Enterprises that collect the personal information of employees and customers have become attractive targets for cyberattacks and, because of their revenues, frequently fall within the scope of the new wave of data protection regulations. Facing the double challenge of data protection and compliance, enterprises have begun investing heavily in data security strategies but often choose to focus on external threats. In this article, Filip Cotfas describes six data security tips for enterprises.
And while external threats do account for approximately half of all data breaches, 49% of breaches are due to human error and system glitches, according to the 2019 Cost of a Data Breach Report released by the Ponemon Institute and IBM Security.
Enterprise data security can easily be compromised through employee negligence: an email sent to the wrong address, a USB drive forgotten in a public place, or files too big for an email attachment transferred through third-party services with poor security practices.
So what can companies do to ensure that their data is secure and protected, not only from outsiders but also from insiders? Here are six data security tips for enterprises.
1. Perform data auditing
Data auditing is the foundation of every good data protection strategy. The reason is obvious: before enterprises start working on data security, they must know what type of personal information they collect, where it is stored, and how it is used. By finding and monitoring sensitive data, companies can discover vulnerabilities in their data flow and make informed decisions when building their data protection strategies.
By addressing the risks identified, enterprises can also save money by implementing solutions tailored to the vulnerabilities their data faces within their network. Data monitoring can also reveal bad data security practices among employees, which allows companies to build more targeted and effective training.
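The "finding and monitoring sensitive data" step above is usually done with a discovery scanner. The following is an added example written for this article, not a product or the author's own tooling: it walks a directory tree, flags files that contain patterns resembling personal data (email addresses and payment card numbers), and uses the Luhn checksum to discard digit strings that merely look like card numbers. The sample files and the `demo()` helper are constructed for the example; the regular expressions are deliberately simple and would be extended in a real audit (national ID formats, phone numbers, structured-file parsing).

```python
"""Minimal sensitive-data discovery scanner (added example, not from the article)."""
import os
import re
import tempfile
from collections import Counter

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Counter:
    """Count email addresses and Luhn-valid card numbers in a text blob."""
    found = Counter()
    found["email"] += len(EMAIL_RE.findall(text))
    for candidate in CARD_RE.findall(text):
        if luhn_valid(candidate):
            found["card_number"] += 1
    return +found  # unary plus drops zero-count categories


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Map each file under `root` that contains PII to its per-category counts."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)   # cap read size per file
            except OSError:
                continue  # unreadable file; a real audit would log this
            hits = find_pii(data.decode("utf-8", errors="ignore"))
            if hits:
                results[os.path.relpath(path, root)] = dict(hits)
    return results


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="pii-audit-")
    os.makedirs(os.path.join(root, "hr"))
    samples = {  # constructed sample content
        "hr/contacts.csv": "name,email\nAna,ana@example.com\nBo,bo@example.org\n",
        "hr/payroll.txt": "test card 4111 1111 1111 1111 on file\n",
        "readme.txt": "no personal data here, ticket 1234567890123\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

The 13-digit ticket number in `readme.txt` matches the card regex but fails the Luhn check, so the file is not reported; that is the kind of false positive an audit tool has to suppress before its output is useful for classification and monitoring.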
2. Educate employees
Enterprises must ensure that employees understand the importance of data security and the reputational and financial consequences of a data breach. Training should be offered to all employees who directly handle sensitive data, making sure that they are aware of the best data security practices and the steps they need to take to avoid a potential security incident.
Employee training can be greatly improved by presenting clear scenarios that may occur in employees' day-to-day tasks. Practical advice that can be applied directly after the training ends is also an important part of any successful training exercise. Training can also be used to correct practices identified as potentially hazardous during data auditing.
3. Understand compliance and regulatory requirements
While a strong data protection strategy can keep an enterprise’s sensitive data secure, it does not necessarily mean that the enterprise is also compliant with data protection regulations. Indeed, many new laws such as the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) not only require that companies keep data secure but also grant data subjects new rights regarding their data, such as the right to be forgotten or the right to opt out of the sale of their personal information.
Data auditing may also show that a company does not require certain protection mechanisms, yet the law may still require it to implement them, regardless of whether they are useful to it or not. It is therefore essential that enterprises understand which compliance requirements apply to their sector and country and make sure that their data security strategies integrate them.
4. Protect data on the move
Many enterprises tend to focus their data security strategies on sensitive data found within the confines of their company network. However, as remote work gains popularity or is enforced during emergencies such as the recent COVID-19 pandemic, data protection strategies should also include policies that ensure that data stored on company devices stays protected whether those devices are in the office or not.
VPNs and data protection solutions that apply policies at the endpoint level, and therefore remain active outside company networks, are among the things enterprises should consider when building their data security strategies for remote work.
5. Control devices that connect to your network
Another blind spot in data security strategies is removable devices such as USB drives. Now a popular hacking tool and a frequently lost item, USB drives have been undermining companies’ data protection strategies for years. Enterprises have the option of blocking their use altogether by adopting device control tools that block or limit the use of peripheral and USB ports on company computers.
Alternatively, they can introduce trusted devices, allowing only company-issued removable devices to connect to a work computer. It is also possible to enforce encryption on all USB drives connected to a company endpoint, ensuring that every time an employee copies files onto a USB drive, the files are encrypted and inaccessible to anyone without the password.
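The "trusted devices" approach above, allowing only company-issued removable devices, can be illustrated with the Linux USB authorization interface. This is an added example written for this article, not the tooling of any vendor: on Linux each USB device appears under `/sys/bus/usb/devices/<dev>/` with `idVendor`, `idProduct` and `serial` attributes and a writable `authorized` flag (writing `0` detaches the device from its drivers). The script compares each device's vendor/product/serial triple against a company allowlist and de-authorizes anything that is not on it. The sysfs root is a parameter so the same logic can be exercised against a constructed directory tree; the vendor and product IDs and the serial numbers in `demo()` are constructed placeholders. In production this would run as root, and the hub's `authorized_default` setting should be set to deny so that unknown devices never enumerate in the first place rather than being detached after the fact.

```python
"""Trusted-device allowlisting via Linux sysfs USB authorization (added example)."""
import os
import tempfile
from typing import Dict, Optional, Set, Tuple

Triple = Tuple[str, str, str]  # (idVendor, idProduct, serial)


def read_attr(dev_dir: str, name: str) -> Optional[str]:
    """Read one sysfs attribute; None if it does not exist for this node."""
    try:
        with open(os.path.join(dev_dir, name)) as fh:
            return fh.read().strip()
    except OSError:
        return None


def device_identity(dev_dir: str) -> Optional[Triple]:
    """Return the (vendor, product, serial) triple, or None for non-device nodes."""
    vendor = read_attr(dev_dir, "idVendor")
    product = read_attr(dev_dir, "idProduct")
    if vendor is None or product is None:
        return None  # interface nodes such as 1-1:1.0 carry no IDs
    return (vendor.lower(), product.lower(), read_attr(dev_dir, "serial") or "")


def decide(identity: Triple, allowlist: Set[Triple]) -> str:
    """Allow only exact vendor/product/serial matches; everything else is blocked."""
    return "allow" if identity in allowlist else "block"


def enforce(sysfs_root: str, allowlist: Set[Triple]) -> Dict[str, str]:
    """Apply the allowlist to every device under sysfs_root; return the decisions."""
    decisions: Dict[str, str] = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if entry.startswith("usb"):
            continue  # root hubs (usb1, usb2, ...) are left alone
        dev_dir = os.path.join(sysfs_root, entry)
        ident = device_identity(dev_dir)
        if ident is None:
            continue
        verdict = decide(ident, allowlist)
        decisions[entry] = verdict
        # Writing 0 to 'authorized' detaches the device from its drivers.
        with open(os.path.join(dev_dir, "authorized"), "w") as fh:
            fh.write("1" if verdict == "allow" else "0")
    return decisions


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build a constructed fake sysfs tree, enforce a policy, and read back state."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-usb-")
    nodes = {  # constructed placeholder IDs and serials, not real devices
        "usb1": {"authorized": "1"},                                   # root hub
        "1-1": {"idVendor": "1234", "idProduct": "5678",
                "serial": "COMPANY-0001", "authorized": "1"},          # issued drive
        "1-1:1.0": {"authorized": "1"},                                # interface node
        "1-2": {"idVendor": "abcd", "idProduct": "ef01",
                "serial": "UNKNOWN-9", "authorized": "1"},             # personal drive
    }
    for name, attrs in nodes.items():
        os.makedirs(os.path.join(root, name))
        for attr, value in attrs.items():
            with open(os.path.join(root, name, attr), "w") as fh:
                fh.write(value + "\n")
    company_devices: Set[Triple] = {("1234", "5678", "COMPANY-0001")}
    decisions = enforce(root, company_devices)
    state = {name: read_attr(os.path.join(root, name), "authorized")
             for name in ("1-1", "1-2")}
    return decisions, state


if __name__ == "__main__":
    print(demo())
```

Serial numbers are compared exactly, since an allowlist keyed on vendor and product alone would accept any retail drive of the same model; a device that reports no serial gets an empty string and therefore never matches an issued device.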
6. Implement a data breach response plan
Finally, no data protection strategy is foolproof. Even the comprehensive CIS 20 Critical Security Controls can only prevent 97% of all data breaches. This is mainly due to the unpredictability of security incidents. A new software or hardware vulnerability can be discovered and exploited before it is patched, or a well-trained employee can be tired and make a careless mistake.
The most effective way to deal with a data breach is to plan ahead. By putting together a data breach response plan and testing it, enterprises can make sure that, if a data breach does occur, its causes are swiftly discovered, remediation actions are taken, and employees know exactly how to proceed. An efficient response to a data breach can save companies considerable expense and help mitigate the severity of a security incident.
Disclaimer: The author of this article is Filip Cotfas – Channel Manager at CoSoSys Ltd. All views expressed in the post are his own.