Published On: October 17th, 2023 | 13 min read | Categories: Breach

5 Ways to Ensure Your Enterprise Data Security Strategy is Fit for Purpose

It’s never been more important for large enterprises to have a comprehensive data security strategy. In today’s environment, the majority of cybercriminals aren’t out merely to cause disruption – they’re specifically targeting firms’ most valuable digital assets, either to sell on for direct financial gain or to use as extortion material.

As a result, it’s vital that cybersecurity strategies are updated to focus on protecting sensitive data from the newest tactics being used by today’s highly organized hacker and ransomware groups, who are constantly refining their skills to evade traditional methods of detection.

Why is Enterprise Data Security Important?

Put simply, the costs of failing to protect your enterprise data from cyberthreats can be enormous. For the largest companies, mitigation and recovery efforts can easily run into millions or even tens of millions of dollars, and the repercussions can last for years, with reputational damage, regulatory penalties and class-action lawsuits all contributing to ongoing costs.

For example, the costs of Equifax’s 2017 breach included a $575 million settlement with the FTC in 2019, which included a minimum of $300 million in compensation to affected users. Meanwhile, in the UK, British Airways was hit with a £183 million fine from the regulator after customer financial details were stolen, though this was later reduced to £20 million on appeal.

What are the Primary Threats That Enterprise Data Protection Aims to Mitigate?

Most security incidents start in an employee’s inbox, which is why a good email security strategy is vital. However, firms also have to deal with a range of other challenges, including insider threats and accidental data leaks, such as lost or stolen devices or sending emails to the wrong recipient.

Another major issue is managing the scale of data they possess. For most firms, the volumes of information they have to deal with will have grown exponentially over recent years. Big data applications are now commonplace for even relatively small firms, and according to Statista, enterprise data volumes more than doubled between 2020 and 2022.

As a result, they have become highly tempting targets for hackers. In previous years, the goal would often have been to target data such as personal and financial information like credit card details and Social Security Numbers. However, this is not as lucrative as it once was, so hacking groups have moved on to new tactics, primarily based around extorting businesses with the threat of publicly releasing information unless firms pay a ransom. 

This means any type of private data will be at risk. However, for large enterprises that may have huge data lakes, it will not be practical to apply the toughest levels of protection such as advanced data encryption to all of it. Therefore, a data classification audit to identify the most important assets will be a must.

Why Solutions Must Evolve to Protect Complex Organizations

A key challenge for many enterprises is that their existing security landscape was built for an earlier time. Many programs may have been designed when an organization was smaller, or prior to it undergoing significant changes in how it operates. What was fit for purpose even a couple of years ago may no longer be up to the job.

For example, the post-pandemic era has seen a huge increase in trends such as remote and hybrid working, which opens up a wide range of additional – often unprotected – endpoints for cybercriminals to target. These strategies often also depend on cloud data to keep employees connected wherever they are, again offering another target for hackers to attack. 

Legacy tools that were primarily designed to protect a relatively small, well-defined network perimeter therefore need to be reassessed. What’s more, as hacking techniques evolve to evade traditional defenses, it is becoming harder for firms to keep threats out altogether. Therefore, a defense-in-depth approach that takes a deeper look within the enterprise’s network is a must.

What are the Data Security Challenges That Enterprises Face?

As companies evolve and grow, a range of new challenges opens up. Larger businesses mean more users and touchpoints, and these often require a different approach to data security. Therefore, understanding where any new gaps may appear is critical to building a modern data protection solution.

What Does the Cloud Mean for Enterprise Security?

One area that must be considered is the cloud. Almost every enterprise now operates cloud services to a greater or lesser degree, and firms are increasingly moving highly sensitive data to these services.

Figures from Thales, for example, show that 75 percent of businesses currently report that at least 40 percent of data stored in the cloud is sensitive. However, only 45 percent of this is encrypted, and as 39 percent of businesses suffered a data breach in their cloud environment last year, this could be leaving many enterprises dangerously exposed.

Even if cloud services use strong data encryption, there are still essential steps that firms must take to ensure security when operating in the cloud. A major challenge is that these tools expand the network perimeter. In a mobile-first world where data can be accessed from anywhere on any device, it will not be possible to deploy geo-blocking or only allow approved devices to access data. 

Therefore, the focus must shift towards monitoring, identification and authentication management and the use of anti data exfiltration (ADX) tools to protect data being accessed remotely or in the cloud. 

Why Must You Include Your Supply Chain in Your Data Security Strategy?

Another critical factor to remember is that as businesses grow and add new suppliers, partners and consultants to their operations, this also greatly increases who has access to a network, whether this is through applications or directly by individuals.

Most businesses will have a wide array of companies in their supply chain with the ability to access their corporate data, and many of these are likely to be small and medium-sized enterprises that will not be able to dedicate the same level of resources to their security measures.

Hackers are well aware of this, which is why targeting these suppliers in order to piggyback their way into the network of a larger enterprise is a tried and tested method of enacting a data breach. Suppliers such as managed services providers are particularly tempting targets as these often have widespread access to an enterprise’s network.

To guard against such attacks, it’s important for firms to take a zero-trust approach to their architecture that includes comprehensive access controls and monitoring.

Five Steps to Developing an Enterprise Data Security Strategy

In order to address these cybersecurity challenges and avoid a potentially costly data breach, there are a series of steps that businesses must take. A good data protection plan will be wide-ranging, covering everything from accidental data loss to how to respond if first lines of defense fail. 

However, there are a few essential steps that no program can afford to overlook. Here are five key data governance and protection areas enterprises need to address to stand the best chance of defeating hackers.

Perform an Audit to Assess Your Current State of Data Security

A critical first step must be to have a complete understanding of exactly what data you possess, where it’s stored and processed, and how it’s currently secured. You can’t protect what you can’t see, yet almost all enterprises suffer from ‘shadow IT’ to some extent, where individual teams of employees adopt their own unauthorized storage solutions or applications.

The UK’s National Cyber Security Centre offers specific guidelines on how to conduct a data discovery and risk assessment, with an emphasis on finding this data and bringing it within the scope of enterprise security solutions, rather than reprimanding staff for using unsanctioned devices or services.

Remove Stale Information and Implement Secure Backups

When you understand what data you have and where it lies, you can set about determining which of it is actually necessary. It’s easy for scope creep to result in businesses holding on to information long after it is no longer directly useful to operations – but this does not mean it will not be of interest to hackers, especially if it contains valuable personal data.

Data protection regulations such as GDPR have strict rules on when personal data may be retained, so any firm under the scope of this directive should already have policies in place for this. However, it’s important to extend this to other types of information to minimize the data footprint you have to protect.

For the data that is necessary, effective backup policies are a must. This is vital if you fall victim to ransomware attacks that corrupt or delete data. However, you must take steps to ensure that your backups themselves are secure and free from malware, as many hackers will now try specifically to target these resources in order to shut off this method of recovery.

Address Weak Access Management Policies

Preventing unauthorized access to your sensitive data isn’t just about stopping hackers at the perimeter. It also means guarding against dangers that are already within your network. This may include criminals who’ve been able to bypass defenses through the use of compromised credentials, as well as the risks posed by an insider threat – i.e., someone with legitimate access to your system who may want to do harm.

To address these issues, strong access control policies are essential. This should include basic safeguards such as the use of strong passwords and multi-factor authentication to ensure hackers cannot use stolen credentials to bypass defenses. 

However, it should go beyond this with concepts such as the principle of least privilege, which ensures account holders are not able to access data that is not necessary for their work. Strong monitoring tools to spot any suspicious login attempts or access requests are also important in preventing criminals from getting their hands on sensitive information.

Focus on Reducing Human Error Through Employee Training

As the recent attack on MGM Resorts (the latest in a long line of threats targeted at the gambling sector) shows, all it can take is one mistake for even a large enterprise to be badly compromised. In that case, the breach was said to be the result of a voice phishing (or vishing) attack, but there is a wide range of other social engineering tactics cybercriminals can use to gain passwords, bypass access controls or even convince employees to hand data over directly.

Email phishing attempts may be the most common, but as the MGM Resorts attack shows, this doesn’t mean other avenues should be overlooked. And as human error is a factor in around 95 percent of data breaches, enterprises need to ensure they have a comprehensive strategy in place to educate employees about the risks and what telltale signs they need to be on the lookout for.

Prevent Compromised Data From Leaving the Network

One final line of defense should be ensuring that even if hackers are able to bypass perimeter defenses and gain access to data, they will not be able to use it. This means putting in place dedicated ADX solutions that prevent cybercriminals from actually stealing the information they find.

If they can’t get data off a network, common and lucrative tactics such as double extortion ransomware are made impossible. Without the ability to blackmail enterprises, the primary motivation for targeting businesses disappears, so hackers may quickly move on to other targets.

While traditional data loss prevention tools offer some solutions here, they are often not agile enough for today’s environment. These centralized platforms are often costly to install and maintain and create more disruption to day-to-day activities. But with behavioral-based ADX tools that can operate on every endpoint, including mobile devices, and study every activity for suspicious signals, enterprises can shut down any data theft attempt before information is able to leave the network.
