Published On: April 24th, 2023 | 11 min read | Categories: Data Exfiltration

Is Your Data Protection Strategy Fit for Purpose in Today’s Threat Landscape?

What’s the quickest way for any business today to lose money, destroy its reputation and even put its future existence in jeopardy? In many cases, it’s through the mishandling of mission-critical or customer data.

This is because digital data matters more than ever. For instance, customers are increasingly aware of the value of their personal information and they have very little patience for firms that handle it badly. This could be selling it on to third-party advertisers without their consent or failing to secure it, leaving it vulnerable if there is a cyberattack.

The consequences for failure are severe, so making sure protection and cybersecurity are central parts of your data strategy is a must. But this is easier said than done.

Why is it Important to Have a Data Protection Strategy?

It should go without saying that protecting your most sensitive assets from harm must be a top priority for every business today. But what does this mean in practice? There’s no simple answer, as developing and sticking to a data protection strategy must be a constantly evolving process in order to counter new threats and emerging risks. 

In the age of big data, information volumes are higher than ever. What’s more, with personal data often spread widely across a network, understanding where your most important assets are and how to secure them is a vital part of any data strategy.

What is a Data Protection Strategy?

A comprehensive data protection strategy is about much more than backing up your files and putting cybersecurity tools in place to protect against intruders. It should be a living document that everyone in the business is aware of and can review on a regular basis. These plans must also cover both accidental data loss incidents, such as hardware failures or lost devices, and intentional data security incidents like ransomware and data exfiltration attacks.

Among the elements, an effective data protection plan should clearly define the following:

  • What data the business possesses and where it is stored
  • Which data assets are the highest priority for protection
  • How often backups will occur and where these assets will be held
  • What measures are in place to protect data from unauthorized access (e.g. encryption, access control, data exfiltration prevention)
  • Who in the business holds ultimate responsibility for data protection
  • What ongoing training and employee education efforts are in place

What is Data Resiliency and Why Does it Matter?

A key part of any protection plan is ensuring data resiliency. In other words, are your systems able to withstand unexpected disruption caused by data loss, theft or corruption? 

Cyberattacks that steal and encrypt critical data are especially challenging to deal with. Any delays in getting operations up and running can result in downtime, which is becoming increasingly costly in a more data-dependent world. Resilient businesses should therefore be able to ensure their critical data is always available and accessible whatever happens.

Figures from the Uptime Institute, for instance, show that in recent years, the cost of outages has grown significantly. In 2019, it found 39 percent of incidents resulted in costs exceeding $100,000. However, by 2022, this had grown to more than 60 percent, while more than one in seven outages (15 percent) now cost upwards of $1 million.

While not every period of downtime is the result of data protection issues, it’s something that cybercriminals are always looking to take advantage of. By targeting businesses with disruptive attacks such as ransomware, they can often force organizations to pay huge amounts of money in order to restore access to the system, with many firms calculating the losses they face from extended downtime will exceed the cost of a ransom.

Is a Data Protection Plan the Same as a Data Security Plan?

Sometimes, you may hear the terms data protection and data security used interchangeably, but in fact they are very different.

Data security is all about protecting your business’ digital assets from threats, whether these come from outside the company, such as hackers, or from inside your walls – for instance, malicious insiders or negligent employee behavior. It means guarding your perimeter against both incoming and outgoing suspicious activity, as well as monitoring access and being constantly on the lookout for unusual behavior within your network.

On the other hand, data protection is focused on safeguarding information from loss or corruption. While this can include protecting against accidental or deliberate data exfiltration, it also covers efficient backups and ensuring you can minimize your time to recovery in the event you do suffer an incident. 

These two areas require their own approach, tactics, and technologies to keep your business safe. However, you can’t have one without the other, so they both need to be factored into a comprehensive strategy. 

What Does a Data Protection Plan Cover?

When developing a data protection policy, there are a range of areas that must be included. This must factor in information security in order to protect against data breaches, but it should also consider data privacy to ensure you are compliant with various regulations around the world.

What Data Security Standards Should You be Following?

Many businesses will also have to contend with a variety of rules that will mandate the use of one or more key data security standards. This is especially the case for those operating in sensitive industries such as financial services and healthcare. 

Even outside those sectors, data protection legislation such as the California Consumer Privacy Act or the EU’s General Data Protection Regulation often requires the use of secure technology standards so that firms can demonstrate they are fulfilling their responsibilities when it comes to personal data.

Certifications such as ISO 27001 are crucial for many businesses as a way of reassuring customers about their data security, and these standards typically place strong emphasis on resilience to cyberattacks, as well as meeting data privacy requirements. 

Additionally, any company that processes credit card information as part of handling customer payments will need to implement the PCI DSS standard. This includes a range of requirements such as encryption and access controls, and if firms fail to maintain any of these, they may find their ability to accept payments blocked, with major credit card providers also issuing fines for non-compliance.

What Critical Data Should be Protected?

Identifying which elements of your business need the highest levels of protection must be a top priority. This is a job that falls under the remit of the data controller, or data protection officer – a required position under GDPR rules. 

Determining this should cover multiple factors, including who the information refers to (the data subject), who has ownership of it, how valuable it is to the business and what the consequences would be if it were to be lost or compromised.

Key types of sensitive data that would typically warrant the highest levels of protection include:

  • Customer data – Including personally identifiable information such as names, addresses, dates of birth and social security numbers.
  • Employee data – Personal information should be treated with the same care as that of customers.
  • Financial information – Customer credit card information is an obvious category, but supplier and business partner details must also be included.
  • Operational data – Any information that a large number of employees depend on to conduct their day-to-day activities.
  • Business data – Intellectual property, research and development data and trade secrets can all be highly valuable to unscrupulous competitors.

What Key Elements do you Need for a Strong Data Protection Strategy?

Creating a data protection policy requires the use of the latest technology to guard against growing issues such as data exfiltration and extortion. In many cases, the traditional defenses firms have in place will not be up to the task of protecting sensitive data in today’s environment, where cybersecurity risks are higher than ever, and hackers are keenly aware of the value of the information they target. 

A good data protection and data security strategy requires a multi-layered, defense-in-depth approach, including technologies such as next-generation firewalls, antivirus tools, access management, comprehensive backups, and security information and event management systems.

What are the Main Shortcomings of Traditional Enterprise Data Management?

One of the biggest issues with legacy data protection tools such as antivirus and endpoint protection software is that they often rely on signature-based detection methods to spot potential threats and unusual behavior. This makes them an inherently reactive technology that can be bypassed by newer hacking techniques such as fileless malware.

Standard data loss prevention tools are also complex and resource-intensive, demanding a great deal of time, attention, and expertise in order to function.

The result of these drawbacks is that many firms find they do not have the capabilities to adequately protect their sensitive data from harm. In many cases, they will not have full visibility into what data is leaving their network and when until it is too late.

What Systems Can You Use to Protect Customer Information?

To counter these issues, firms need a modern solution that uses advanced technologies such as machine learning to build up a picture of what normal behavior looks like and automatically step in if it detects unusual activity that may be indicative of a data breach. Advanced anti-data exfiltration (ADX) and data protection technology enable businesses to guard against threats such as ransomware and extortion.
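The contrast drawn above, between signature-based detection and building a baseline of normal behavior, is easier to see in code. The following is an added example, not code from the original post or from any vendor product: it parses constructed egress log lines in a hypothetical `key=value` format, builds a per-host baseline of daily outbound volume from a training window, and flags later days whose volume deviates sharply from that baseline. The block list, the host names, the addresses (documentation ranges), the 5% spread floor and the z-score threshold are all assumptions chosen for the illustration.

```python
# Added example (not code from the original post or any product): behavioural
# egress baselining beside a signature-style block-list check.
from collections import defaultdict
import statistics

# Constructed block list: a signature-style control that only knows about
# destinations seen in past incidents.
KNOWN_BAD_DESTINATIONS = {"192.0.2.99"}

# Constructed sample egress log in a hypothetical "date key=value ..." format.
# Days 1-7 are routine; on day 8 host ws-02 pushes far more data than usual to
# a destination that appears on no block list.
SAMPLE_LOG = """
2023-04-01 host=ws-01 dst=198.51.100.7 bytes_out=52000
2023-04-01 host=ws-02 dst=198.51.100.7 bytes_out=48000
2023-04-02 host=ws-01 dst=198.51.100.7 bytes_out=49000
2023-04-02 host=ws-02 dst=198.51.100.7 bytes_out=50000
2023-04-03 host=ws-01 dst=198.51.100.7 bytes_out=51000
2023-04-03 host=ws-02 dst=198.51.100.7 bytes_out=47000
2023-04-04 host=ws-01 dst=198.51.100.7 bytes_out=50000
2023-04-04 host=ws-02 dst=198.51.100.7 bytes_out=49000
2023-04-05 host=ws-01 dst=198.51.100.7 bytes_out=53000
2023-04-05 host=ws-02 dst=198.51.100.7 bytes_out=51000
2023-04-06 host=ws-01 dst=198.51.100.7 bytes_out=48000
2023-04-06 host=ws-02 dst=198.51.100.7 bytes_out=50000
2023-04-07 host=ws-01 dst=198.51.100.7 bytes_out=50000
2023-04-07 host=ws-02 dst=198.51.100.7 bytes_out=48000
2023-04-08 host=ws-01 dst=198.51.100.7 bytes_out=51000
2023-04-08 host=ws-02 dst=203.0.113.42 bytes_out=900000
"""


def parse_egress_log(text):
    """Turn log lines into dicts; the first token is the date, the rest are key=value."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        rec = {"date": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        rec["bytes_out"] = int(rec.get("bytes_out", 0))
        records.append(rec)
    return records


def daily_totals(records):
    """Sum outbound bytes per (date, host), so several flows a day are aggregated."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["date"], r["host"])] += r["bytes_out"]
    return totals


def build_baseline(records, cutoff_date):
    """Per-host mean and spread of daily outbound volume for days before cutoff_date.

    The spread is floored at 5% of the mean (assumption) so that a very quiet
    training window does not make every small fluctuation look anomalous.
    """
    per_host = defaultdict(list)
    for (date, host), total in daily_totals(records).items():
        if date < cutoff_date:  # ISO dates compare correctly as strings
            per_host[host].append(total)
    baseline = {}
    for host, values in per_host.items():
        mean = statistics.mean(values)
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        baseline[host] = (mean, max(stdev, 0.05 * mean, 1.0))
    return baseline


def detect_anomalies(records, baseline, cutoff_date, threshold=3.0):
    """Flag (date, host) days at or after the cutoff whose volume exceeds the baseline by threshold spreads."""
    alerts = []
    for (date, host), total in sorted(daily_totals(records).items()):
        if date < cutoff_date or host not in baseline:
            continue
        mean, spread = baseline[host]
        z = (total - mean) / spread
        if z > threshold:
            alerts.append({"date": date, "host": host, "bytes_out": total, "z": round(z, 1)})
    return alerts


def signature_hits(records):
    """The reactive control: only flows to already-known destinations are caught."""
    return [r for r in records if r.get("dst") in KNOWN_BAD_DESTINATIONS]


if __name__ == "__main__":
    recs = parse_egress_log(SAMPLE_LOG)
    base = build_baseline(recs, "2023-04-08")
    print("signature hits:", signature_hits(recs))          # nothing: new destination
    print("behavioural alerts:", detect_anomalies(recs, base, "2023-04-08"))
```

Against the constructed log the block-list check returns nothing, because the day 8 destination has never been seen before, while the baseline check flags `ws-02` on 2023-04-08 with a z-score in the hundreds and leaves `ws-01` alone. In practice the baseline would be rebuilt on a rolling window and keyed on more than bytes per day (destination, time of day, process), but the shape of the logic is the same.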

On-device protection is also important, as it provides a much more lightweight solution that does not send any information outside the business or decrypt customer data. In an environment where much data processing is handled away from the confines of a firm’s primary network – such as on mobile devices or in the cloud – this offers an extra layer of protection and ensures businesses are able to keep up with the demands of a more mobile, less centralized working environment.
