1 – Not knowing who uses what data and where it is located
You cannot secure data without knowing in detail how it moves through your organization’s network. Begin by doing a thorough inventory of sensitive data. Then develop a “Sensitive Data Utilisation Map” with your findings. Also consider building a series of diagrams to show where and how data moves through your system. All the parties involved should check these diagrams, and this process will raise awareness of both the value and the risk to sensitive data.
2 – Treating all data equally
IT directors and IT managers need to classify data according to its sensitivity and its worth to the organisation so they can accurately evaluate and fund different levels of protection. “Data Asset Valuation” is a very worthwhile ROI-type activity. The objective is to correlate a variety of criteria, including regulatory compliance mandates, application utilisation, access frequency, update frequency and competitive vulnerability, to arrive at both a value for the data and a ratio for determining justifiable security costs.
3 – Focusing solely on regulatory compliance concerns
Virtually all government and industry privacy and security regulations boil down to the most basic practices of data security. However, being able to pass a regulatory audit does not automatically ensure effective security.
Instead of trying to protect your organisation’s data assets by striving to meet individual regulatory requirements, a better strategy is to focus on complying with security-centred processes, policies and people, reinforced by security solutions such as automated policy enforcement, or role-based access and system auditing. Simply stated, do the right things instead of just the required things.
4 – Keeping what you don’t need
You can reduce the risk of retaining sensitive customer data by removing the electronic and paper data from all systems and files. However, simply deleting files containing infrequently accessed, highly sensitive data won’t work, as it would violate multiple data retention regulations, not to mention annoy your marketing department. A much better way is to look at the specific data retention and protection regulations governing each of the sensitive data elements that need protecting, working in conjunction with the legal department and the data librarian, who will usually know the relevant regulations.
5 – Security triage
You have to move beyond dealing with the crisis of the moment and focus on securing data holistically and consistently. While it might be difficult to free up the time and budget to institute a comprehensive data security plan, ultimately a unified approach will be significantly more effective than the fragmented practices present at too many companies, increasing security and saving you time and money.
6 – Outsourcing responsibility
Just about all data protection and privacy regulations state that firms can’t share the risk of compliance, which means that if your outsourcing partner fails to protect your company’s data, your company is at fault and liable for any associated penalties or legal actions that might arise from the exposure of that data. Laws concerning data privacy and security vary internationally. To lessen the chance of sensitive data being exposed deliberately or by mistake, you have to ensure that the company you are partnering with takes data security seriously and fully understands the regulations that affect your business.
7 – Putting too much faith in risk assessments
The simplistic Yes/No questions in a typical risk assessment focus on whether a particular technology, policy or control is in place, not on how effective those controls are against careless or malicious insiders or outsiders. Risk assessments typically look at one item at a time and don’t offer a holistic view of the system. Each component might look secure, but risk can occur at the interface points or the points of inconsistency across systems. You should think holistically to secure a system, considering the flow of data through the entire system rather than testing individual points.
8 – Settling for less than real security
Knowing what enterprise data protection technologies, policies and procedures are “reasonable” relative to peer organisations is useful information, but don’t let others’ actions determine your security plans and goals. Instead, model your policies and processes after the best practices of the most secure organisations in your industry, rather than those used by the common denominator.
9 – Fragmented processes and policies
Despite claims that protecting data assets is strategic to an organisation, the scope of data protection projects is usually either regulation-specific or department-specific. Look at developing an enterprise-wide data protection strategy instead. The objective of the project is not to produce a report, but to build awareness and executive support for treating sensitive data with technologies, policies and procedures that match the regulations, the utilisation and the potential loss if the data were to be compromised.
10 – Retaining sensitive data without balancing risks against rewards
Retaining sensitive data can be very valuable for analytic, marketing and relationship purposes. The rewards can be very high, provided you can properly secure the data and reduce the risks of storing it. Be sure that your organisation’s risk/reward ratio is balanced toward reward and that the data is being used in a way that brings real benefits to your organisation. And if securely storing data is costing more than its value to your organisation, it’s time to refine your data retention policy.