If you’re trying to protect all your data, you’re fighting a losing battle.
Advanced persistent threats are the new normal, and your best plan of defense is to make sure that the attacks that do get through don’t hurt you. How can you do that? By focusing your security efforts on what really matters: your critical, sensitive and privacy-related data.
When I talk to customers about security, I stress the importance of having a data-centric security model. What that means is that security efforts need to be built around the data you need to protect. Surprisingly, organizations don’t always have good visibility into what data they should be protecting. Part of the problem stems from the fact that every organization defines critical data differently. For a hospital, that definition would include patient records, medical images, billing information and physicians’ notes. For an advertising agency, however, it could be client emails, intellectual capital around upcoming campaigns or even a client contact list.
Once organizations have identified the data they need to protect—and that’s exactly what our Security Advizer service is designed to help them do—the next step is to look at that data across its entire lifecycle, from creation to storage, usage, sharing, archiving and recovery. Understanding how data is used across its lifecycle ensures that you don’t frustrate operational processes with security measures that make it hard to use or share data. In addition, organizations should have a clear idea of who is accessing the data and which applications and platforms are engaging with that data.
Identifying the right data to protect really comes down to first classifying your data and then estimating the risks to your business if that data were lost, stolen or altered. It’s easy to get carried away with creating lots of different data subclasses, and that can be counterproductive. If you have nine different classes of data, chances are that your users will find the rules for them prohibitively complex and look for ways to bypass them, potentially exposing your data. For that reason, it’s best to organize your data into a few key categories such as public data, confidential data and compliance-regulated data.
Understanding the risks associated with each class of data is critical, as it will ultimately help determine where you store your data, who has access to the data and what type of data encryption methods to use. In a sense, data risk analysis is similar to other business impact analysis initiatives, as you look at what the impact to your business would be if the data were compromised. Would it impede your ability to conduct business? Would it result in non-compliance or regulatory fines? Or could you live without it?
One final step that we recommend as part of the data security identification process is confirming the location of your data. This might seem obvious, but the reality is that data is rarely as organized as you might think. There are data discovery tools, many of them free, that can help enterprises confirm where their data is actually stored. This is important not only for planning out a data security strategy but also for compliance audits.
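As an added illustration of the three preceding steps (a small number of classes, a risk-driven handling rule per class, and confirming where data actually lives), the script below is example code written for this post, not a Rolta AdvizeX tool. It runs a simple pattern-based discovery over a constructed, hypothetical file inventory, assigns each file to one of the post's three categories, and derives the storage location, access scope and encryption requirement that class implies; the patterns and handling rules are assumptions chosen for the demonstration.

```python
import re

# Constructed sample "files" standing in for a file-share inventory (hypothetical content).
SAMPLE_FILES = {
    "public/press-release.txt": "Rolta AdvizeX announces new webinar on data security.",
    "hr/payroll-2023.csv": "name,ssn,salary\nJane Doe,123-45-6789,85000",
    "radiology/patient-notes.txt": "Patient MRN 00042: MRI shows no abnormality. Physician notes attached.",
    "campaigns/q3-pitch.docx": "CONFIDENTIAL - draft creative for upcoming client campaign.",
}

# Indicators of compliance-regulated content (assumed patterns: SSN, payment card, PHI wording).
REGULATED_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "phi": re.compile(r"\b(?:MRN|patient)\b", re.IGNORECASE),
}
# Markers that a document is internal but not regulated.
CONFIDENTIAL_MARKERS = re.compile(r"\b(?:confidential|internal only|draft)\b", re.IGNORECASE)

# Handling rule per class (assumed): where it may be stored, who may read it, encryption required.
HANDLING = {
    "public": ("any", "everyone", "none"),
    "confidential": ("internal share", "business unit", "at rest"),
    "compliance-regulated": ("restricted vault", "named owners only", "at rest and in transit"),
}

def classify(text):
    """Return (class, reasons): regulated indicators win over confidentiality markers."""
    hits = [name for name, pat in REGULATED_PATTERNS.items() if pat.search(text)]
    if hits:
        return "compliance-regulated", hits
    if CONFIDENTIAL_MARKERS.search(text):
        return "confidential", ["marker"]
    return "public", []

def inventory(files):
    """Map every path to its class and the storage/access/encryption rule it must follow."""
    result = {}
    for path, text in files.items():
        cls, reasons = classify(text)
        location, access, encryption = HANDLING[cls]
        result[path] = {"class": cls, "reasons": reasons, "location": location,
                        "access": access, "encryption": encryption}
    return result

if __name__ == "__main__":
    for path, info in inventory(SAMPLE_FILES).items():
        why = ", ".join(info["reasons"]) or "no markers"
        print(f"{path}: {info['class']} ({why}) -> {info['location']}, encrypt {info['encryption']}")
```

A file that is both marked confidential and contains regulated data lands in the stricter class, which is the behaviour you want when categories are few and rules must stay simple.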
Ultimately, data identification is only the first step in the way we at Rolta AdvizeX go about applying the NIST Cybersecurity Framework functions of Identify, Protect, Detect, Respond and Recover. It is, however, the most important step for organizations, particularly where limited budgets dictate the need to align financial and personnel resources with the greatest security threats.
For a complete overview of our data-centric security model, including best practices for success, I encourage you to listen to our recent Data Security Webinar.