Cybersecurity: Four steps CIOs can take to minimise data loss
With cyber-attacks on the rise most IT professionals acknowledge it’s no longer a question of if their organisation will get hacked, but when.
Last year the cyber-attack toll hit an all-time high. According to research by Risk Based Security, 2017 saw a record-breaking 5,000 cyber breaches and resulted in a staggering 7.89 billion records being compromised. Big brand names like Verifone, Verizon, eBay, Uber and Equifax all fell victim to breaches that exposed the personal data of millions of people.
That’s a worrying trend for organisations as they prepare for the EU’s General Data Protection Regulation (GDPR) go live in May 2018. Indeed, determining how to handle data-breach notifications and preparing data-protection impact statements (DPIAs) has been front of mind for many C-suite business leaders in recent months.
In response, many CIOs have invested significant effort and resources on securing networks, applications and endpoints in a bid to keep the cyber criminals out and data safe.
But in today’s digital world, where predictable IT controlled networks are increasingly a thing of the past and it’s impossible to prevent every attack - despite deploying advanced threat protection – it’s time to stop trying to protect everything and instead start focusing on what matters most. Your most important data.
Four years ago, industry analyst Gartner recommended CIOs adopt a data-centric approach to enterprise data security. Today there are indications that companies are at last beginning to move beyond focusing on traditional endpoint security products such as firewalls and anti-virus software and utilising data-centric audit and protection approaches to mitigate breach threats and compliance issues.
Let’s explore the top four data-centric security steps that CIOs should take.
Step 1: Understand what data you have and where sensitive data is located
It’s impossible to protect data effectively without knowing what’s there in the first place. You need to understand where sensitive data is located, how it flows across the organisation and where it is put at risk.
In other words, you need to understand the taxonomy of your organisation’s data – the who, where, what, why, and how of where your data sits, who can access it, how it’s used. Because once your data has been structured and modelled, it’s easier to evaluate and protect.
Step 2: Classify your sensitive data
Using tiered categories such as Confidential, Restricted, Private and Public will ensure sensitive data is classified so it can be appropriately stored and protected.
Organisations that need to adhere to strict industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS) will already be familiar with the concept of implementing effective risk-based security as it relates to keeping sensitive or personal data secure.
Classifying data will help you determine what information is important and what type of security safeguards and controls need to be put in place.
Step 3: Monitor and control sensitive data
Defining proper access controls is the key to preventing data leakage and is often the only way to adequately prevent insider and outsider threats. Following classification, data will need to be tagged and appropriate access rights or privileges applied.
This will enable the implementation of data-centric audit and protection when data is used or at rest; this will include activity monitoring, access management and logical control security technologies.
Step 4: Apply additional technologies to boost data security
Having embraced data classification and access controls, it’s time to close the circle on your comprehensive data-centric security programme. This process should include the application of data loss prevention (DLP) technology, cloud access controls and encryption as well as the implementation of system, user and data visibility tools that give context to data movement – key to protecting sensitive data from all threats, internal or external.
Bolster this with end-user training that educates the employees who create or use your organisation’s data. This will make it easier for staff to understand your data policies and why it’s important that they don’t attempt to circumvent the processes you’ve put in place.
As traditional approaches to security become less effective, it’s time to look at security from the viewpoint of data. Adopting a data-centric security stance essentially means shifting focus from networks and in-house IT infrastructures to the sensitive data that needs to be protected within the enterprise.
It’s a profoundly different approach that involves looking at sensitive data in a new way and taking greater care over how this data is handled and distributed.
Protecting data begins with gaining a deep understanding of your data and how it is used and using this intelligence to drive the most effective approach to protecting sensitive data from all threats.
CIOs will benefit from adopting this new streamlined approach to data security that makes it easier to defend data against unauthorised access or usage and integrate data security with business processes that will benefit and protect the organisation as a whole.
- » Signs of the 'always-on' culture: Poorly performing mobile devices put employees' health at risk
- » Microsoft stirs AI and mixed reality into the Dynamics 365 pot with greater enterprise focus
- » This enterprise secure messaging platform – with zero knowledge architecture – may be a Keeper
- » How Mead & Hunt transformed its IT operations through virtual desktop infrastructure
- » Transitioning your data centre to the cloud: A CIO's guide