Cyber Resilience and Data: Mitigating the Risk of Unauthorized Access, Theft, and Loss of Data
In the past several years, data has reached new levels of importance and value as organizations become increasingly more reliant on data to run their business. This has made data resilience a top priority for these organizations.
While many organizations look to regulations and compliance frameworks to understand their data resilience requirements, data resilience requires a much more holistic approach. Data resilience must start with a deep understanding of the data your organization has, creates, and maintains, while also understanding the value of that data. Without a comprehensive understanding of your organization’s data, it’s difficult to know what to protect, how to protect it, or which regulations may apply. Good data resilience practices result in compliance, not the other way around.
Data resilience isn’t just about regulated information either. In addition to regulated data, every organization has its crown jewels to protect. Product designs, trade secrets, and other intellectual property will be difficult to recover if lost.
Historically, people tend to think of data resilience as being synonymous with backups. However, in the modern world, data resilience expands beyond simply ensuring data is backed up. It includes protecting data as it’s in use, which requires understanding who needs access to data, when they need access to it, and how that data is protected throughout its journey. This includes retaining and purging data appropriately.
Potential Consequences of Data Loss and Breaches
The consequences of data loss and data breaches can be significant in terms of lost time, money, and reputation, especially if you’re in a regulated industry or working with regulated data. Every organization processes some amount of personally identifiable information (PII), where a breach will result in fines and fees, which can be substantial. Organizations are also at risk of reputational loss, even if the compromised data isn’t regulated. If you expose a customer’s or partner’s trade secrets, it can erode your standing with existing and prospective clients. In addition, most data legislation dictates that breached organizations must provide several years of identity protection services to individuals whose data was exposed, which is another potential cost.
Data loss and exposure can also significantly disrupt operations. If your crown jewels are compromised, can you even do business? This type of disruption is difficult to recover from and can result in the loss of clients and business. Additionally, if a breach puts you in violation of contract terms, for example, being able to produce a certain number of components and equipment on time, the organization can be at risk for legal action.
Common Gaps in the Protection of Data
In general, organizations understand the need to protect data that is known to be highly sensitive, but most organizations aren’t able to effectively identify and protect all of their data throughout its lifecycle within their environment.
Many organizations written security policies direct employees to store sensitive data in a secure location in a secure manner. Oftentimes, there’s no monitoring or controls in place to prevent an employee from putting a sensitive document or spreadsheet in a less-secure file sharing platform.
Another common gap is data that doesn’t have a defined owner — someone who’s responsible for the information. Data that doesn’t have a defined owner is hard to identify within the environment and makes it difficult to understand who should have access to it. Therefore, it’s difficult or impossible to adequately protect.
Taking a compliance-only approach as a data protection strategy has its gaps because if you don’t know your data, you don’t know what laws apply to it. In addition to HIPAA and GDPR, all 50 states have data privacy laws. If you’re in Minnesota and keep data about customers in California or the European Union, you may be bound by regulations in those jurisdictions. It’s not just one or two sets of regulations you need to follow.
Data Discovery and Classification (DDC)
Data protection becomes significantly easier when the location of data is known and the data is classified. Data discovery and classification tools help organizations understand where data lives and the journey of data within your organization — the inflows and outflows of data — which is critical when developing a data resilience strategy.
There needs to be general agreement, from the executive level on down, as to what data exists in the environment and how it should be protected. This requires involvement from more than just your IT department because IT doesn’t know the value or importance of specific data sets as well as the people who work with the data on a regular basis.
The benefit of data discovery and classification — and mapping out the processes of how data gets created or ingested — is the ability to manage the lifecycle of data throughout the organization — protecting it in storage, protecting it in use, and purging data that’s out of date.
Once you know where your data is and what it is, you can be more effective in determining what regulations the data is subject to and what controls to put in place to effectively and successfully implement a data loss prevention solution.
How DDC Works
Typically, DDC tools work by connecting to cloud and internal applications to crawl through file shares, workstations, laptops, and SaaS apps to discover information in your environment and classify data based on the content of data files. For example, if an HR database contains social security numbers, a DDC tool can categorize and monitor it to ensure that if an unauthorized user tries to access it, the organization can take action, whether it’s to send an alert or block the activity.
Another aspect of DDC is end user behavior analytics (EUBA), which monitors how data is used by different roles throughout the organization. Anomalous behavior, such as a user opening thousands of documents at once, can be identified.
DDC isn’t a one and done activity. It runs all the time to help ensure that the same data isn’t copied across multiple locations. The DDC process may reveal that you have many more copies of data than you expected that are stored in inappropriate locations with the wrong people having access to it. This is a common scenario.
Getting Started with your Data Resilience Program
To get started on your own data resilience program, it’s best to start with data discovery and classification.
It’s not necessarily an easy project. It requires having a plan for the upkeep, management, and tracking of data and the ability to classify data in real time or near real time. That’s a hard pill to swallow when you’re knee deep in other security projects.
But it can be worth the effort because when you know your data, you can start to shape priorities around next steps for data security because you have better clarity on what to protect and what’s subject to regulation.