Building a successful information security culture begins by asking yourself one simple question—and it probably isn’t what you expect.
For many companies, implementing a data protection plan is a necessary but overwhelming process. Concerns about expense, staffing, ROI, and even simply where to begin can sidetrack even the best intentions.
But if your organization is working to meet information security compliance requirements or depends on sensitive intellectual property (IP), letting data protection decisions slide isn’t an option.
Fortunately, you can make the entire process less painful—and more successful—by beginning the project with the right first step. And it might not be the one you expect.
Answer this Data Protection Question First
The most effective way to begin a data protection program isn’t by identifying which data loss prevention (DLP) or information security technology to invest in. No matter your company’s industry, size, or location, the first step should always be to answer this question:
What are your most critical data assets?
The answer informs everything about your data security program, from which technology to buy to which processes to prioritize.
For nearly every organization, these assets will fall into one of two categories:
- Personally identifiable information (PII) of clients, employees, or both
- Intellectual property (IP) that your business depends on
The easiest way to determine which category applies to you is to ask where your greatest financial risk lies. If your greatest area of risk is regulatory fines and loss of reputation, your critical data assets are most likely PII. If the bigger threat is loss of revenue through competitive espionage or loss of unique processes or products, then IP is probably your biggest asset.
Where to Focus: Information Security Compliance or Intellectual Property?
Each category is exposed at a different point in the data lifecycle. For PII, the most important question is where and how you store the data, that is, data at rest. (Hint: If your organization is losing sleep over GDPR, CCPA, or the New York SHIELD Act, you likely fall into this category.) For IP, your focus should be on how, where, and by whom the data is transmitted, that is, data in motion.
Suppose you’re in the insurance industry. You must comply with multiple regulations regarding the protection of PII. Failure to do so will result in stiff fines and could even threaten your company’s reputation. The first step in any data protection effort must be to identify where you store these critical data assets.
This step often comes as a shock when organizations realize data isn’t where they think it is. You might be under the impression that your company’s and customers’ PII is safe and sound on servers in your corporate environment, only to discover that, thanks to shadow IT (personal cloud storage, unsanctioned SaaS tools, exported spreadsheets on laptops), the data, or copies of it, sit outside your security perimeter.
In this case, the most urgent action in your data protection initiative is to define and document where PII may be stored, to use the technology and tools you already have to enforce that process, and to protect those approved storage locations. Until you can find the copies that exist outside them, you cannot claim the data is protected. You might not even need licensing for security products or features that do more than that, at least not yet.
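Finding the copies described above is a data-discovery problem: walk the storage you can reach, classify each file for PII, and flag anything outside the approved locations. The following is an added example, not code from the original page or from any vendor product. The directory layout, the file contents, the detector patterns and the list of approved roots are all constructed for illustration; a production classifier would add context keywords and broader format coverage.

```python
import os
import re
import tempfile
from pathlib import Path

# Narrow detectors for three common PII types. SSN_RE rejects area numbers that are
# never issued (000, 666, 900-999); card candidates are additionally Luhn-checked.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop 13-16 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count PII indicators in a text blob."""
    counts = {"ssn": len(SSN_RE.findall(text)), "card": 0, "email": len(EMAIL_RE.findall(text))}
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            counts["card"] += 1
    return counts


def scan_tree(root: Path, sanctioned_roots: list) -> list:
    """Inventory every file under root that holds PII and mark whether its location is approved.

    sanctioned_roots are directory paths relative to root (posix form), e.g. ["servers"].
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            counts = classify(full.read_text(errors="ignore"))
            if not any(counts.values()):
                continue  # no PII indicators, nothing to inventory
            sanctioned = any(rel == s or rel.startswith(s.rstrip("/") + "/") for s in sanctioned_roots)
            findings.append({"path": rel, "counts": counts, "sanctioned": sanctioned})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample tree: one approved server export, one copy that leaked into a
# personal sync folder (the shadow-IT case), and one harmless document.
SAMPLE_FILES = {
    "servers/crm/db_export.csv": "id,name,ssn,card\n1,Ann,123-45-6789,4111 1111 1111 1111\n",
    "users/alice/Dropbox/customers copy.csv": "Bob,234-56-7890,bob@example.com\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
}
SANCTIONED = ["servers"]  # assumed policy: PII may live only under the server share


def demo() -> list:
    """Build the constructed tree in a temp directory and return the discovery findings."""
    root = Path(tempfile.mkdtemp(prefix="pii-scan-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return scan_tree(root, SANCTIONED)


if __name__ == "__main__":
    for finding in demo():
        status = "approved location" if finding["sanctioned"] else "OUTSIDE approved locations"
        print(f"{finding['path']}: {finding['counts']} ({status})")
```

The point of the `sanctioned` flag is that the scan output doubles as the gap list for the storage policy: every unsanctioned hit is either a copy to delete or a location the policy forgot to cover.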
In contrast, suppose you work for a manufacturing company. Your organization relies on unique IP—a product, idea, formula, or even a process that helps you attract and maintain your clientele. What happens if an unscrupulous subcontractor finds a way to transfer that IP to your biggest competitor? Or if a disgruntled employee decides to take it with them when they leave the company? Or if a careless click on a phishing email exposes your network to hackers?
In this situation, your data protection strategy might focus on data transmission even more than on storage. How do employees, vendors, and subcontractors access sensitive data? Do you have controls in place to prevent transmission outside the organization? If not, your first step should be to implement the processes and permissions needed to lock down such transmission. Begin by monitoring how employees and third parties are handling data, which destinations they send it to, and in what volumes, so that the controls you add are based on observed behavior rather than guesswork.
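The monitoring step above is concrete enough to show as detection logic over egress logs: parse each upload event, flag uploads to destinations that are not on the approved list, and flag users whose upload volume in the window exceeds a threshold. This is an added example, not code from the original page or from any product. The log format, the host allowlist, the 50 MiB threshold and the sample events are all constructed assumptions; a real deployment would feed this from a proxy or CASB export and tune the threshold per role.

```python
import re
from collections import defaultdict

# Assumed policy inputs: destinations sanctioned for sensitive data and a per-user
# upload budget for the log window being examined.
ALLOWED_HOSTS = {"sharepoint.corp.example", "git.corp.example", "erp-vendor.example"}
VOLUME_THRESHOLD = 50 * 1024 * 1024  # 50 MiB
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log: "<timestamp> key=value key=value ..." with no spaces in values.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; bytes_out becomes an int."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = m.group("ts")
    fields["bytes_out"] = int(fields.get("bytes_out", "0"))
    return fields


def detect(lines: list) -> list:
    """Return alerts for unapproved upload destinations and for per-user volume breaches."""
    alerts = []
    uploaded = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev["method"] not in UPLOAD_METHODS:
            continue  # downloads and reads are not transmission out of the organization
        uploaded[ev["user"]] += ev["bytes_out"]
        if ev["host"] not in ALLOWED_HOSTS:
            alerts.append({"rule": "unapproved_destination", "user": ev["user"],
                           "host": ev["host"], "bytes_out": ev["bytes_out"], "ts": ev["ts"]})
    for user, total in uploaded.items():
        if total > VOLUME_THRESHOLD:
            alerts.append({"rule": "volume_threshold", "user": user, "bytes_out": total})
    return alerts


# Constructed sample: an employee copying to personal cloud storage, a subcontractor
# using a file-transfer site, and an employee pushing an unusually large volume to an
# approved host (approved destination, but the volume still deserves a look).
SAMPLE_LOG = [
    "2024-05-02T09:15:22Z user=jdoe method=POST host=sharepoint.corp.example bytes_out=20480 path=/upload",
    "2024-05-02T09:41:03Z user=jdoe method=POST host=drive.google.com bytes_out=31457280 path=/upload",
    "2024-05-02T10:02:10Z user=vendor_acme method=PUT host=erp-vendor.example bytes_out=2097152 path=/api/v1/docs",
    "2024-05-02T10:05:44Z user=vendor_acme method=POST host=wetransfer.com bytes_out=4194304 path=/api/v4/files",
    "2024-05-02T11:20:00Z user=mlee method=PUT host=git.corp.example bytes_out=62914560 path=/repo.git",
    "2024-05-02T11:25:13Z user=mlee method=GET host=drive.google.com bytes_out=512 path=/",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design choices worth noting: only upload methods count toward the volume budget, so a browse to a personal storage site is not itself an alert, and the volume rule fires even for approved hosts, because the approved destination is where an insider with legitimate access is most likely to stage data before it leaves.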
How to Optimize Data Protection ROI
Now that you know what your next steps should be, you’ll need to make sure you have the capabilities in place to accomplish those tasks. If you haven’t already purchased data protection technology, you can save money by licensing only the functionality you need to map and secure your critical asset storage and to control data transmission. Then, you can build more mature and customized policies and rules on top of those foundational elements.
An incremental approach can reduce your initial capital expenditure, speed ROI for that investment, and make the entire project more attractive to company stakeholders.
What if you’ve already acquired a security solution but aren’t sure how best to implement it to achieve these goals? If you’re looking at a complex product or you don’t have a data protection expert on staff, consider using the expertise of a managed data protection services provider to get the most out of your technology investment.
Be sure that the managed services provider is experienced with the product you’ve purchased and can help you establish KPIs that will measure the progress you’re making with these initial steps. Doing so will make the process smoother and help you maintain executive buy-in for your information security project.
Start Where You Are
Building a compliant and robust information security culture can be a challenge. But an experienced data protection partner can provide a manageable, incremental path to building data security as quickly and painlessly as possible. Regardless of how you establish and ramp up your program, the most important step is the first one. Get started now.
Want to learn more?
Please feel free to reach out to our experts anytime for objective and practical answers to your questions.