Five steps to preventing sensitive business data loss
BY Mark Stevens
While today’s data breaches may differ in terms of attack type and origin, they all produce the same result—significant data loss. Data is the lifeblood of most modern companies and the long-term negative impact on those who suffer breaches demonstrates just how serious the issue of data loss has become today.
But as hackers continue to get smarter and more persistent, what can companies do to protect their information? Below are five recommendations that will help your company keep its sensitive data out of the wrong hands.
1. Identify Where Sensitive Data is at Risk
Your customers, business partners, and investors will ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where confidential data, including information contained on mobile devices, could be at risk.
You don’t have to conduct this risk assessment yourself. Proven services in the market can quickly help you understand all the locations where sensitive data lives within your company and how it’s being used.
2. Don’t Rely on the Traditional Network Security Focus
Almost 100 percent of large companies have security programs that start and end “on the network.” Why? Because it’s easier. Racking a security device on the network causes very little organizational friction. Yet the IT teams in these companies spend almost every day purposely punching holes in the network. VPNs are a common example; their widespread use makes them popular targets for attackers due to the high number of potential entry points and often lax attitude towards security from users.
These inevitable holes mean the network will always be vulnerable to attackers.
Add this to the fact that many employees operate in a mobile environment and demand access to sensitive information on their phones and tablets, devices that traditional network security measures don’t protect.
A layered approach to security is becoming increasingly important for companies, with device-focused technologies such as mobile device management (MDM) playing a pivotal role.
3. Focus on Data Protection Solution
According to Forrester’s The Future of Data Security: A Zero Trust Approach report, “In this new reality, traditional perimeter-based approaches to security are insufficient. Security and Risk (S&R) professionals must take a data-centric approach that ensures security travels with the data regardless of user population, location, or even hosting model.”
Several proven data protection solutions on the market ensure security travels with the data. Called data loss prevention (DLP), these types of solution help classify data, put a usage policy against it and strictly enforce it. But DLP is no longer optional for any company wanting to protect sensitive customer data. This is the reality of the environment in which we now live and work.
If you make it fractionally harder to steal sensitive information, or render data useless once outside the network, attackers will move to another company that presents an easier target. Several leading analyst companies, including the above mentioned Forrester, are changing the conversation when it comes to data protection. As data remains the target and its attack surface continues to grow larger than ever before, protecting that data must be at the core of any company’s security approach.
4. Consider Outsourcing Your Data Protection.
A way around challenges associated with implementing advanced data protection strategies is to outsource to a managed security provider. Many of these companies have deep DLP expertise and proven infrastructure, meaning you can concentrate on your business while they keep your data secure. They can also improve your security posture much faster than if you implement data protection solutions yourself. If your IT team is already stretched, a managed security approach gives you the comfort of knowing that customers’ data is being protected without taking valuable staff time. They can also provide the assurances demanded by customers, banks, and other security-sensitive organizations.
5. Go Beyond Traditional Security Training with Positive Social Engineering.
Employee security awareness is a critical step to protect customer data. The key to effective employee security training is to go beyond slideware and annual refreshers. Innovative companies are using the prompting functionality in technologies to help employees self-correct all data use issues. For example, a customer recently reported an 85 percent decrease in data usage policy violations after six months of using real-time, pop-up dialogue box prompts. Sometimes all employees need is a simple, real-time reminder of what corporate policy is, and how they can adhere to it.
Customers and business partners will increasingly demand that companies show proof of ongoing security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realizing that the weakest link in their security posture may not be within their perimeter walls but rather inside the walls of those they choose to do business with. If you follow these steps, not only will you be able to demonstrate how you’re protecting their data, you’ll also be in a position to use your advanced security posture as a differentiator with new customers.
Mark Stevens is the senior vice president of Global Services, Digital Guardian.