In our previous blog, we looked at six best practices that your organization can quickly take to protect its data and (of course) the data of your clients as well. While that’s a great start towards protecting your data, getting out from between a rock and a hard place requires more than that – it requires another level to provide maximum data protection.
Six Programs to Take Data Protection to Another Level
With that in mind, let’s look at six programs to take data protection to another level, many of which include disciplines beyond cybersecurity. These are organization-wide initiatives that need to be addressed.
Identify and Classify Sensitive Data
You can spend a lot to implement various mechanisms to protect your organization’s data, but it can be expensive to protect all your data across the entire organization. And you can still fail to protect the data that’s most important in your organization.
All data is not the same and shouldn’t be treated the same. If you’re not protecting the data that is most sensitive to your organization and your clients, your data protection program is a failure. That’s why it’s important to identify and classify sensitive data within your organization to “right-size” your data protection program.
Data analytics can help to identify sensitive data, such as PII and information about key entities. It can also help identify Redundant, Obsolete and Trivial (ROT) data that your organization can eliminate to make it easier to identify the important sensitive data you need to protect most.
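As an added illustration of the analytics step described above (example code, not Cimplifi’s own tooling), the scanner below tags each record in a constructed file inventory as sensitive when it matches a hypothetical PII pattern (SSN, email, card number) and as ROT when its content duplicates an earlier file, has not been modified within a retention horizon, or is too small to be meaningful. The patterns, thresholds and sample records are assumptions chosen for the example.

```python
import hashlib
import re
from datetime import date

# Constructed sample inventory: (path, content, last_modified). Not real data.
SAMPLE_FILES = [
    ("hr/payroll_2024.csv", "Jane Doe, SSN 123-45-6789, jane.doe@example.com", date(2024, 3, 1)),
    ("hr/payroll_2024_copy.csv", "Jane Doe, SSN 123-45-6789, jane.doe@example.com", date(2024, 3, 5)),
    ("marketing/old_banner.txt", "Spring sale 2015!", date(2015, 4, 1)),
    ("it/notes.txt", "ok", date(2024, 1, 1)),
    ("legal/contract_client_a.txt", "Client A, contact ops@client-a.example, card 4111 1111 1111 1111", date(2023, 6, 1)),
]

# Hypothetical PII detectors (illustrative only; production classifiers use richer rules).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def classify(files, today=date(2024, 6, 1), obsolete_years=5, trivial_bytes=16):
    """Return {path: sorted list of tags} combining sensitivity and ROT labels."""
    seen_hashes = {}   # content digest -> first path seen with that content
    results = {}
    for path, content, modified in files:
        tags = set()
        # Sensitive: any PII pattern present in the content.
        for name, pattern in PII_PATTERNS.items():
            if pattern.search(content):
                tags.add("sensitive:" + name)
        # Redundant: byte-identical content already inventoried under another path.
        digest = hashlib.sha256(content.encode()).hexdigest()
        if digest in seen_hashes:
            tags.add("rot:redundant-of:" + seen_hashes[digest])
        else:
            seen_hashes[digest] = path
        # Obsolete: untouched for longer than the assumed retention horizon.
        if (today - modified).days > obsolete_years * 365:
            tags.add("rot:obsolete")
        # Trivial: too little content to carry meaning.
        if len(content.encode()) < trivial_bytes:
            tags.add("rot:trivial")
        results[path] = sorted(tags)
    return results


if __name__ == "__main__":
    for path, tags in classify(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(tags) or 'unclassified'}")
```

Records that carry only ROT tags are candidates for deletion; anything tagged sensitive is where the access controls in the next section should be focused first.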
Control Access to Sensitive Data
Once you’ve identified the sensitive data within your organization, you need to protect it by controlling access to it. Access controls can be physical or technical:
- Physical controls include everything from security on laptops and mobile devices (in terms of software to protect data and procedures like not using public Wi-Fi hot spots), network segregation, video surveillance in the office and more.
- Technical controls include access permissions, access control lists (ACLs), firewalls, proxy servers and more.
Create a Data Usage Policy
A Data Usage Policy is a legal disclosure of how your organization collects, retains, and shares personally identifiable information (PII). Strengthened data privacy laws like GDPR (which specifies principles for processing data in Article 5, including not keeping the data any longer than necessary for the purposes for which the data is processed) have established an expectation of transparency with regard to how organizations use personal data. A public Data Usage Policy helps achieve that level of transparency.
Document Your Cybersecurity Policies
While documentation ties into several of these mechanisms, it is also important to mention as an overall procedure. Your organization’s cybersecurity policies should be well documented, and that documentation should be kept evergreen, updated as policies change. New employees should be required to read and understand the policies – some organizations even quiz new employees on their understanding after they have read them. Changes in policies should be clearly communicated to all employees and third parties working on your behalf.
Train Your Employees
In addition to well-documented policies on data protection, employees need to be trained as well. This includes training for new employees and third parties as well as refreshers and updates for existing employees and third parties. Training should walk through real-world scenarios and even test employees and third parties on how they handle various situations.
For example, some companies implement periodic phishing tests, in which security and IT professionals create mock phishing emails and/or webpages and send them to employees to see whether they will be fooled into clicking the links within them. These simulated attacks help employees learn to recognize and avoid clicking on links in phishing emails that can result in malware being installed on their devices. A good training program includes tests to confirm that employees understand data protection best practices.
Perform a Cybersecurity Risk Assessment
A cybersecurity risk assessment is an assessment of an organization’s ability to protect its information and information systems from cyber threats. It’s designed to identify, assess, and prioritize risks to information and information systems. It helps organizations identify and prioritize areas for improvement in their cybersecurity program.
There are several cybersecurity risk assessment frameworks and methodologies available, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ISO 27001:2013 standard.
While this is the last item on the list, it’s really the first item that should be considered as it drives all the best practices and other mechanisms that your organization will implement.
In addition to the six best practices discussed last time, these six programs will help your organization adopt a comprehensive approach to data protection that is “right-sized” to protecting your organization’s (and your clients’) most sensitive data.
When it comes to data protection, staying compliant with ever-changing data privacy laws is extremely challenging. Next time, we will discuss the emergence of technology to automate addressing the continually changing requirements for privacy compliance!
For more regarding Cimplifi security, privacy, and compliance capabilities, click here.