The 5 Challenges of Data Protection
“We shall defend our island…we shall fight on the beaches, we shall fight on the landing grounds, we shall fight in the fields and in the streets, we shall fight in the hills; we shall never surrender.”
Former U.K. Prime Minister Winston Churchill said that during World War II. His stakes were a bit different than yours, but now that we’re in the Digital Age, your organization’s “island” has become the data in your charge—protecting it is paramount.
But just as the Allies had to fight on many fronts and over many kinds of terrain, protecting data brings difficulties of its own. As a cybersecurity assessment firm that regularly evaluates the security of data against different standards, we have seen that organizations often make the same mistakes.
To help you avoid becoming one of them, this article will identify some of the major challenges faced by government, private industry, and personnel in charge of information—commonly referred to as “data owners”—while analyzing ways you can mitigate and control these challenges.
Such details will help you target the security areas you may need to shore up so that you can better “defend your island.”
5 Things to Avoid When Protecting Data
1. Mislabeling Assets When Classifying Information
When it comes to data protection, everyone’s priority is to protect the most critical information above all else. But oftentimes, things get mislabeled—data that isn’t critical is mistakenly included for that level of protection, or data is miscategorized to the wrong tier.
When assets are mislabeled, the consequences run in both directions. Over-classification wastes resources: the effort spent protecting critical information should, in most cases, far exceed what is spent on information ranked much lower on your data classification scale. Under-classification is worse, because a critical record filed as internal will never receive the controls it requires.
But to correctly distribute resources, you need to correctly classify your data. To do that, you should start by asking these two questions:
- What data does our business rely on most?
- What information, if made public, would be detrimental to our business as a whole?
It’s not enough to simply voice these questions, though. You should conduct a formal, documented risk assessment involving all levels of management to answer them. The end goal of this process is to identify your critical assets and your organizational risks.
From there, you can work to complete your hierarchy of data. Every single byte of information may not meet the definition of “critical,” but there will likely be varying levels of importance/necessary security for different types of data.
How many different groups you create for your data is up to you, but four labels are typical. Here they are, from most sensitive to least:
- Restricted: If compromised, could lead to criminal charges, fines, or business damage—think proprietary information or data protected by government regulations. These are the “critical assets” identified in the risk assessment above.
- Confidential: Requires specific authorization—examples of confidential data include forms of PII.
- Internal: Only accessible to company personnel—things like process documentation, written internal communications, business plans, etc.
- Public: Either freely accessible or deemed okay for distribution to whomever.
With your hierarchy established and labels assigned correctly, your security professionals will find it easier to work with management and key process owners to adequately fulfill protection needs for all classifications.
2. Incorrectly Configured Privilege Management
Clear and correct labels are only the first step. The next challenge, once labeling is done, is deciding who should have access to each classification, something security professionals wrestle with because individual access is difficult to track and control.
Privilege management that ensures no one person can perform an entire process unchecked is incredibly important: the risk of fraud and data loss rises sharply when segregation of duties is not in place within an organization.
Separating access at all is a start, but when determining which information specific people or groups may see, the results of your comprehensive risk assessment help, as does one basic question: “what information does this person or group need to perform their job function?”
Authorized users should only have access to information that is commensurate with their job responsibilities.
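The two rules from sections 1 and 2 (a user needs both sufficient clearance for a tier and a genuine need-to-know, and no one may approve their own request) are easy to state and easy to get wrong in practice. The following is an added example, not code from the article or from Schellman, showing one way to encode them. The tier names follow the article’s four labels; the `Tier`, `Asset`, `Principal` and `TwoPersonWorkflow` names, the group-based need-to-know model, and all users, groups and assets are assumptions constructed for illustration.

```python
# Added example (not code from the article or from Schellman): a minimal model of
# least privilege and segregation of duties over classified data. The tier names
# follow the article; users, groups and assets are constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum

# Classification labels, least to most sensitive (ordering matters for >=).
Tier = IntEnum("Tier", "PUBLIC INTERNAL CONFIDENTIAL RESTRICTED", start=0)

@dataclass(frozen=True)
class Asset:
    name: str
    tier: Tier
    group: str  # hypothetical: the business function that needs this data

@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    clearance: Tier  # highest tier this person's role is approved to handle

class SoDViolation(Exception):
    """One person tried to perform both halves of a controlled process."""

def can_read(p: Principal, a: Asset) -> bool:
    """Need-to-know: PUBLIC is open, INTERNAL needs any staff clearance, and the
    top two tiers need sufficient clearance AND membership in the owning group."""
    if a.tier == Tier.PUBLIC:
        return True
    if a.tier == Tier.INTERNAL:
        return p.clearance >= Tier.INTERNAL
    return p.clearance >= a.tier and a.group in p.groups

def over_privileged(principals, assets):
    """Access review: users cleared above the highest tier their groups use.
    Returns {user: (granted, needed)} so reviewers can see the gap."""
    findings = {}
    for p in principals:
        needed = max([Tier.INTERNAL] + [a.tier for a in assets if a.group in p.groups])
        if p.clearance > needed:
            findings[p.user] = (p.clearance, needed)
    return findings

class TwoPersonWorkflow:
    """Segregation of duties: whoever requests a change cannot approve it."""

    def __init__(self):
        self._pending = {}  # req_id -> (requester, asset)

    def request(self, req_id: str, requester: Principal, asset: Asset) -> None:
        if not can_read(requester, asset):
            raise PermissionError(f"{requester.user} may not access {asset.name}")
        self._pending[req_id] = (requester.user, asset)

    def approve(self, req_id: str, approver: Principal) -> tuple:
        requester, asset = self._pending[req_id]
        if approver.user == requester:
            raise SoDViolation(f"{approver.user} cannot approve their own request")
        if not can_read(approver, asset):
            raise PermissionError(f"{approver.user} may not access {asset.name}")
        del self._pending[req_id]
        return (requester, approver.user)

# Constructed sample data (illustrative only).
ASSETS = {a.name: a for a in [
    Asset("press-release.pdf", Tier.PUBLIC, "marketing"),
    Asset("onboarding-runbook.md", Tier.INTERNAL, "it"),
    Asset("customer-pii.csv", Tier.CONFIDENTIAL, "support"),
    Asset("cardholder-data.db", Tier.RESTRICTED, "payments"),
]}
USERS = {p.user: p for p in [
    Principal("alice", frozenset({"payments"}), Tier.RESTRICTED),
    Principal("bob", frozenset({"support"}), Tier.CONFIDENTIAL),
    Principal("carol", frozenset({"marketing"}), Tier.RESTRICTED),  # over-cleared
    Principal("dave", frozenset({"payments"}), Tier.RESTRICTED),
]}

def run_demo() -> dict:
    """Exercise all three controls and return the outcomes."""
    chd = ASSETS["cardholder-data.db"]
    wf = TwoPersonWorkflow()
    wf.request("chg-1", USERS["alice"], chd)
    try:
        wf.approve("chg-1", USERS["alice"])
        blocked = False
    except SoDViolation:
        blocked = True
    return {
        "bob_reads_pii": can_read(USERS["bob"], ASSETS["customer-pii.csv"]),
        "bob_reads_chd": can_read(USERS["bob"], chd),      # clearance too low
        "carol_reads_chd": can_read(USERS["carol"], chd),  # cleared, wrong group
        "review": over_privileged(USERS.values(), ASSETS.values()),
        "self_approval_blocked": blocked,
        "approved": wf.approve("chg-1", USERS["dave"]),
    }

if __name__ == "__main__":
    print(run_demo())
```

The point of `carol` in the sample data is the one practitioners most often miss: a high clearance by itself does not grant access, because `can_read` also demands membership in the group that actually uses the data, and `over_privileged` flags her as cleared far above anything her job needs. The workflow check shows why the approver must be a different person and must independently pass the same access check.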
3. No Business Continuity and Disaster Recovery Plan
When it comes to data protection, much of the focus is placed on preventative security measures. But at least equal attention needs to be paid to what happens if a breach does occur: incident response and recovery.
That is why you should implement a formal, tested, and documented Business Continuity and Disaster Recovery (BC/DR) Plan, working alongside your incident response procedures, so that critical data is not lost and sensitive data is not leaked through improvised handling when a breach occurs. These days, security incidents are more likely than not, so when one happens, protecting the data you still can, especially the data that serves critical business operations, will be important.
An important part of your BC/DR plan is therefore keeping copies of the data deemed most critical in different locations, separated both logically and physically from the production systems, and periodically testing that those copies can actually be restored. If they are not, and critical data cannot be recovered or sensitive data is leaked, your organization could face devastating consequences.
4. Lack of Personnel Awareness
In the same vein, focus on security measures also often centers on technology more than anything else. But in the words of Kevin Mitnick, a renowned white-hat hacker, “companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain.”
He means your people: the weakest link in the security chain is, and always has been, people. To help with that, you should provide security awareness training that does the following:
- Exists at every level of your organization from the ground up.
- Provides specific knowledge of the classification levels of the data employees interact with in their everyday jobs, and of how each level must be handled.
- Includes roles and responsibilities for personnel in your Business Continuity and Disaster Recovery Plan, along with instructions on how to handle various scenarios.
- Addresses the generational gaps in your workforce by tailoring to the learning differences that come with those.
It may be a challenging ask to commit budgeted resources to maintaining such a comprehensive security program, but the benefits outweigh the costs: people who can recognize threats such as phishing and other social engineering are far less likely to be the cause of a critical data leak.
5. Compliance Pushback
Audits (and the related compliance) are often seen in one of two lights: embraced as helpful or scorned as a hindrance. While, as auditors, we understand that doing our job may complicate your operational day-to-day, if you want to better protect your data, you should adopt the former mindset.
Choosing an auditor who fits in with your team can go a long way, but no matter who you work with, the laws, regulations, and standards that govern data protection exist to help the organizations that abide by them.
Because each framework brings its own methodology for protecting assets and the information that keeps your proverbial engine running, compliance audits help enormously with preventing costly data breaches, which would surely be a bigger headache than a semi-annual or annual audit.
And you do have options, so you can choose which assessment best suits your organization’s controls, resources, and data:
Next Steps for Your Cybersecurity
Winston Churchill went down as a British legend for his zeal during World War II, and even though the “battle” landscape is now largely digital, you’ll need to emulate him to protect and defend the data in your charge. Now that you understand five basic missteps that many organizations make when building up their digital security, you’re better positioned to keep your information safe.
But part of security is evolving knowledge of new threats and adjusting your protection measures and methods. To help with that, read our other content that can shed light on specific threats and ways to prepare against them:
About JOE O'DONNELL
Joe O'Donnell is a Senior Manager with Schellman mainly dedicated to the PCI and PCI specialty service lines. Prior to joining Schellman in 2015, Joe worked in industry within an Enterprise Risk Management consulting practice. He managed IT reviews in support of the financial audit and also helped with various engagements including, but not limited to, SOC reports, penetration testing and vulnerability scanning, SOX, HIPAA, and bank audits. Before focusing his career on IT auditing services, Joe worked as an Enterprise Operations Computing Analyst, where he gained experience in IT systems analysis and data center operations.