By Sadik Al-Abdulla
As cyberattacks become more sophisticated and more frequent, data loss is a growing concern for organizations in every industry. In fact, according to CDW research, one in four organizations has experienced data loss in the last two years. Many companies report data breaches that jeopardized their email, network or sensitive information.
No organization is immune — blue-chip companies, small businesses, schools and governments have all been affected. And, as telework and access to mobile computing grows, preventing data loss is an increasingly complex endeavor.
Data loss is expensive, costing organizations an estimated average of $200 per record breached, or an average of $6.8 million per total breach, according to a recent Ponemon Institute survey. But that’s just the monetary loss an organization experiences. The true cost is harder to measure when adding factors such as lost competitive advantage, loss of revenue, litigation and damage to company reputation.
The first step to prevent data loss is to acknowledge that the threat is real. Only then can you build an effective data loss prevention plan.
Define Your Data
Step two, defining all of your organization’s data, may seem daunting, but defining data for data loss prevention purposes doesn’t have to be. The key to success is to draw a distinction between confidential information (e.g., social security numbers) and confidential documents (e.g., a file containing social security numbers).
The definition of confidential is usually very straightforward. At a minimum, every organization should protect the simple data points that allow for fraudulent monetization of data: first and last name, address, social security number, credit card number, driver’s license number, banking information, etc., as well as data protected by regulations.
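The distinction above between confidential information (a data point such as a social security number) and a confidential document (a file that happens to contain one) is exactly what a content-inspection rule in a DLP tool encodes. The following added example, which is not from the article or from CDW, shows the idea in Python: it looks for two of the listed data points (social security numbers and credit card numbers), validates candidate card numbers with the Luhn checksum so that ordinary 16-digit identifiers are not flagged, and classifies a document as confidential only when it contains at least one such data point. The regular expressions, the masking format and the sample text are constructed for this example.

```python
import re

# Constructed pattern for a US social security number in the common
# NNN-NN-NNNN layout. The negative lookaheads exclude area/group/serial
# values that are never issued, which trims obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed pattern for a run of 13 to 19 digits, optionally separated by
# spaces or hyphens, which is the shape of a payment card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Payment card numbers carry a Luhn check digit; most random digit runs
    (order numbers, tracking ids) do not, so this filters them out.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Replace every digit except the last four with '*' so that a report
    or alert never itself becomes a new copy of the confidential data."""
    return re.sub(r"\d(?=.*\d{4})", "*", value)


def find_confidential_data(text: str):
    """Return (kind, masked_value, offset) tuples for every data point found,
    ordered by position in the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group()), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # only Luhn-valid runs count as card numbers
            findings.append(("card", mask(m.group()), m.start()))
    findings.sort(key=lambda f: f[2])
    return findings


def classify_document(text: str) -> str:
    """A document is confidential when it contains confidential information."""
    return "confidential" if find_confidential_data(text) else "unclassified"


# Constructed sample document; none of these values belong to a real person.
SAMPLE_DOC = """\
Customer onboarding notes (constructed sample text)
Name: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111.
Order reference 1234567890123456 is an internal id and fails the Luhn check.
Support line 555-123-4567. Tracking id 000-12-3456 is not a valid SSN.
"""

if __name__ == "__main__":
    print(classify_document(SAMPLE_DOC))
    for kind, masked, offset in find_confidential_data(SAMPLE_DOC):
        print(f"{kind:5} at offset {offset}: {masked}")
```

The point of the Luhn step and the exclusion lookaheads is precision: a rule that fires on every 16-digit number or every NNN-NN-NNNN string buries the "heart of data that truly is critical" under order references and phone numbers, and users quickly learn to ignore the alerts. Real DLP products add context (keywords such as "SSN" nearby, file type, sender and destination) on top of pattern matches for the same reason.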
But every organization also has business-critical data, which must be protected as well. Examples of business-critical data include the next quarter’s sales pipeline, pre-product-launch research data or the source code for a product.
You must determine what business-critical means to your organization. The definition should be measured against three standards:
- Would the loss of this information materially affect revenue and profitability?
- Would your organization’s leadership want to be informed of a leak?
- Would your organization’s leadership take action if informed of a leak?
By applying all three questions to your organization’s data, you can cut through the noise and focus on the heart of data that truly is critical to your business.
Once you establish this definition, measure your small business against that definition and gain clarity regarding the real risks. For instance, the areas of greatest concern do not necessarily overlap the areas of greatest exposure. In many cases, the single greatest exposure existing in an organization can be easily remedied by altering a single business process.
Address Mobile Data Security
Another challenge that small business owners face when protecting their data is the growing mobile workforce. Today, most employees do at least some of their work on a company-provided mobile device or their own mobile device (BYOD). They access data on mobile devices that might not be protected as well as company-issued PCs and laptops located in the office.
In step three, small businesses need to develop a policy for secure mobile device use, consider the security protections they have in place, and determine how to manage mobile devices. One tool organizations increasingly turn to is mobile device management (MDM): over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including smartphones, tablets, mobile printers and mobile point-of-sale devices.
Educate Your Organization
Once your small business defines its data and addresses mobility, you can move on to step four: communicate the policy to employees. The policy should be practical and concise, addressing which data is confidential and how it should be used, as well as how employees should use mobile devices.
After your organization creates a policy, next tackle the following tasks:
- Resolve process issues that violate the policy and cause ongoing incidents
- Educate users on the policy
- Provide ongoing, real-time notification to users
Proactive Data Loss Prevention
Changing processes, creating a policy and educating users can reduce most of the risk. Technological enforcement can narrow the rest. Step five is the real key, however: make security an ongoing priority. Invest wisely and consistently in security technology that is tailored to manage the specific risks your small business is likely to face.
Consider dedicating an internal or external resource to monitor and manage security issues, making sure that this resource reports to the appropriate stakeholder. This strategy lets you monitor security risks in real time, keeping the organization informed and involved in the security of your data.
Data loss is a threat that will always keep IT professionals up at night, but there are tested and proven ways to safeguard your organization. By defining your data, addressing mobility, educating your staff and taking proactive measures to prevent data loss, you will be able to mitigate your risk of falling victim to this common security threat.
Sadik Al-Abdulla is a senior manager of security practices at CDW,