As organizations grapple with complex challenges and techniques to set up a fool-proof data protection and recovery system, the integrated data security approach is emerging to be the most comprehensive solution to plug gaps and loopholes
The last few years have witnessed an explosion in data, giving way to several modern technologies and concepts that are making data more consumable and accessible. Big data analytics, mobility and other social technologies are improving our lives in different ways. But what happens to all the confidential data that is the life-blood of organizations? The flip side of modern technology is the risk of classified, confidential data falling into the wrong hands. The far-reaching consequences of such an incident have been experienced by many in the past few years, in parallel with the benefits of growth in data and technology. The data breach at Target, one that is hard to forget, was one of the largest incidents ever. Initially estimated to have compromised the data of over 40 million customers, the figure has since risen to 70 million! The impact such an incident has on balance sheets, company goodwill, reputation and recovery expense is massive and long-term. A robust data protection strategy has never been more important.
As organizations grapple with complex challenges and techniques to set up a fool-proof data protection and recovery system, the integrated data security approach is emerging to be the most comprehensive solution to plug gaps and loopholes, and to fortify an organization to a large extent. This approach implies comprehensive coverage of data protection, governance and cyber security. Companies today are investing heavily in data security measures and are often more than eager to adopt an integrated model, owing to the simple yet effective solution it offers to an extremely complex situation. However, certain foundational aspects need to be considered, failing which an organization will fall short of its objectives and targets.
Here’s a look at the top 5 mistakes a company could end up making when moving to an integrated data security model:
1. Poor integration of systems: Obviously, this ranks at the top of all requirements; an integrated model requires integrated systems. Security threats change constantly and rapidly. Most organizations, however, are stuck with a myriad of applications, hardware configurations, code bases, internal admins and so on. A host of incompatibilities and inefficiencies also lie hidden across this heterogeneous mix of systems, adding further to the integration problem.
2. Lack of training and skill upgrades for the workforce: Social engineering techniques such as phishing and spear phishing are rampant in the world of security threats and attacks. These are targeted attacks on the people within an organization. Most companies fail to address their employees’ training needs with regard to security best practices. Apart from the broader workforce, the specific teams under the CIO and CISO also need constant training and skill upgrades to keep pace with the changing threat scenario and actively monitor organizational vulnerabilities.
3. Absence of data governance: Organizations often fail to establish a proper framework to govern data flow. Data is created at various levels and functions of an organization, and at different levels of confidentiality. Without a proper governance council in place, there is no formal way to monitor data handling, which can result in data loss, threat or breach. An effective governance framework involving the business, security, data management and IT teams should be set up with designated risk owners, shared goals and visibility into the handling of sensitive data.
4. Flawed cyber security planning and integration with corporate security strategy: The traditional approach to cyber security planning mostly covered traditional threat vectors such as viruses, malware, phishing attacks, Trojans and keyloggers. Attacks have since advanced into far more sophisticated campaigns that combine multiple vectors and multiple stages. Also, cyber security planning is often not integrated with corporate security strategy, leading to a lack of visibility among the multiple data stakeholders.
5. Lack of accurate identification and classification of sensitive information: As highlighted earlier, data is created at various levels and functions of an organization, and at different levels of confidentiality. Data protection depends largely on the sensitivity and confidentiality of the content, which defines the level of protection required. All too often, organizations fail to carry out a regular exercise of identifying and classifying data in consultation with business stakeholders.
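To make the classification exercise in point 5 concrete, here is an added example (not from the article or from Happiest Minds) of a small content-based classifier in Python: it assigns each record the highest sensitivity tier implied by the identifiers found in it, using a Luhn check so that order or phone numbers are not mistaken for payment cards. The tier names, the detector patterns and the sample records are all assumptions constructed for this example.

```python
import re

# Sensitivity tiers, least to most sensitive. The scheme itself is an assumption
# for this example; a real one is agreed with the business stakeholders.
LEVELS = ["public", "internal", "confidential", "restricted"]

def luhn_ok(candidate):
    """Luhn mod-10 check so order and phone numbers do not get flagged as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# (label, pattern, level, validator): constructed detectors, not an exhaustive set.
DETECTORS = [
    ("payment card", re.compile(r"\b(?:\d[ -]?){13,19}\b"), "restricted", luhn_ok),
    ("national id", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "restricted", None),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "confidential", None),
    ("handling marker", re.compile(r"\b(internal|do not distribute)\b", re.I), "internal", None),
]

def classify(text):
    """Return (level, labels): the highest tier any detector implies, and which fired."""
    level, labels = "public", []
    for label, pattern, hit_level, validator in DETECTORS:
        hits = [m.group() for m in pattern.finditer(text)]
        if validator:
            hits = [h for h in hits if validator(h)]   # drop regex false positives
        if hits:
            labels.append(label)
            if LEVELS.index(hit_level) > LEVELS.index(level):
                level = hit_level
    return level, labels

def inventory(records):
    """Classify each named record; return {name: level} plus a count per tier."""
    per_record = {name: classify(text)[0] for name, text in records.items()}
    counts = {lvl: 0 for lvl in LEVELS}
    for lvl in per_record.values():
        counts[lvl] += 1
    return per_record, counts

# Constructed sample records standing in for files or database rows.
SAMPLE = {
    "newsletter.txt": "Quarterly newsletter draft for the website",
    "reorg.docx": "INTERNAL - do not distribute outside the leadership team",
    "crm_export.csv": "alice@example.com, renewal due in March",
    "pos_log.txt": "card on file 4111 1111 1111 1111 charged",
    "shipping.txt": "order 1234 5678 9012 3456 shipped on time",
}

if __name__ == "__main__":
    for name, level in inventory(SAMPLE)[0].items():
        print(f"{name:16} {level}")
```

The per-tier counts are the input to the stakeholder review the article calls for: records landing in "restricted" are where protection spend goes first, and the "shipping.txt" case shows why a validator, not a bare pattern, is needed to keep the inventory credible.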
A data breach in an organization is not child’s play. It requires a great deal of sophistication in resources, planning and time to attack the right places at the right time. Creating an effective protection system for an organization requires the CIO and CISO functions to collaboratively think from the attackers’ perspective, put themselves in their shoes and examine how prone the organization is to a possible threat.
This article is contributed by Prasenjit Saha, who is the CEO of Infrastructure Management Services and Security Business at Happiest Minds Technologies Pvt. Ltd.