Data protection has come a long way. In previous years, it was considered a “nice to have” and a line item on the budget further down the page. Today, it’s top of mind for almost every CIO or CISO across all industries.
Yet many organizations are caught in the crosshairs of cybersecurity challenges, often due to common oversights and misconceptions about data security. It’s not surprising due to the rising complexity of threats along with the TTP (tactics, techniques and procedures) of bad actors.
From the pitfalls of decentralized data security strategies to the challenges of neglecting known vulnerabilities and managing compliance, this article will explore each obstacle, provide actionable solutions and shine the light on a real-world example that brings it all together.
Pitfall 1: Failing to move beyond compliance
While regulations like GDPR and SOX set standards for data security, they are merely starting points and should be considered table stakes for protecting data. Compliance should not be mistaken for complete data security, as robust security involves going beyond compliance checks.
The fact is that many large data breaches have occurred in organizations that were fully compliant on paper.
Moving beyond compliance requires actively (and proactively) identifying and mitigating risks rather than just ticking boxes during audits.
Solution: Recognize compliance as a starting point
Organizations must go beyond compliance by adopting a strategic, proactive approach to protect critical data. The strategy should include discovering and classifying sensitive data, using analytics for risk assessment, enforcing data protection through encryption and access controls, monitoring for unusual activity, responding to threats quickly and streamlining compliance reporting. Understanding the broader implications of data breaches (such as legal liabilities and potential losses) is essential in developing robust data security measures.
Pitfall 2: Not recognizing the need for centralized data security
As businesses grow, data gets stored across various platforms, much of it unstructured. Data sprawl is real, underscoring the importance of centralized security oversight.
While their data sources expand further into the cloud, leaders of companies with growing IT infrastructures can become overwhelmed by this expansive attack surface. Without enough visibility and control of their sensitive data, a unified approach is challenging — and opens up gaps in security protocols and new vulnerabilities.
Solution: Know where your sensitive data resides
Effective data security involves knowing where and how sensitive data is stored and accessed, and integrating that knowledge into the broader cybersecurity program to ensure smooth communication between different technologies. Using a data security solution that operates across various environments and platforms is crucial for effective data protection and cybersecurity integration.
Pitfall 3: Unclear responsibility for ownership of data
Data is one of the most valuable assets for any organization. And yet, the question, “Who owns the data?” often leads to ambiguity within organizations.
Clear delineation of data ownership and responsibility is crucial for effective data governance. Each team or employee must understand their role in protecting data to create a culture of security. Because if nobody knows who is responsible for what data, how can you protect sensitive data?
Solution: Hiring a CDO or DPO
Hiring a Chief Data Officer (CDO) or Data Protection Officer (DPO) is a great start for effective data management and security, especially for GDPR compliance. These roles require technical knowledge, business acumen, risk assessment skills and an ability to direct strategic data security implementations. They should also manage compliance, monitor program effectiveness, negotiate with cloud providers and lead data breach response planning. Their role is key in promoting organization-wide collaboration on data security.
Pitfall 4: Failure to address known vulnerabilities
Unpatched vulnerabilities are one of the easiest targets for cyber criminals. This means that organizations face significant risks when they can’t address public vulnerabilities quickly. Despite the availability of patches, many enterprises delay deployment for various reasons, which leaves sensitive data vulnerable.
The challenge in patch management stems from the difficulty in coordinating efforts across IT, security and operational teams, alongside the need to test patches to avoid new issues. In cloud environments, the uncertainty about patching responsibilities and lack of control over third-party service providers only complicates the issue.
Solution: Implement a vulnerability management program
A thorough vulnerability management program is paramount to cybersecurity and involves regular scans and assessments of all data assets (including cloud-based). Making vulnerability remediation a priority and basing it on potential exploits and business impact is essential. Protective measures should also include data obfuscation techniques like encryption and tokenization, as well as robust key management.
Pitfall 5: Insufficient data activity monitoring
In the era of big data, monitoring data activity is inarguably difficult. What was once considered a purely IT decision has transcended into the boardroom and up and down the corporate hierarchy.
For effective data security, leaders must be vigilant about who accesses data, how they access it and when. This includes ensuring appropriate access levels and assessing associated risks — especially since privileged users often pose significant insider threats.
A key element in data protection is real-time monitoring to detect suspicious or unauthorized activities by privileged accounts. The challenge here intensifies with the need to monitor, capture, filter and process an overwhelming volume of data from diverse sources like databases, file systems and cloud environments.
Solution: Develop a comprehensive data security and compliance strategy
Starting a data security initiative requires the alignment of monitoring efforts with specific risks and business goals, and adopting a phased approach for implementing best practices. Priority should be given to monitoring the most sensitive data sources with clear policies and investing in automated monitoring solutions with advanced analytics for detecting risks and unusual activity — particularly among privileged users.
Equifax data breach: Takeaways from a real-world example
One of the most notable examples of a data breach that reflects the failure to address known vulnerabilities is the Equifax data breach of 2017, which exposed the personal information of approximately 147 million people. The breach happened due to a known vulnerability in the Apache Struts web framework, which Equifax had failed to patch promptly.
To address the far-reaching consequences of the breach, Equifax undertook monumental changes, some of which are outlined above.
According to their CIO, the company:
- Invested heavily in cybersecurity (over $200 million in the year following the breach)
- Boosted resources
- Gained buy-in from the entire executive leadership team
- Hired a new CTO with proven leadership during tenure at IBM
- Implemented built-in incentives for security awareness throughout the organization tied to the annual bonus structure and even bonus deductions if specific security goals aren’t reached.
The Equifax breach serves as a stark reminder of the importance of moving beyond compliance to a more comprehensive, proactive data security approach and highlights the need for timely response to known vulnerabilities, ongoing investment in security technologies and the importance of skilled cybersecurity personnel.
For a more in-depth look at the top five data security pitfalls and the solutions to address them, check out IBM’s extensive eBook.