A 5-Step Action Plan for DSPM

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Karthik Krishnan of Concentric AI drums up a 5-step action plan to establish strong data security posture management (DSPM).

October is Cybersecurity Awareness Month, and every year, most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed, and these best practices can no longer be the bare minimum.

The sheer number of threats to your data — both external and internal — is increasing exponentially, so maintaining a robust data security posture is paramount. From a data protection standpoint, perhaps the most difficult challenge to address is that business-critical data worth protecting now takes so many different forms. Intellectual property, financial data, business confidential information, PII, PCI data, and more create a very complex environment.

Traditional data protection methods, like writing a rule to determine what data is worth protecting, are not enough in today’s cloud-centric environment. And think about how easy it is for your employees to create, modify, and share sensitive content with anyone. Your sensitive data is constantly at risk from data loss, and relying on employees to ensure that data is shared with the right people at all times is ineffective.

In fact, according to the 2023 Verizon Data Breach Investigations Report, 74 percent of all breaches involve the human element — either via social engineering error, privilege misuse, or use of stolen credentials. Concentric AI’s own 2023 Data Risk Report research reports that, on average, each organization had 802,000 data files at risk due to oversharing — that’s 402 files per employee. The risk to data is enormous.

As Cybersecurity Awareness Month approaches, it’s a good reminder that data security posture management (DSPM) is critical for organizations to implement for visibility into actionable insights on how to mitigate data security risk. DSPM empowers organizations to:

• Identify all sensitive data
• Monitor and identify risks to business-critical data
• Remediate and protect that information

A 5-Step Action Plan for Data Security Posture Management

The following DPSM checklist combined with new initiatives for Cybersecurity Awareness Month can help you create a comprehensive five-step guide through Awareness, Action, and What You Need to Know:

1. Data Sensitivity: The Foundation of Security

• Awareness: It is critical to be able to discover and identify your at-risk data. Knowing where your sensitive data resides is the first step in securing it.
• Action: Host workshops and webinars to educate employees about the types of sensitive data (PII, IP, etc.) in your organization, and why it’s crucial to protect them.
• What You Need to Know: Understanding the types of data you’re handling can make a huge impact. Employees should be aware of what constitutes sensitive data and the risks associated with mishandling it. Workshops can cover topics like data classification, secure handling of PII, and the importance of data encryption.

2. Contextual Awareness: More Than Just Data Types

• Awareness: Organizations must be able to understand the context of their data. Data is not just about types but also about the context around it.
• Action: Use real-world examples to show how data can be misused if taken out of context. Encourage employees to think before they share.
• What You Need to Know: Context matters. Data that seems harmless can become a security risk when placed in a different context. Employees need to be aware of and trained to consider the broader implications of the data they handle, including how it interacts with other data and systems. For example, consider an employee’s first name. On its own, a first name like “John” seems harmless. But combined with other pieces of data such as a last name, email address, or office location, it can be used to craft a convincing phishing email. Imagine if you receive an email that addresses you by your full name and references your specific office location or recent company activities. It would appear legitimate and could trick an unsuspecting employee into revealing sensitive information or clicking on a malicious link.

3. Risk Assessment Drills: Preparing for the Worst

• Awareness: Organizations need to understand where there is risk to sensitive data in order to protect it. Knowing the vulnerabilities can help in crafting better security policies.
• Action: Conduct mock drills to simulate scenarios where sensitive data might be at risk due to inappropriate permissions or risky sharing. This happens far more often than you think.
• What You Need to Know: Mock drills can help employees understand the real-world implications of data breaches. These drills can simulate phishing attacks, unauthorized data sharing, and even insider threats. The key is to help employees understand the importance of following data security protocols. Hint: while employees need to know these implications, your organization should be leveraging solutions that reduce the burden on employees.

4. Permission Audits: Who Has Access?

• Awareness: Organizations need to be able to track and understand data lineage and permissions. Knowing who has access to what data is crucial.
• Action: Dedicate a week to auditing and correcting data permissions across all platforms. Make it a company-wide initiative.
• What You Need to Know: Regular audits of data permissions can prevent unauthorized or risky access to sensitive information. During Cybersecurity Awareness Month, make it a point to review and update permissions, ensuring that employees have access to only the data necessary to do their jobs. The principles of least privilege and zero trust are applicable here.

5. Actionable Insights: The Path Forward

• Awareness: Finally, organizations need to be able to take action and remediate any risk. Proactive measures can significantly reduce the risk of a data breach.
• Action: Share weekly insights on the company’s data risk posture. Highlight any successful remediations as well as areas that need attention.
• What You Need to Know: Transparency is critical. Sharing insights about the company’s data risk posture can empower employees to take individual actions that contribute to the organization’s overall security. Celebrate the wins, but also highlight any underlying risks that need to be mitigated.

Cybersecurity Awareness Success: Combining Security Awareness with Robust DSPM

Cybersecurity is a shared responsibility, and Cybersecurity Awareness Month is the perfect time to reinforce this message. Combining data security awareness with robust DSPM is key for keeping data secure. All organizations can achieve a strong level of data security via a solid cybersecurity awareness program, and by following tips and best practices in order to minimize the impact of a data breach. Having the best of both worlds is achievable with a security-aware workforce and a robust DSPM solution.