As threats to corporate data security grow more severe, some companies might need to reevaluate their data security plans to help ensure the best possible defense against hackers and information thieves. A data security plan outlines the training, tools, policies, and procedures an organization will use to help prevent and respond to data breaches.
When done well, data protection plans can help stop data theft and potentially save companies millions in fines and reputational damage. Conversely, companies could suffer if their security plans are not built on comprehensive and correct information. For example, if a security team does not know that company employees store confidential information on hard drives, it will likely not establish effective secure hard drive destruction procedures. This omission could expose sensitive data to information thieves.
Some businesses struggle to understand how and where sensitive data is stored, used, and destroyed. An ISACA survey of professionals working in data privacy found that 49% of respondents felt they did not have enough privacy budget. In the same survey, 53% of respondents said a common cause of privacy failure was not performing a risk analysis. Hidden data can cost companies millions and puts them at greater risk of security threats. Redundant, obsolete, and trivial data (ROT) and dark data are problematic because you may not even notice if they go missing. Information gaps can pose an even greater risk: non-compliance with data protection regulations.
By asking the right questions and taking steps to understand information security, business leaders can be better informed as they develop data protection plans that include tactics to help prevent physical and digital data breaches.
Five Key Data Management Questions
The “basics” of an organization’s data management program form the foundation of effective information security. Business leaders should meet with their data protection officer and any other relevant employees to answer some key questions about their companies’ information management procedures, including:
- What data is collected and stored? Companies collect different types of confidential data depending on the products and services they provide. For instance, a clothing shop might store the names, email addresses, and credit card numbers of its customers, while a law firm might store confidential information about past or ongoing litigation. Leaders should also identify whether the collected data is physical (paper, hard drives, etc.) or digital (electronic files, cloud files).
- How much data is collected and stored? The amount of information a company stores can help inform the investment in security tools, services, and personnel. For example, an organization that collects large amounts of sensitive paper documents might need to use a secure information management service that offers regularly scheduled document destruction.
- Where is data stored? This question can refer to the location of physical data (stored in desks, file rooms, home offices) and/or digital data (stored on external servers, local hard drives). Data location can play a role in a range of executive decisions from establishing security policies to selecting information technology.
- For how long is data stored, and why? Certain data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe, require companies to store data only for as long as necessary. Unneeded and unused data can make organizations bigger targets for hackers and information thieves. Unless the organization is actively using sensitive information, it should be destroyed or deleted.
- With whom is data shared? Most organizations enlist the help of external partners and might share sensitive data with them in the process. For instance, companies might share customer email addresses with marketing firms to develop an email advertising campaign. Sharing data with third parties, while often necessary to a business's operations, could increase the risk of exposing sensitive data to bad actors. In 2021, the third-party software provider Kaseya experienced a cyberattack which compromised not only Kaseya's systems but the files of as many as 1,500 companies. Security teams should address third-party data sharing in data security plans and connect with their external partners to understand their security protocols.
How to Improve Data Management Knowledge
Once business leaders and security teams fully understand the “basics” of corporate data management, they can begin to implement other strategies to help improve data knowledge and security, such as:
- Data Risk Assessments: During data risk assessments, an information security professional reviews a company’s physical and digital data protection procedures to determine vulnerabilities. Data risk assessments provide companies with a helpful outside opinion that can inform information security investments.
- Understanding Legislation: Countries around the world, including Canada, have implemented data protection legislation. Businesses should stay informed of new and existing regulations, as violations could result in legal action, fines, and reputational costs.
- Culture of Data Security: Knowledge of basic data management information is critical not only for decision-makers but for employees throughout the organization. Companies should implement regular information security training to help familiarize employees with data protection plans and procedures.
Physical data protection should be a key component of every company's data protection policies, and we are ready to help. Our team of experienced physical information security professionals can help leaders identify vulnerabilities and create a plan for safe and secure data management. Learn more about Shred-it's services and contact us to schedule a free security risk assessment.