Studies show that nearly 50% of companies had at least one security incident during the last year, prompting organizations to increase their security budgets in an effort to protect themselves. But while IT is responsible for data breach protection, it is the business units that own the data who are most affected by a security incident. Working with business units to determine which assets are most critical and need the highest level of protection is the most important step toward achieving security.
Security is Built on Policy
Employees' attitudes towards data security come from the top down. Senior management needs to demonstrate that compliance policies aren't just about meeting the minimum standard required to pass an audit; they're actually about protecting a company's data—and its customers' data.
Data can't be stolen if it doesn't exist, so it's important to have policies that limit the capture and storage of data that isn't necessary for business operations. There should be a plan for managing the life cycle of data—and that life cycle should end with an effective means of archiving and destroying data that's no longer required.
Effective access controls are also important. Many data breaches occur when login credentials are compromised, most often when employees fall for phishing schemes. To limit the impact of this human error, data access must be limited to those who have a legitimate need for access.
Creating these policies isn't a one-time task. As the business grows and expands, the nature and volume of data collected will change. To maintain security, policies need to be reviewed periodically so they can grow and change along with the business.
Assess Risks and Obligations
Along with defining policies for managing the data life cycle, companies should invest the time to think about known vulnerabilities and plan responses, both technical and procedural. Because companies share data with many third-party businesses, it's important to assess your partners' data security as well as your own.
Failure to meet legal and compliance standards places an organization at risk not only of a security breach, but also of failing an audit and facing stiff fines and legal fees. Organizations need to invest the time to fully understand and meet their compliance obligations.
Once an organization understands its priorities, it should begin reviewing the data it owns and the policies surrounding that data. It should also understand how it currently secures data access and what protection methods are in place, so that in-house policies can be compared against industry best practices.
An assessment should include the organization's ability to respond to a security incident. This covers the internal reaction, such as educating employees on how to notify the incident response team, as well as a plan for notifying and working with the appropriate external authorities, notifying customers, and managing the impact on the organization's public image and business contracts.