Last month news broke that a data breach of 44,000 Federal Deposit Insurance Corp. customers was caused by an employee leaving the agency. Fortunately, the FDIC discovered the breach before information was disseminated, but the incident is a reminder that enterprises need to understand the data held within their business.
Simple employee negligence poses a serious cybersecurity threat that could have implications as damaging as a breach caused by a malicious actor. "There is always the external risk of a hack or breach from outside, but a lot come from insiders as well," said Dana Simberkoff, chief compliance and risk officer at AvePoint.
In order to determine the best controls to protect your data, you need to understand the data in context. "Every organization has sensitive data. Employee records, intellectual property, medical records. The first thing to understand is the life cycle of data in your business," Simberkoff said.
Determining how the data is being created is the first step toward implementing better practices that will protect these valuable assets.
Simberkoff said it is important to determine where the data is coming from. "Is it created within or coming from the outside? Knowing the source of the data they are protecting is what we see in mature data protection systems," she continued.
Once security practitioners have an understanding of the original source of the data, they can best decide where it should live, with whom it can be shared, how it can be accessed, and how it should be destroyed.
"There are so many considerations when it comes to data sovereignty requirements and cross-border data transfer restrictions. Are you storing data on premises or in the cloud?" Simberkoff said.
While most data should have some sort of end to its life cycle, some enterprises are guilty of data hoarding. "Data should be disposed of appropriately and only kept for reasonable business purposes then archived or deleted. As long as you have the data, you have to protect it," Simberkoff said.
Data hoarding creates a big data problem for the enterprise: the more data you hold, the greater the risk that a bad actor targets your enterprise, and the more time you must spend protecting data that often no longer holds its original value to your organization.
Simberkoff said, "Considering 'a day in the life of a document' is a good practice that will help you to classify your data and understand where it goes, who has access to it, and how long it should be there."
One classic problem that has led to many breaches is the assumption that someone else is responsible for protecting data at different stages of its existence. "I just put it here and someone else takes care of it. Everybody thinks it's somebody else's job," Simberkoff said.
If security practitioners get a good sense of what the business is doing today and know how users are interacting with data as part of their jobs, they can better determine security policies. "Instead," said Simberkoff, "they jump right to policy without understanding how people do their work. We work with large companies regularly that have strict policies around data, but users do whatever they want and the data is everywhere."
Simberkoff recommended having a common set of questions for business users. Thinking about what kind of responsibility your users can have and how technology can help will drive better security practices.
"Look at existing policies and procedures. There is often very little connection between security and how the business is operating. Many organizations have these ivory tower policies that don’t reflect a day in the life of a business user," said Simberkoff.
Security policies need to be reflective of what you do, particularly if you have a breach. The enterprise should have policies and procedures that can be tracked, measured, and evaluated, and Simberkoff said, "It has to be top down and bottom up."
This article is published as part of the IDG Contributor Network.