Does Your Business Have an Effective Data Security Policy?

In today’s big data focused environment, a comprehensive information security policy is more important than ever. As well as dealing with increasing volumes of sensitive information, IT teams will need to manage data stored across a wide variety of systems, including cloud networks and personally-owned mobile devices. 

This can be a recipe for chaos if the right data protection solutions are not in place to guard against the loss or theft of sensitive data. Therefore, in order to take back control, a comprehensive data security policy to use as a roadmap is vital.

Put simply, a data security policy refers to all the practices and procedures you have in place to manage the usage, storage and monitoring of sensitive and personal information throughout the business. Its primary goal is to ensure this data is protected from risks, which can include the misuse of personal data, as well as cyberthreats such as malware, phishing, and ransomware.

However, while taking steps to keep data secure is a legal requirement, there are few fixed rules on how data security should be achieved. It will be up to each individual organization to draft its own best practices, including both the technology used to protect data and how employees interact with it.

A good data security policy is one of the first lines of defense against a wide range of cyberthreats, including – but not limited to – external hacking attacks, data theft and ransomware.

As such, it plays a vital part in meeting the increasingly tough data protection requirements now imposed on organizations of all types. Being able to demonstrate a firm has been following best practice can also be highly useful if a data breach is able to bypass defenses, as it can show the company was not negligent in its preparations. This is something that can be vitally important in minimizing any post-breach regulatory or legal actions.

A key advantage of these policies is their ability to govern access to the most sensitive information a business possesses. Exactly what this includes will vary from company to company, but generally, most firms will need to focus their attention on the following:

• Customer and employee records
• Personally identifiable information (names, addresses, Social Security Numbers, etc.)
• Health, genetic or biometric data
• Financial information, especially credit card details
• Intellectual property and trade secrets
• Operational information
• Supplier contracts
• Research and development details and other future planning

A data security policy will help ensure you can identify what sensitive data you possess, where it is located and who is permitted to view and use it. By implementing monitoring and management tools to control this, you can be quickly alerted to any unusual activities or unauthorized access attempts.

The principal benefit of a data security policy is minimizing the risk of a potentially costly data breach, which could easily run into millions of dollars in remediation and recovery costs.

It can also help protect sensitive information from specific threats such as data exfiltration. This is now a primary goal for many hackers, with our research indicating that last year, 91 percent of attacks sought to steal data.

Having a security policy can also help identify what tools will be required to prevent this, such as dedicated anti data exfiltration software, as well as setting out best practices for response.

It can also provide a clear mechanism for reporting if an employee spots anything unusual or believes they have been targeted by a phishing attack or other threat. If everyone within the company knows what to look out for and how to alert security teams safely, this helps improve the overall security awareness throughout the business.

Among the various financial costs that businesses can expect to see as a result of a data breach are:

• Direct ransom payments
• Cost of downtime/lost business
• Investigation costs and consultants
• Penalties from regulators
• Customer compensation (e.g. credit monitoring services)
• Class-action lawsuits
• Long-term reputational damage

While having a data security policy alone is no guarantee a firm won’t be breached, it will reduce the risks of human error, ensure that any intrusions can be spotted earlier and help shut down any data exfiltration attempts before they have a chance to remove the most sensitive information, preventing many of the above consequences.

Getting a data security policy right isn’t just about drafting a comprehensive document. Firms also need to ensure everyone within the businesses is aware of what it contains and what it means for their day-to-day work. This shouldn’t be restricted to IT teams – all employees need to be made aware of their responsibilities under the policy.

A good security policy solution also needs to be flexible enough to account for changing ways of working and the introduction of emerging technologies. Cybercriminals are constantly looking for new methods of bypassing defenses and new vulnerabilities are being uncovered all the time, so a static document will quickly become outdated and unfit for purpose.

There are a range of aspects that should be included within a data security policy. Among the essential sections of these resources should be guidelines covering the following:

• Data discovery and data classification – Where is company data held on your network and how is it classified according to its level of sensitivity?

• Data retention and use – This should identify all acceptable use cases for data and when it should be deleted once it has served its purpose.

• Data storage and transfer – Governs the locations in which data can and cannot be stored (e.g. personally-owned devices) and what protections such as encryption will need to be in place when it is in motion.

• Access management policies – Details access control policies for who is allowed to view data in order to do their jobs and what protections will be in place to authorize and monitor this.

• Roles and responsibilities – This will set out who has primary responsibility for data protection (a requirement under GDPR) and what everyone must do in the event a breach is discovered.

• Backup and data recovery procedures – This should provide detailed instructions for how often data is to be backed up, where these resources are stored, and how to recover it quickly as part of incident response processes.

• Security training policies – Should include a clear schedule for regular employee training and information about how the company will test that lessons and rules are being followed.

• Regulatory and legal compliance – Information about what industry regulations or other legal requirements apply, how compliance with these will be certified and maintained, and who will be responsible for communicating with regulators in the event of a breach. 

It can be easy to assume that once a data security policy is complete and all the above elements have been addressed, that’s job done. However, cybersecurity and data protection are ever-evolving. As well as having to contend with the constantly-shifting tactics of cybercriminals, growing businesses often add new premises, endpoints and storage solutions that may not be covered by an outdated policy.

Therefore, it’s recommended that any documentation be reviewed and updated at least once a year, or whenever there are significant changes within the business such as the adoption of new technologies or ways of working that will affect IT systems or security posture. It’s also important to keep up with any industry developments of changes to compliance rules that may also lead to the need to update the document.

Like reviewing the policy for any updates, employee training needs to be done frequently. As well as making sure all users are up-to-date on the latest rules, this training is also essential for ensuring that the messages sink in. This is why it can pay to test their responses on a regular basis, such as by sending out phishing emails to see who responds.

How firms train is also important. Many people may not be receptive to a one-sided lecture or presentation and quickly forget what was included. This doesn’t mean they weren’t paying attention, but different employees will have varying learning styles, so it’s useful to provide a range of options to ensure everyone understands their responsibilities and what to look out for.

When crafting a data security policy, there will inevitably be a range of issues that will need to be addressed. While no two businesses are the same and each will have its own unique questions that will need answering, there are a few common areas that are likely to require attention.

Identifying exactly what data you have that needs protection is one of the first priorities when creating a security plan, but it can also be one of the most difficult. In today’s environment, trends such as ‘shadow IT’ make it very difficult for security teams to gain a complete picture of their entire network, as many personally-owned endpoints and unapproved consumer-grade applications may interact with business data that they do not have visibility into or control over. 

Any policy therefore needs to have a clear explanation of what devices and applications are approved to access information and how these rules will be enforced, as well as what data encryption solutions will be needed in order to access and transfer data safely. 

However, it is not usually feasible to apply the toughest levels of protection to all data. Therefore, it’s important for businesses to correctly classify data based on its importance and sensitivity to identify exactly where firms should be focusing their resources.

Many employees now expect remote access to key data in order to do their jobs, and will use personally owned smartphones, tablets and laptops to make this easier if the organization does not provide them. This presents a new range of data loss challenges, from misplacing a device on public transport or connecting to corporate resources from insecure public Wi-Fi.

Identifying specific technologies for mobile users is therefore critical in reducing the risk of a security breach. For example, on-device anti data exfiltration software can be highly useful in preventing data breaches caused by hackers taking advantage of less-secure personal devices.

As well as rules that apply to every business, such as the EU’s general data protection regulation, some industries will also have their own compliance rules regarding data privacy and security. For example, healthcare firms will have to contend with strict HIPAA rules, while any businesses accepting online credit card payments from customers will need to be familiar with the 12 requirements of PCI-DSS.

A data security policy must include a section that spells out what, if any, additional industry-specific regulations will apply to their business and what will need to be done to meet these compliance requirements. Failure to project data from security threats in highly-regulated industries can be hugely costly, so any security policy must have a section dedicated to addressing these issues.