature of this changing landscape. These include a timely response to Data Subject Access Requests (DSARs) and audits, risk mitigation, data governance, and compliance with key aspects of PCI DSS, GDPR, CCPA, and many other data privacy and protection regulations. In this day and age, your organization simply can’t comply adequately with regulations without knowing where all your sensitive data resides.
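The discovery-and-classification idea above can be made concrete with a small scanner. The following is an added example written for this article, not code from any product the article refers to: it walks a set of constructed "data stores" (here just lists of strings standing in for files and tables), classifies each value by pattern, and validates candidate card numbers with the Luhn check so that a 13-digit order number is not reported as a PAN. The store names, the sample records, and the three label names are all invented for the illustration.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Constructed pattern for US social security numbers in the common ddd-dd-dddd layout.
US_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test.

    Almost every real payment card number satisfies it, while a random run of
    digits passes only about one time in ten, so it cuts down false positives.
    """
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> list[str]:
    """Return the sorted list of sensitivity labels that apply to one value."""
    labels: set[str] = set()
    for match in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):          # pattern hit AND check digit OK -> treat as a PAN
            labels.add("PAN")
    if EMAIL_RE.search(value):
        labels.add("EMAIL")
    if US_SSN_RE.search(value):
        labels.add("SSN")
    return sorted(labels)


def scan_records(stores: dict[str, list[str]]) -> dict[str, dict[str, int]]:
    """Build an inventory: store name -> {label: number of records carrying it}.

    Stores in which nothing sensitive was found are left out, so the result
    is the list of places that need protection, access review, or cleanup.
    """
    inventory: dict[str, dict[str, int]] = {}
    for store, records in stores.items():
        counts: dict[str, int] = {}
        for record in records:
            for label in classify_value(record):
                counts[label] = counts.get(label, 0) + 1
        if counts:
            inventory[store] = counts
    return inventory


# Constructed sample data; the values are test-style placeholders, not real people or cards.
SAMPLE_STORES = {
    "crm/customers.csv": [
        "alice@example.com,4111 1111 1111 1111",
        "bob@example.com,no card on file",
    ],
    "hr/payroll.db": ["123-45-6789", "987-65-4320"],
    "logs/app.log": ["order 1234567890123 shipped", "healthcheck ok"],
}

if __name__ == "__main__":
    for store, counts in scan_records(SAMPLE_STORES).items():
        print(f"{store}: {counts}")
```

Run as a script it reports only the CRM export and the payroll database; the application log is skipped because its 13-digit order number fails the Luhn check. A real discovery tool adds connectors for file shares, databases and SaaS APIs and tracks lineage between them, but the classify-then-inventory shape is the same.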
Mistake 5: Being naïve to data security
Organizations must come to the realization that hackers will always find a way through perimeter defenses in order to gain access to a network. With more information and processes becoming digitalized, and the growth of digital transformation during the past 18 months, hackers are continuously taking advantage of the increased attack surface, much of which is largely porous. Statistics have even shown that they have stepped up their attack attempts in order to get through sophisticated security defenses. Businesses must now focus on the most valuable asset within the organization: the data. Take a proactive stance, think ahead, and plan for the worst-case scenario in which the defensive controls have been bypassed and the perimeter defenses will soon be breached. Given these assumptions, securing the data using data-centric security technology must be your approach (preferably using tokenization or format-preserving encryption), because applications can then work with the protected form of the data instead of the cleartext, and that protected form cannot be understood or leveraged even if it falls into the wrong hands.
With the business landscape continually evolving and the cyber environment in a highly volatile state, having a data-centric security solution that can adapt to these changes is essential for maintaining an advantage over cybercriminals. Data-centric security can “hold the line” in case all other defensive methods fail, because it protects the data itself by obfuscating sensitive data elements. Threat actors simply cannot leverage tokenized data for their advantage.
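What "the data itself is protected" looks like in practice is easiest to see with vault-based tokenization, one of the two techniques the article names. The code below is an added example written for this article, not the article's or any vendor's implementation: an in-memory vault hands out tokens that keep the length, the digit-only format and the real last four digits of a card number, the order table stores only tokens, and cleartext can be recovered only by an explicitly authorized role. The `TokenVault` class, the `payment-processor` role name, and the sample order are all constructed for the illustration; a production vault is an isolated, audited service, and format-preserving encryption (the article's other option) would derive the protected value from a key rather than a lookup table.

```python
import secrets


class TokenVault:
    """Minimal vault-based tokenizer (constructed illustration, not a product).

    The vault is the only place the cleartext lives. Application databases
    store tokens that look like the original field but carry no information
    about it, so a dump of those databases yields nothing usable.
    """

    DIGITS = "0123456789"

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit PAN")
        if pan in self._value_to_token:
            # Same PAN always maps to the same token, so joins and
            # "how many orders on this card" queries still work on tokens.
            return self._value_to_token[pan]
        while True:
            # Format-preserving: random digits for everything except the last
            # four, which are kept so staff can still confirm "card ending in 1111".
            prefix = "".join(secrets.choice(self.DIGITS) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and token not in self._token_to_value:
                break
        self._token_to_value[token] = pan
        self._value_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the role that genuinely needs cleartext may recover it; everyone
        # else (analytics, support, the web tier) works with the token.
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]


def store_order(vault: TokenVault, orders: list[dict], order_id: str,
                pan: str, amount: float) -> dict:
    """Write an order record that holds a token instead of the card number."""
    record = {"order_id": order_id, "card": vault.tokenize(pan), "amount": amount}
    orders.append(record)
    return record


def cleartext_exposed(orders: list[dict], vault: TokenVault) -> bool:
    """Simulate what a stolen copy of the orders table reveals.

    Returns True if any stored card field equals a cleartext PAN held by the
    vault; with tokenization in place this stays False.
    """
    known_pans = set(vault._value_to_token)
    return any(order["card"] in known_pans for order in orders)


if __name__ == "__main__":
    vault = TokenVault()
    orders: list[dict] = []
    # Constructed sample order using a well-known test card number.
    record = store_order(vault, orders, "o-1001", "4111111111111111", 42.00)
    print("stored record:", record)
    print("cleartext exposed by a table dump:", cleartext_exposed(orders, vault))
    print("processor recovers:", vault.detokenize(record["card"], "payment-processor"))
```

The point of the design is where the cleartext lives: only inside the vault, behind a role check, while every other system and every backup of them carries tokens. A breach of the order database therefore yields digit strings that are unusable on their own, which is the "hold the line" property the paragraph above describes.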
Companies today face an extremely complex threat landscape in which attackers seem to have the upper hand. In order to keep one or more steps ahead and avoid falling victim to large-scale data breaches, you should make sure to implement an efficient data protection strategy along with cultivating a healthy culture of data security and privacy, without cutting corners and without exempting certain people or groups from participating in that culture. If your professionals are aware of the mistakes they could make or even are making, they will be better prepared to avoid them and properly secure their activities—and your business.