Information security professionals know that balancing data protection and business operations is an art. It requires knowledge of the rules, technologies and best practices that are available to create an optimally secure environment, and it demands an understanding of the nuances and fluctuations of human interactions and business workflows in your specific environment.
As midsize and larger enterprises face dramatically increasing threats from cybercrime—and by extension, more demanding regulatory requirements—they must adopt a data protection strategy that meets the needs of both regulators and internal users.
Information security leaders can help their organizations achieve an effective data protection program with a two-phase approach that addresses the concerns of both executive stakeholders and users.
Phase 1: What Is Your Risk Appetite?
To define and build the data security program that works best for the organization, information security leaders need to take their company stakeholders through a series of questions to define the company’s risk appetite, that is, how much risk you can tolerate in order to let data be shared and used in regular business operations. Start by asking your executive team questions like these:
Zero Trust: What does data protection look like for us?
Today’s most comprehensive data security programs employ a Zero Trust model. This approach, defined in 2010 by Forrester Research analyst John Kindervag, centers on the idea that you should not automatically trust any entity, outside or inside your organization. Every connection or transaction that involves data is checked against a defined policy before it is allowed.
Such a model is effective because it moves organizations away from a perimeter-only approach and acknowledges the potentially devastating consequences of data loss originating inside the organization. But establishing a Zero Trust model requires your stakeholders to agree on how strict they want their monitoring and enforcement practices to be.
For example, you could eliminate the risk of data leaving by email by blocking all outbound email. Of course, that is not a realistic solution, so businesses instead establish rules and policies that govern the storage, use, monitoring, and movement of data.
Casting our net: How much data monitoring will we do?
With unlimited resources, information security teams and engineers can configure and tune rules and analysts can monitor event traffic all day. And with a very broad set of policies, they may do just that: monitor event traffic all day—to the exclusion of other duties.
What we really need to determine is how wide a net we want to cast. Very broad policies will catch a lot of events, and a significant majority of those will likely be false positives or authorized business activity. That high volume may be acceptable if teams have the resources to handle it and inspect the content carefully, because a wide net lets us find activity and data risk that a narrow policy would not surface.
The potential downside is that if we do not have a team large enough or efficient processes in place, then we may never have eyes on the data. If an analyst does not review it, the result is the same as if the activity never generated an alert.
In contrast, a narrow net will be well defined and allow us to take action on specific data that are on their way out of the organization. With a narrow policy, we will have a high level of confidence in what an alert is telling us, even before an analyst reviews it. The potential downside of this approach is that we may miss some data on its way out because our scope is too narrow.
Make sure your stakeholders have the conversation about the need to balance wide and narrow policies and the actions that will be taken to protect data, including encryption, quarantine, or blocking actions entirely.
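To make the wide-versus-narrow trade-off concrete, here is an added example (not part of the original article, and not InteliSecure code) that scores three hypothetical DLP policies against a handful of constructed, analyst-labelled messages. The policies, the regular expressions, the sample traffic and the corporate domain `corp.example` are all assumptions made up for the illustration; the point is the shape of the result: the wide policy misses nothing but floods the queue with false positives, the narrow policy is trustworthy but blind to anything outside its exact pattern, and adding destination context (external recipient) is one way to move between the two.

```python
"""Wide vs. narrow DLP policies scored against labelled sample traffic."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Message:
    recipient: str
    body: str
    sensitive: bool   # analyst ground truth, used only to score the policies


INTERNAL_DOMAIN = "corp.example"  # assumed corporate mail domain

# Constructed sample traffic for illustration only; none of it is real data.
MESSAGES = [
    Message("hr@partner-payroll.example", "Onboarding: SSN 123-45-6789 for the new hire.", True),
    Message("me@gmail.example", "Backup of my employee file. Social security: 987654321", True),
    Message("friend@personal.example", "Attached the confidential roadmap deck, do not share.", True),
    Message("vendor@example.net", "Order confirmed, tracking number 400123456789.", False),
    Message("alice@corp.example", "Internal: SSN 123-45-6789 verified against the HR record.", False),
    Message("bob@example.org", "Invoice #200345678 is due Friday.", False),
    Message("carol@corp.example", "Reminder: the quarterly report is confidential until release.", False),
]

# Content matchers (assumed, deliberately simple).
ANY_LONG_NUMBER = re.compile(r"\d{3}-?\d{2}-?\d{4}|\d{9,}")      # SSN-like or any 9+ digit run
STRICT_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # exact ddd-dd-dddd format
SSN_CONTEXT = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)


def is_external(recipient: str) -> bool:
    """Destination context: anything not addressed to the corporate domain is leaving."""
    return not recipient.lower().endswith("@" + INTERNAL_DOMAIN)


def wide_policy(m: Message) -> bool:
    """Wide net: any SSN-like or long number, or the word 'confidential', to anyone."""
    return bool(ANY_LONG_NUMBER.search(m.body)) or "confidential" in m.body.lower()


def narrow_policy(m: Message) -> bool:
    """Narrow net: a strictly formatted SSN, a confirming keyword, and an external recipient."""
    return (is_external(m.recipient)
            and bool(STRICT_SSN.search(m.body))
            and bool(SSN_CONTEXT.search(m.body)))


def contextual_policy(m: Message) -> bool:
    """Middle ground: keep the broad content matchers but require an external recipient."""
    return is_external(m.recipient) and wide_policy(m)


def score(policy: Callable[[Message], bool], messages=MESSAGES) -> dict:
    """Return alert volume, analyst workload (false positives), misses, precision and recall."""
    alerts = [m for m in messages if policy(m)]
    true_pos = sum(1 for m in alerts if m.sensitive)
    total_sensitive = sum(1 for m in messages if m.sensitive)
    return {
        "alerts": len(alerts),
        "false_positives": len(alerts) - true_pos,
        "missed": total_sensitive - true_pos,
        "precision": true_pos / len(alerts) if alerts else 0.0,
        "recall": true_pos / total_sensitive if total_sensitive else 0.0,
    }


if __name__ == "__main__":
    for name, policy in [("wide", wide_policy), ("contextual", contextual_policy), ("narrow", narrow_policy)]:
        s = score(policy)
        print(f"{name:>10}: {s['alerts']} alerts, {s['false_positives']} false positives, "
              f"{s['missed']} missed, precision {s['precision']:.2f}, recall {s['recall']:.2f}")
```

Run as a script, the wide policy alerts on all seven messages (four of them false positives) and misses nothing; the narrow policy raises a single alert that is certainly real but misses two of the three genuine exfiltration attempts; the contextual policy sits between them. In a real program the labelled set would be the alerts your analysts have already triaged, and re-scoring candidate policies against it is how you tune toward the appetite your stakeholders agreed on rather than guessing.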
Keeping up: How are we able to allocate our resources?
We also have to consider our own team’s resourcing capabilities and have honest conversations about what we are able to do.
- Do we have the ability to keep analyst eyes on glass 24/7?
- Are we able to protect data through automatic encryption or quarantine and then enable release by an analyst, instead of just blocking emails or content and disrupting the business?
- Do we have a regular update meeting with stakeholders to confirm the types of data and channels our security team is monitoring and to highlight any potential gaps or gray areas for the program?
- Can we leverage that business relationship to help us get to the root of, and fix, broken business processes?
Digital Transformation: How can we control data movement?
One of the simplest ways to consider risk appetite is to ask how we are letting users share data. As more people want to share content over email, in cloud storage such as Kiteworks and OneDrive, and through shared business apps such as Google Docs and Office 365, it is crucial that we define the corporate-approved methods for sharing and make sure those methods are easy for employees to use.
By doing this, we can restrict the flow of data to authorized and secure channels and still keep the company running.
Addressing these fundamental questions can help you get your executive stakeholders in agreement so that you can design a workable data protection strategy. The next step, then, is to communicate that strategy to users in a way that they will adopt and support.
Phase 2: Get Users on Board with Data Protection Best Practices
The good news about enforcing your data protection strategy is that people generally want to do the right thing. When we start our information security communications by reminding employees of the value of the data they handle—and empowering them with tools to do business safely and securely—employees will feel less restricted and instead feel enabled.
That doesn’t mean that changing the ways that users interact with data is going to be easy. If an organization has been open, unaware, or careless for many years, then their risk posture may take some time to improve. It takes diligence and care to effectively communicate and adapt to an aware and secure culture.
- Step 1: Set the data classification policy. Starting with the ground rules that you defined in Phase 1, define all types of sensitive data and establish clear roles, rules, and policies for the storage, use, and sharing of those data.
- Step 2: Publish and communicate data protection information to employees. Start by reminding users that the data they are handling are valuable and that protecting data is important. Then, communicate the approved processes for using and sharing data securely. Knowing the value of the data we handle helps us understand the risk associated with handling it, validates the importance of our jobs, explains why security controls matter, and makes clear why that data needs to be sent securely.
- Step 3: Provide methods to securely share sensitive data. When the way data is monitored changes and certain actions are blocked, the resulting business and process disruptions will frustrate users. Be sure to have corporate-approved solutions, apps, and platforms ready so they can share data safely. Keep the lines of communication open and collaborate with users regularly to gather new data protection ideas that work for the business.
- Step 4: Help people buy in to securing data. Change can be especially difficult when a person has been doing something a certain way for many years, then has to change because that process puts the company or data at risk. Nobody likes being told they are wrong! Use automated reminders and provide learning tools to help users understand and learn new data handling processes.
Leverage Experts to Maintain Data Protection Effectiveness
Mastery of the art of data protection doesn’t happen by accident. Organizations that have successful data security programs know that those programs require constant and diligent review, practice, and revision to remain effective.
Be sure to establish an ongoing review process that leverages the expertise of information security experts from both inside and outside your organization to ensure your program will meet the needs of your business today and into the future.
Learn from the Experts
Over more than 15 years, InteliSecure has helped organizations build successful data protection programs across different environments, industries, regions, and company sizes. Contact us to learn how we can help you execute the steps needed to create and maintain effective, compliant data protection.