To implement or not to implement? That is the question when evaluating a new technology solution for your organization. Complicating the often daunting decision are the preconceived notions held at various organizational levels as to whether the solution is necessary, or more trouble than it’s worth. This can become especially problematic when misinformed thinking is the reason an organization doesn’t implement solutions that are vital to protecting one of the most valuable assets – data. Here, we’re addressing some of the common data protection myths, the truth behind them, and how data classification, data loss prevention (DLP), and digital rights management (DRM) can aid your organization with data protection.
Myth #1: Only the Information Security department is responsible for data protection
While the Information Security department plays a major role in spearheading an organization’s data protection program, ultimately, it is up to everyone in the organization to be responsible for appropriately handling and protecting data. Data protection is not as effective if it is just done by just one person or department. Every single employee in the Information Security department could be following data protection policies flawlessly, but if other employees and departments aren’t doing the same, the organization is at risk for a data breach. In order for a data protection program to be effective, everyone needs to be aware of the sensitive data they are handling, no matter what department they are working in. The Information Security team is there to educate, help build a culture of security, and assist with the software and security concerns, not do data protection for everyone.
Myth #2: Small and medium-sized businesses aren’t at risk of data loss
In a recent survey, 61% of small business owners reported that they were “not concerned” or “not concerned at all” that their business would be the victim of a cyberattack in the next 12 months. While small and medium-sized business (SMBs) may be under the impression that because they aren’t a large-scale corporation, nobody is interested in their stealing their data, this couldn’t be further from the truth. Potential attackers aren’t often looking to specifically target certain companies, but mostly looking for sensitive data that they can gain easy access to. These attackers are also aware that smaller businesses may lack data protection measures and security teams, making SMBs a much easier target than a larger organization.
Moreover, any sized organization can be a victim of an insider threat – arguably the greatest threat of all. In rarer circumstances, an insider threat can be malicious or intentional (think disgruntled employees, taking IP to a new job etc.), but on the whole, an accidental insider threat is the far more common danger. We can equate accidental insider threat to the average employee, just doing their job, who makes an unintentional, but critical mistake. Last year, the Cabinet Office in the UK was fined £500,000 after an employee accidentally disclosed online a confidential document with personal details pertaining to recipients on the New Year’s Honours list back in 2019. So, as long as there are people within in a company, the risk of insider threat is always there.
Myth #3: You will always know if you have been hacked or there was a data breach
Perhaps one of the most dangerous myths – organizations often believe that there will be obvious signs to tip them off when a data breach happens. The truth is that data breaches and cyberattacks can go undetected for months, especially if originating by insider threat. A 2022 report by IBM states that the average time it takes to identify and contain a data breach is 277 days (about 9 months). The report also stated that containing a data breach in less than 200 days saved an average of $1.12 million. Needless to say, the earlier you detect any sort of unusual activity regarding your data, the better off you will be.
Myth #4: Data protection solutions are expensive
Data protection is an investment, but it’s a drop in the ocean compared to the potential damage caused by a data breach, including fines for regulatory non-compliance, litigations, and reputational damage. The average cost of a data breach reached an all-time high of $4.35 million in 2022, a 12.7% increase in just 2 years compared to $3.86 million in 2020.
You can think of investing in data protection solutions much like taking out car insurance – you get car insurance for protection in case you get into an accident, not because you plan on getting into an accident. And just like a car accident may not be your fault, the same goes for exposed data. You could have been doing everything right, but someone else made a careless mistake, that resulted in the accident and if you don’t have an insurance policy, you are in for a huge repair bill. Having proper precautionary measures in place, such as data classification, DLP, and DRM solutions, means data is protected wherever it is which drastically reduces the chances that it will be exposed. In addition, if data does happen to get exposed for whatever reason, having these precautions in place results in much lower fines and consequences.
Myth #5: Our data protection program is complete
As much as every organization would love to set up their data protection program and never think about it again, data protection is an ongoing process – you’re never “done”. It’s a journey with ever-changing destinations as technology and processes can, and will, change as business needs evolve, and your data protection strategy will need to adapt accordingly. In order to keep pace, organizations need to implement a solid base for data protection comprising solutions such as:
- Data Classification – Identifies and labels all data so the organization is aware of what data they possess and what level of protection is required.
- Data Loss Prevention – Gives visibility to data movement and blocks threats to sensitive information, while preventing unauthorized release of data from the organizational network. This can be achieved through Network Data Loss Prevention (NDLP) for organizations networks, Endpoint Data Loss Prevention (EDLP) for individual devices, or by combining the two for protection on both sides.
- Data Rights Management – Wraps a protective code around documents to encrypt files, ensuring sensitive data is protected no matter where it travels.
Look towards maturing data protection instead of completing
Once you’ve got a solid data protection strategy, and the required solutions in place, you will want to frequently re-evaluate your organization’s needs and look at what improvements you can make. This process is known as “maturing” your data protection solution. Perhaps you started with basic levels of data classification, but want to add more or make them more department specific? Or maybe you initially implemented Network DLP only, but with an increase in hybrid working environments, you need to add Endpoint DLP as well. You might find increasing amounts of data being shared outside your organization, and want to assess if the access controls currently being used are still effective.
Unaddressed, belief in data protection myths can be dangerous, giving organizations a false sense of security, leaving them unprepared and vulnerable to data loss. Being well-informed and able to tell a myth from the truth is one of the first steps in developing a strong data protection stance. That, along with the right solutions, will help your organization achieve the level of security it requires.
Fortra market leading data protection solutions combine data classification, data loss prevention, and digital rights management, to deliver data protection throughout the entire data lifecycle.