As organizations march into the digital age, data sprawl is accelerating. Information of all kinds is stored everywhere, accessed by multiple people many times a day and shared across corporate and international boundaries. Most organizations do not have a handle on data locations, ownership and flows outside of regulated or compliance-related information. Though this information is critical, other data can lead to corporate ruin if deleted, modified inappropriately or shared with the wrong parties.

The Intellectual Property Security Problem

There are terabytes of intellectual property and private corporate data that, if exposed, could impact careers, business reputations and bottom lines. For example, in 2014, Sony lost a high volume of data valued at well over $100 million, with executives being fired and stars refusing to work with the entertainment company. The next year, cybercriminals stole $160 billion worth of intellectual property from Codan, an Australian manufacturer of metal detectors, which was then used to produce counterfeit products.

Organizations can no longer afford to put off getting their information under control. According to a McAfee study titled “Net Losses: Estimating the Global Cost of Cybercrime,” corporate espionage accounted for more than $445 billion lost across the world in 2014.

Creating a Data-Centric Risk Management Program

Though intellectual property security may seem like an insurmountable problem, it isn’t. Organizations can shift the paradigm by embracing a continuous, systematic approach to managing their data. Failing to be systematic can leave data undiscovered and thus unprotected. Failing to be continuous can at best cause gaps and at worst allow data management to regress into its previous unmanaged state.

Organizations should take the following steps to secure their intellectual property.

  1. Start small, build success and then expand. The task of securing all your data at once is insurmountable, but doing it one byte at a time is the key to success. Each organization has common-use data dumping grounds. Start with a few of the smaller ones and work your way up.
  2. Locate data repositories. Information is everywhere, and you will ultimately need the right tools to find both structured and unstructured information. Starting small allows you to manually create business requirements for the tools you will need to do it on a larger scale and a continuous basis.
  3. Identify data owners and custodians. Every piece of data needs an owner and/or custodian to determine its importance to the business, who needs access to it, how it should be handled and where it should be stored. These are the people responsible for creating policies around the data. Security and IT departments merely implement the policies and should not be held responsible for determining what policies apply to which pieces of data.
  4. Learn how to classify and tag data. This part of the process helps the organization understand the various types of data it has and which data is most important. This creates the foundation for the risk profile and security policies for each type.
  5. Map data flows in processes and applications. These two exercises are related, but not exactly the same. A process may use an application, and thus a handoff is mapped. But information owners should also know what all the applications in their environments are doing with the data for processing, storage and transport.
  6. Create a risk profile for data. Now that information is located, access is understood, and workflows and processes are mapped, risk profiles can be created for the information.
  7. Adjust the information security policies for data. Once the risk profiles are known, the data owners must work with IT and security teams to create the new policies for the data. Identify which applications and users no longer need access and which business processes need to be updated.
  8. Appropriately adjust access, business processes and application flows. Now that policies are complete, the projects to make changes should be created and prioritized based on the risk levels of each identified issue. A key to this is to intersperse the short- and long-term projects to create a few quick wins upfront. This creates an initial positive impression that will help management understand the importance of the program and help operations personnel maintain momentum to complete the larger and longer-term projects.

As organizations become savvier in their data-centric risk management programs, business leaders need timely information to gain visibility into the data. Only with accurate insights can efficient controls be created to protect organizations from very real security risks. These insights cannot be gained by a manual effort.

To accomplish both the intelligence gathering and the data security project implementation, security professionals should look to adopt a toolset that will meet the project’s goals and requirements. An effective tool should have the capability to:

  • Locate data across internal and external repositories.
  • Provide continuous visibility into data repositories.
  • Create early visibility into potential risks to sensitive data.
  • Identify specific, high-value, sensitive data at risk from internal or external threats.
  • Provide a complete view of sensitive data in terms of processes, procedures, application access, compliance and ownership.
  • Deliver easy-to-understand dashboards to facilitate conversations, improve business processes and mitigate risks.

Protect Your Crown Jewels

The road to a data-centric risk management program is not easy, but it is well worth the effort. Creating a programmatic approach to data risk means that the practicing organization will have, at minimum, better-protected data as well as an overall reduction in redundant data and business risks. The projects will surely uncover multiple problems in human and application workflows, ranging from fairly small issues needing only incremental improvement to systems that require major overhauls. Such an intellectual property security program can help organizations streamline processes to fend off data thieves and protect their crown jewels.
