Executives Sleep Better at Night with a Comprehensive Data Protection Program
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Avani Desai of Schellman examines how a comprehensive data protection program can help executives get a better night’s sleep.
In today’s day and age, we’re all guilty of being laissez-faire with our data. Whether that be accepting a website’s cookies without reading the fine print, clicking a link from a friend without knowing its destination, sharing copious amounts of personal data on social media, or even giving those same social apps access to the microphone on our smartphone, these actions put ourselves and our employers at risk of a data incident.
Considering that, according to IBM, the average cost of a data breach has reached $4.35 million, a laissez-faire approach to data should be keeping executives up at night. If this is how people handle data in their personal lives, what’s to stop them from falling victim to the same habits while at work? While people are a business’s greatest asset, they’re also the biggest security threat.
Executives should be asking themselves, “How do I get my employees to treat business data with more caution and security than their own personal data?” The answer is to develop a comprehensive data protection program, train employees on data protection best practices, and ensure a security-first culture across the organization.
Developing a Comprehensive Data Protection Program
To compose a comprehensive data protection program, organizations first need to understand what data the business relies on most and what information would be most detrimental to the business if it were released to the public. To gain this understanding, businesses should conduct a formal and documented risk assessment, enabling them to identify critical assets and organizational risks to, in turn, create a data hierarchy. Because every byte of information is not going to be critical, it’s key for organizations to group their data into sensitivity groups such as:
- Restricted: Data whose compromise could lead to criminal charges, fines, or business damage, such as proprietary information or data protected by government regulations.
- Confidential: Data that requires specific authorization to access.
- Internal: Data accessible only to company personnel, such as process documentation, written internal communications, and business plans.
- Public: Data that is either freely accessible or deemed acceptable for distribution to anyone.
Once the company’s data has been organized into a hierarchy and assigned labels, the security team will be able to work alongside key process owners and management to ensure each classification is adequately protected.
Once the data is classified and protected, the next step is to determine who should have access to each classification. The risk of data fraud or loss is much greater when there’s no separation of access – users should only have access to information that is commensurate with their job responsibilities.
Even with all these procedures in place, data breaches are, unfortunately, still more likely than not. So, businesses also need to prepare for an incident by implementing a formal, tested, and documented business continuity and disaster recovery plan to ensure that data is not lost or leaked in the event of a breach.
Effectively Training Employees
To address an organization’s weakest security link – its employees – businesses need to ensure that they’re properly trained on data protection practices. A well-rounded security awareness program will provide employees at every level of the organization with knowledge and awareness of the classification levels of the data they interact with in their everyday jobs. Further, employees must be educated on what type of attacks to be aware of and what they look like so they can accurately report them.
Business continuity and disaster recovery teams also need dedicated roles and responsibilities for how to handle various data breach scenarios. For the entire organization to buy into these trainings, it’s important to understand that different generations will be receptive to different styles, as each has been shaped by the technology of its time. For example, Millennials and Generation Z tend to be technology-reliant for communication, meaning they’d be much more receptive to an online course than to an in-person, full-day training session. The in-person session would be much more appealing to Generation X or Baby Boomers, who place higher value on face-to-face communication and are more likely to retain information delivered in person. By offering different training options to the organization’s workforce, different generations of employees are able to choose the avenue that best suits them and, in turn, best protects the company’s data.
A Security-First Mindset Starts with Leadership and the Board
Paramount to the adoption of a comprehensive data protection program and effective employee training is a security-first culture instilled by the leadership team and board. Company leaders and board members set expectations for the firm, so by understanding the organization’s security posture and potential gaps, they are able to effectively implement that data protection strategy and employee training practices.
Additionally, to do this, leadership needs to be aligned with employees on overall business goals and holistic security practices, because any fragmentation due to miscommunication or lack of support will deteriorate a security-first mindset. In contrast, leaders with a security-first mindset are better able to understand and address the needs and concerns of their security team, such as needing new talent, reallocating funds, or even providing more funding, all leading to a more well-rounded, secure data protection program.
Many of us don’t think twice about logging on to a public Wi-Fi network, not using a privacy screen on electronic devices, skipping multi-factor authentication (MFA) setup, using the same password for all digital accounts, or ignoring the reminders on our phone and computer to back up our data. But in today’s technology landscape, these simple, easy, and lazy actions can put our data at risk. That’s not an option at work, considering the business consequences of a data breach. But, by implementing a comprehensive data protection program, training employees on data protection, and adopting a company-wide security-first mindset, board members and leaders don’t have to worry about a data breach stemming from employees’ laissez-faire attitude towards data.