It should be no surprise to anyone that the digital age has created data sprawl. Information and critical data are no longer confined to desks and filing cabinets in locked rooms, but stretched across the enterprise in locations far and wide.

Data locations first expanded to structured databases, then unstructured local user systems and then file shares. As the internet and collaboration needs have grown, so have data sprawl options. The explosion of cloud services exacerbated this issue, facilitating streaming around the world to reside in locations never previously thought of or documented.

Download the IBM executive guide: Protecting your company’s most critical information

A Growing Challenge

Global organizational data sprawl increased business risk immensely. A 2016 SANS survey indicated that the risk of theft of employee information is most common, followed by the loss of intellectual property such as source code and PCI data. The incident rate of each increased year over year from 2015 to 2016.

Organizations need to track these ever-increasing and progressively valuable arrays of data types, but the task is becoming more and more difficult. The risk of accidental exposure, unauthorized access and data loss can be the result of employees sharing data without regard to where it will end up once collaborative projects are complete.

E-commerce and the global business economy drive further data sharing across both political and geographical boundaries. That means data owners and custodians are now responsible for ensuring web applications, data sharing and other operational data flows are not violating the growing library of local, state, federal and international protection regulations.

Four Steps for Securing Critical Data

Locating, categorizing, protecting and providing ongoing insight into risks for both structured and unstructured data is a necessity for any organization that maintains sensitive or business-critical data. Creating a programmatic means to providing these data services may seem overwhelming and even impossible to manage, and while it is definitely not a trivial pursuit, it is not impossible. It requires a methodical and diligent approach.

Providing any of these services at scale requires automation. By automating each step in the process, you can ensure that the appropriate checks and balances are in place.

1. Discovery

Locating structured and unstructured data follows the same general process, but with different tool capabilities. Locating structured data requires the ability to find all databases created (in use or not) and scan them for relevant data types. The same goes for unstructured data.

Critical data can be located on user systems, private or hosted data centers, or in private or public clouds anywhere in the world. To be effective, discovery tools should be able to consolidate their findings to provide a single view of critical data of any type, regardless of the storage repository, in an effective, programmatic and coordinated approach to solving this problem.

2. Classification

Once located, the data must be classified. This next step is identifying which data belongs to a protected category and which does not. Subsequent subdivision into the chosen taxonomy is also a best practice. Most organizations need more than basic public and private data classifications.

Another significant step is identifying the data stakeholder, including owners and custodians, and the data users and consumers (remember, users are both human and applications). Parallel to identifying the stakeholders, applications, business processes and data flows should also be mapped and put into a business context. As stakeholders are identified, they will facilitate the identification of applications and flows they use and vice versa.

3. Protection

The goal of the first two stages is to begin protecting data. However, data protection and use policies should be in place before any effort is made to locate and classify it. If there is no policy, then there is no point in going through the exercise.

Policy updates can be done parallel to locating data. This is where all the efforts make a difference. Ensure organizational (e.g., written) data policies are complete, and make sure the automated (e.g., technology-monitored and enforced) policies are accurate and align properly with the organizational policy. Gaps or misalignments in monitoring and enforcement can incur significant cost, especially in regulated environments.

4. Managing Risk

Management needs to be kept informed of the efficacy of the implemented monitoring solutions and controls. Security operations need to be in the loop on detected violations to apply remedial actions. This requires customizable dashboards and reporting to meet the various business and operational requirements. With visibility into potential security risks that could impact a business, incremental improvements can be made to ensure security policies and compliance requirements are being continuously met, and ultimately justify the cost of the program on an ongoing basis.

Evolving Security With Data

While data classification is often the longest step, locating all data across environments is the foundational aspect of this sort of project, and that is often the most difficult step. Data is a growing organism, so discovery must be a regularly repeatable process to identify new data types and repositories. Failure to locate both structured and unstructured critical data across all existing platforms leaves the company open to greater risk and potential fines.

Data management is about risk management. Executive teams are responsible for managing risk in their organizations, and they are being increasingly held accountable for data breaches and faults in compliance. Managing data is an increasingly important project. Delaying data management only makes the problem worse.

Purposefully and methodically define the business requirements for data discovery and ensure the selected solution operates effectively across private data centers, hosted environments and the public cloud. It’s OK to start small and build, but you must start.

Download the executive guide: Protecting your company’s most critical information

More from Data Protection

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read

Understanding the Backdoor Debate in Cybersecurity

3 min read - The debate over whether backdoor encryption should be implemented to aid law enforcement has been contentious for years. On one side of the fence, the proponents of backdoors argue that they could provide valuable intelligence and help law enforcement investigate criminals or prevent terrorist attacks. On the other side, opponents contend they would weaken overall security and create opportunities for malicious actors to exploit. So which side of the argument is correct? As with most debates, the answer isn't so…

3 min read