Data, a crucial asset for the modern business, is under attack. Data breaches, ransomware, employee theft, and mistakes can each cause significant harm to your company, customers, and reputation. There are four pillars of data protection for the modern enterprise. They consist of governance, assessment, training, and response.
Governance is the second pillar of data protection for it provides the direction for cybersecurity within the organization. Governance consists of the policies and procedures established by top management as well as the organizational systems and frameworks used to manage cybersecurity.
Curt Dukes, Executive Vice President for the Center for Internet Security, said on Modern Workplace, “The job of the C-suite is to make money and not have a material adverse impact.” However, the average employee should not have to determine as to whether their decision will have a material adverse impact because interpretations of that may vary widely with the knowledge each employee has of the company, associated risks, and the impact of the decision. Rather, the company determines what a material adverse impact is and defines policy to establish the requirements to avoid such an impact.
Procedures follow policies by outlining the specific tasks that will be performed to accomplish the goals set out in policy. Documented procedures assist in standardizing tasks so that they are performed consistently and correctly.
The last element of the governance pillar is the management framework that keeps the cybersecurity machine running within the organization. This includes those persons responsible for overseeing cybersecurity, those who provide input into cybersecurity such as steering committees, as well as external entities such as audit or independent testing or review companies.
Assessment is the first pillar because it is often the prerequisite for other controls to be effective. Assessment provides the context for implementing security controls. The primary goal of assessment is to clearly identify the assets and data that the organization has as well as where it is located. The next step is to determine what contractual and regulatory requirements exist surrounding the data. Business associates, companies working with the government, or those impacted by GDPR are required to handle data in specific ways, so it is essential to identify these requirements at the forefront.
Next, companies must define those who should have access to it. Various methods exist for this including discretionary and non-discretionary access control, but the most common practice is to define roles and determine the access associated with a role. When people are hired to perform a role, they are given those privileges. Depending on the granularity with which roles are defined and the size and level of specialization in the company, some roles may not adequately describe the activities that a person performs. Some may be too broad and others somewhat skewed. In such cases, a task-based approach may be used.
The last assessment element is a risk assessment. Organizations should review the risks to their data, the value of the data and cost of losing the data, and the cost of various solutions. Solutions may include implementing additional security controls to remediate the risk, transferring the risk through insurance, avoiding the risk by changing the process or utilizing some other method, or accepting the risk. Remediation options take into consideration best practices, standards, and regulatory requirements.
The third pillar of data protection is training. Employees are a potential weak point in many organizations. They are given access to sensitive data and attackers target them with increasingly convincing social engineering schemes or just happen to catch them when they are off-guard.
Evan Anderson, CEO of INVNT/IP, in the Modern Workplace episode, “Information protection: Guarding your digital assets,” highlights training as an important element of protecting digital assets.
Training keeps employees up-to-date with the skills to recognize and foil attacks targeting them and helps to maintain cybersecurity vigilance. Training also educates employees on company cybersecurity expectations through policy and procedure training. For example, each employee should know who they would contact to report a suspected cybersecurity incident and relevant incident indicators.
The fourth pillar is response. There will come a time when controls prove less than effective for a situation, and systems become unavailable, or data confidentiality or integrity is compromised. Business continuity and disaster recovery plans establish procedures for data resiliency to maintain systems at an organizationally-mandated availability level. If the company can only tolerate five minutes of downtime a year, systems will need to be put in place to stay operational when components, sites, software, power, or other pieces of the system fail. Additionally, maintenance activities will need to be constructed in such a way as to preserve availability.
Similarly, loss of data confidentiality through a data breach or other unauthorized disclosure or the loss of data integrity through an attack such as ransomware will require some response effort. Incident response includes investigating the incident, containing the situation, assessing the impact, notifying impacted individuals, restoring data, and remediating the issues leading to the root cause. Response efforts are far more reliable and less costly when there is an associated plan. Generally, the more refined the plan, the more effective the response.
Communication plans should also be developed for possible situations. Communication plans clearly identify what will be said, who will say it, which customers, partners, employees, or governing bodies will be notified, and appropriate channels to use. Organizations lacking a communication plan may find employees talking to the press or customer notifications sent out too early or too late or without a clear explanation. Recent breaches only serve to demonstrate the value a defined communication plan can have on customer perceptions, stock value, regulatory fines, and liability.
Eric Vanderburg is a cybersecurity leader, consultant, author, and thought leader. He is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications. Eric regularly presents at conferences, seminars, and events.
Business Insights and Ideas does not constitute professional tax or financial advice. You should contact your own tax or financial professional to discuss your situation.
Follow Microsoft 365