There are a handful of steps, many common sense, that companies should take following a data breach. Naturally, following an established remediation plan, understanding what happened, and initiating an investigation around a breach are critical incident response steps.
Adopting a data-centric frame of mind when it comes to security shouldn’t be too far down a CISO’s To Do list either. Instead of focusing strictly on the security of networks, servers, and applications, to prevent future breaches, organizations should consider the value of the data they handle.
Regardless of what it is – research, intellectual property, employee login credentials, customer social security numbers, or patient health information – no matter the industry, the security of that data is paramount.
It wasn’t just Equifax. 2017 set a record for both the most breaches and the most data compromised in a year. According to a recently published report, there were 5,207 breaches totaling 7.89 billion compromised records last year.[1] It’s been said before and will be said again: these days breaches are practically inevitable.
Often, it’s not a matter of “if” a company is going to be breached, it’s a matter of “when.” Breaches may be unavoidable, but losing data doesn’t have to be.
There’s been a groundswell around taking a data-centric approach to security for the last several years for a good reason: it’s the future. Companies are moving past traditional firewalls and anti-virus software that mostly focus on one thing: securing the endpoint. Instead, firms are focusing on what matters – and what attackers are really after – by identifying, controlling, and securing sensitive data assets.
Developing an organizational data taxonomy is one of the essential first steps to building a secure organization. Once you’ve structured your company’s business data, you can begin to truly extract its value.
Ask yourself: Which data carries the most risk? There are numerous ways to break it down. Some data can be classified as confidential or restricted, private, or public.
Merchants that accept credit cards oversee a wealth of information traditionally viewed as confidential. Organizations like banks, processors, hardware and software developers, and point-of-sale vendors have to be compliant with PCI DSS, the Payment Card Industry Data Security Standard. Statutes and regulations protect other types of data. In the instance of electronic protected health information, or ePHI, any health data produced or saved electronically is regulated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Classifying data can help establish what information is important and what type of security controls are appropriate when it comes to safeguarding the data.
After you’ve decided which data is the most valuable, tag it and apply access rights or privileges. Implement robust policies that not only enforce standards and best practices but also keep data, whatever it is – confidential emails, files, source code – from leaving the greatest point of risk, the endpoint.
Defining proper access controls is ultimately one of the best ways to prevent data leakage. It’s sometimes the only way to adequately help prevent both insider and external threats.
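The classify-then-tag-then-control sequence described above (data taxonomy, owner-assigned labels raised by content scanning for the card numbers and SSNs the article names, role-based access rights, and an egress check so labelled data does not leave the endpoint) can be sketched as a small policy engine. The block below is an added example, not code from the article or from Digital Guardian; the labels, roles, trusted destination and sample records are constructed for illustration, and the card-number detector is the standard Luhn checksum over 13-19 digit runs.

```python
"""Added example: a minimal data-classification and access-control policy engine.

Labels, roles, the trusted destination and the sample records are assumptions
made for illustration; they are not from the original article.
"""
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Set, Tuple


class Label(IntEnum):
    """Ordered sensitivity levels; higher means more restrictive."""
    PUBLIC = 0
    PRIVATE = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed role-to-clearance mapping; a real one comes from the organisation's taxonomy.
ROLE_CLEARANCE = {
    "anonymous": Label.PUBLIC,
    "employee": Label.PRIVATE,
    "finance": Label.CONFIDENTIAL,
    "payments-admin": Label.RESTRICTED,
}

# Assumed internal store that CONFIDENTIAL and RESTRICTED data may be sent to.
TRUSTED_DESTINATIONS = {"vault.corp.example"}

# 13-19 digits, optionally separated by single spaces or hyphens, ending on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in AAA-GG-SSSS form, excluding the area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Record:
    name: str
    text: str
    owner_label: Label = Label.PUBLIC  # label the data owner assigned when tagging


def classify_record(rec: Record) -> Tuple[Label, Set[str]]:
    """Start from the owner's label; content findings can only raise it, never lower it."""
    label, tags = rec.owner_label, set()
    if find_card_numbers(rec.text):
        tags.add("PCI")
        label = max(label, Label.RESTRICTED)
    if SSN_RE.search(rec.text):
        tags.add("PII-SSN")
        label = max(label, Label.CONFIDENTIAL)
    return label, tags


def access_allowed(role: str, label: Label) -> bool:
    """A role may read a record only if its clearance meets the record's label."""
    return ROLE_CLEARANCE.get(role, Label.PUBLIC) >= label


def egress_allowed(label: Label, destination: str) -> bool:
    """PUBLIC/PRIVATE may leave freely; anything higher only to a trusted store."""
    return label <= Label.PRIVATE or destination in TRUSTED_DESTINATIONS


def redact(text: str) -> str:
    """Mask card numbers to their last four digits and SSNs to their last four."""
    def mask_card(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    text = CARD_RE.sub(mask_card, text)
    return SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], text)


# Constructed sample records (4111 1111 1111 1111 is a well-known Luhn-valid test number).
RECORDS = [
    Record("press-release.txt", "Acme announces quarterly results.", Label.PUBLIC),
    Record("staff-directory.csv", "name,desk\nJ. Doe,4-112", Label.PRIVATE),
    Record("payroll-export.csv", "J. Doe,123-45-6789,5200", Label.PRIVATE),
    Record("pos-receipt.log", "sale 19.99 card 4111 1111 1111 1111 expires 12/29", Label.PUBLIC),
]

if __name__ == "__main__":
    for rec in RECORDS:
        label, tags = classify_record(rec)
        print(f"{rec.name:22} {label.name:12} {sorted(tags)} "
              f"employee-read={access_allowed('employee', label)} "
              f"egress-to-mail={egress_allowed(label, 'mail.example.com')}")
        print("   redacted:", redact(rec.text).replace("\n", " | "))
```

The point of starting from the owner's label and letting content scanning only raise it is that tagging and detection reinforce each other: a payroll file an owner marked merely "private" still ends up confidential once an SSN is found, and a receipt log nobody thought to tag is restricted as soon as a card number appears.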
A good data-centric security approach secures data at rest, in transit, and in use. When coupled with solutions that complement that approach, like technology or a security awareness program, taking a data-focused view on security can be enormously valuable for an organization.
After you’ve embraced data classification, the rest of the dominoes around a comprehensive data-centric security program can fall. Organizations can implement data loss prevention (DLP) technology, cloud access controls, encryption, and data visibility strategies – whatever fits – in order to complement a successful program.
[1] “Year End 2017 Data Breach QuickView Report,” Risk Based Security, February 6, 2018
Doug Bailey is the Chief Strategy Officer at Digital Guardian. He has a reputation as a world-class growth agent who deeply understands technologies and worldwide markets, has successfully developed product and go-to-market strategies, has formulated and scaled profitable revenue-generation capabilities, and has executed successful exit strategies. Before joining Digital Guardian, Doug held numerous senior leadership roles within Intel McAfee, which he helped launch into the security information and event monitoring space. He also led the acquisition of NitroSecurity, where he served as Executive Vice President.