It’s All About The Data: Protecting Your Most Valuable Asset
Over the past year news of data theft has become as commonplace as changes in the weather. Nary a week goes by where we don’t hear of another major leak of sensitive data, from customer personal information to credit card data to corporate secrets. What has changed over time is the frequency and impact of data theft, which can be attributed in part to the expansion of access to data in new network architectures (e.g., cloud, hosted networks, private computing devices/BYOD, etc.).
But there are two more fundamental reasons for this increase in data theft, reasons that are magnified by the changing technology landscape: companies do not value their data as a top business asset, and they focus on securing the technology, not the data itself. Stealing your customer and company information is becoming much easier to do. Companies spend millions on security technology rather than thousands on risk assessments and process (governance) improvements in information management. Companies almost never have a full accounting of all data they create, transact and store, but they have detailed inventories of the servers on which that data resides. If you’re not paying attention to the data itself, you don’t value that data enough to effectively protect it from the bad guys who value it more than you do.
Addressing this increasingly urgent problem is not easy. It requires a fundamental change in the way you think about your data. Believe it or not, you probably already have a pretty good idea of what that new mindset is. Consider the security you employ in your personal life. You lock the doors and windows to your house when you leave, but it doesn’t stop someone from breaking in and stealing your television, which you consider an acceptable risk. But maybe you do lock up your more treasured valuables, such as jewelry, in a fireproof box and hide that in your closet. And maybe you lock up your most treasured items, such as family heirlooms, in a bank’s safety deposit box. The same holds for your data. Here is a simplified version of the steps we perform with our clients in protecting their data:
- Perform an information inventory of all of the data you create, transact and store. Inventory representatives of different levels from every department and record what data they deal with daily to conduct the company’s business. Then go out and perform a full risk assessment of all of that data and verify where the data resides.
- Classify all data according to industry standards and create a framework in which the data will be protected commensurate with its classification level. Account for how the data will be stored, copied, transmitted and destroyed, as well as investigation and reporting processes in case the data is stolen or mishandled.
- Assign roles and responsibilities for the protection of data to all employees and third parties who may use the data. Include this information in your company information security policy.
- Create an information management policy that specifies how the data protection framework will be carried out, and implement that framework in the IT environment.
- Now you can purchase the security technology you need to enforce compliance.