Light Dark
August 28, 2017 By David Monahan 4 min read
Data Protection
Risk Management

It should be no surprise to anyone that the digital age has created data sprawl. Information and critical data are no longer confined to desks and filing cabinets in locked rooms, but stretched across the enterprise in locations far and wide.

Data locations first expanded to structured databases, then unstructured local user systems and then file shares. As the internet and collaboration needs have grown, so have data sprawl options. The explosion of cloud services exacerbated this issue, facilitating streaming around the world to reside in locations never previously thought of or documented.

Download the IBM executive guide: Protecting your company’s most critical information

A Growing Challenge

Global organizational data sprawl increased business risk immensely. A 2016 SANS survey indicated that the risk of theft of employee information is most common, followed by the loss of intellectual property such as source code and PCI data. The incident rate of each increased year over year from 2015 to 2016.

Organizations need to track these ever-increasing and progressively valuable arrays of data types, but the task is becoming more and more difficult. The risk of accidental exposure, unauthorized access and data loss can be the result of employees sharing data without regard to where it will end up once collaborative projects are complete.

E-commerce and the global business economy drive further data sharing across both political and geographical boundaries. That means data owners and custodians are now responsible for ensuring web applications, data sharing and other operational data flows are not violating the growing library of local, state, federal and international protection regulations.

Four Steps for Securing Critical Data

Locating, categorizing, protecting and providing ongoing insight into risks for both structured and unstructured data is a necessity for any organization that maintains sensitive or business-critical data. Creating a programmatic means to providing these data services may seem overwhelming and even impossible to manage, and while it is definitely not a trivial pursuit, it is not impossible. It requires a methodical and diligent approach.

Providing any of these services at scale requires automation. By automating each step in the process, you can ensure that the appropriate checks and balances are in place.

1. Discovery

Locating structured and unstructured data follows the same general process, but with different tool capabilities. Locating structured data requires the ability to find all databases created (in use or not) and scan them for relevant data types. The same goes for unstructured data.

Critical data can be located on user systems, private or hosted data centers, or in private or public clouds anywhere in the world. To be effective, discovery tools should be able to consolidate their findings to provide a single view of critical data of any type, regardless of the storage repository, in an effective, programmatic and coordinated approach to solving this problem.

2. Classification

Once located, the data must be classified. This next step is identifying which data belongs to a protected category and which does not. Subsequent subdivision into the chosen taxonomy is also a best practice. Most organizations need more than basic public and private data classifications.

Another significant step is identifying the data stakeholder, including owners and custodians, and the data users and consumers (remember, users are both human and applications). Parallel to identifying the stakeholders, applications, business processes and data flows should also be mapped and put into a business context. As stakeholders are identified, they will facilitate the identification of applications and flows they use and vice versa.

3. Protection

The goal of the first two stages is to begin protecting data. However, data protection and use policies should be in place before any effort is made to locate and classify it. If there is no policy, then there is no point in going through the exercise.

Policy updates can be done parallel to locating data. This is where all the efforts make a difference. Ensure organizational (e.g., written) data policies are complete, and make sure the automated (e.g., technology-monitored and enforced) policies are accurate and align properly with the organizational policy. Gaps or misalignments in monitoring and enforcement can incur significant cost, especially in regulated environments.

4. Managing Risk

Management needs to be kept informed of the efficacy of the implemented monitoring solutions and controls. Security operations need to be in the loop on detected violations to apply remedial actions. This requires customizable dashboards and reporting to meet the various business and operational requirements. With visibility into potential security risks that could impact a business, incremental improvements can be made to ensure security policies and compliance requirements are being continuously met, and ultimately justify the cost of the program on an ongoing basis.

Evolving Security With Data

While data classification is often the longest step, locating all data across environments is the foundational aspect of this sort of project, and that is often the most difficult step. Data is a growing organism, so discovery must be a regularly repeatable process to identify new data types and repositories. Failure to locate both structured and unstructured critical data across all existing platforms leaves the company open to greater risk and potential fines.

Data management is about risk management. Executive teams are responsible for managing risk in their organizations, and they are being increasingly held accountable for data breaches and faults in compliance. Managing data is an increasingly important project. Delaying data management only makes the problem worse.

Purposefully and methodically define the business requirements for data discovery and ensure the selected solution operates effectively across private data centers, hosted environments and the public cloud. It’s OK to start small and build, but you must start.

Download the executive guide: Protecting your company’s most critical information

 |  |  |  | 
David Monahan
Managing Research Director for Security and Risk Management, Enterprise Management Associates

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature