
GUEST ESSAY: Leveraging best practices and an open standard to protect corporate data

It’s an irony often noted about wealth: The more money you have, the more you have to worry about money – managing it, protecting it, nurturing it for further growth.


For businesses, the same is now true about information. Data has become critical to your organization’s success. At the same time – in fact, as a direct result of data’s central importance – more adversaries are working harder and finding more nefarious ways to steal or otherwise compromise your data. As just one measure, the number of data breaches in the first nine months of 2021 exceeded all those in 2020, a new record.

As the economy grows increasingly data-driven, and as cyber threats proliferate, business leaders recognize they must find a more effective approach to protecting their intellectual property, financial records, employee and customer information, and other sensitive data — while also ensuring their employees’ access to that data is not hindered.

The good news is that there’s a simple way to safeguard your vital information assets, and it’s within reach of virtually every organization.

Proliferating cyber challenges

More than one-half of organizations expect a surge in cyber incidents in 2022. In response, well over two-thirds say they’ll spend more on cybersecurity. But the challenges are accumulating on multiple fronts:

• Cloud computing. One-half of corporate data is now stored in the cloud. Organizations are equipping workers with cloud-based applications like Microsoft 365 and Google Workspace, and running enterprise workloads on cloud platforms like AWS. You need to balance giving employees and customers easy access to data against keeping that information safe.

• Regulatory compliance. Evolving privacy regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) mean ongoing headaches for cybersecurity, compliance and risk management teams. At least 10 additional states have enacted or are considering data privacy laws. Two-thirds of the global population will be protected by privacy regulations by 2023, and 70% of organizations say such regulations make cloud migrations and analytics more difficult. Also, it’s not unusual for regulators to assess multi-million dollar fines to companies that don’t properly protect customer data.

• Outmoded cyber solutions. Until now, organizations have relied on firewalls, intrusion detection and similar techniques to protect their data. Such a layered approach is still wise. But as cyber-crime groups and adversarial nations invest money, time and effort in cracking these defenses, traditional protections are no longer adequate. It’s time to rethink your security stack and priorities. Security and privacy are more than just adding on to what you have historically done: It’s a constant re-evaluation of your approach, where nothing is sacred except for the data you are entrusted to protect.

Best data management practices


As business leaders, you set the tone and the pace for your organization’s momentum. For this reason, it’s important that data privacy becomes part of your core values. Meet with your team to map out how trust and reputation impact your brand and bind this to a new core value you can align the company with.

Of course, data protection requires effective cybersecurity solutions. But data management begins with strategy, not technology. Follow these eight best practices to lay a firm foundation for keeping your data safe:

• Get key stakeholders on board. Data protection isn’t just the domain of your CIO. All business leaders and the board of directors need to recognize the critical nature of data and be willing to invest time, strategy and budget in protecting it — or accept the fact that you may lose it.

• Inventory and map your data. Understand what data you’re collecting, where it’s stored, how it’s being used, and with whom it’s being shared. Create a data map to show its flow across on-prem data centers, private clouds and public clouds.

• Create a data catalog. Once you know where the data is, how it got there, and its worth (and risk) to your organization, take the time to create a catalog so that your investment in these exercises can immediately generate value for those who need the data to do their job.

• Conduct risk analysis. Some regulations require a proactive approach to identifying and mitigating data risk. In any case, risk analysis is the smart thing to do. It underlies organizational accountability and is necessary to identify threats and uncover deficiencies. And remember: The risk of data changes as it moves. Ensure you understand these boundaries and include them in your calculation.

• Understand data protection standards. Data regulations have legal, financial and reputational implications. Become familiar with the standards that affect your industry, such as GDPR, CCPA, SOX, HIPAA, the Gramm-Leach-Bliley Act, Payment Card Industry Data Security Standard (PCI-DSS), Federal Information Security Management Act (FISMA) and Children’s Online Privacy Protection Rule (COPPA).

• Assign roles and responsibilities. You probably already have a CIO. You almost certainly need a chief information security officer (CISO). GDPR requires a designated chief privacy officer (CPO). Your investment in data-focused leadership should reflect the value of data to your business.

• Create a data protection policy. Data protection is so central to your business that you should think of it the way you do your mission statement. Start with your core values, and then be specific about how you’ll protect data and privacy.

• Implement data protection procedures. Policy should lead to action. Document data handling and processing, data monitoring, auditing mechanisms, breach response and data recovery. Additionally, ensure you reset and communicate expectations with your down-level managers about the importance of data protection, so they can incorporate these practices into their day-to-day work. Anything short of this will result in employees becoming overworked and burned out.

• Educate employees. Every employee has the ability to make data security stronger – or weaker. Make sure team members understand how to safely create, store and share data, and make sure they know that you see this as a critical organizational pillar, and not something to do in addition to their primary work. This is part of everyone’s mission.

An open data protection standard

Ultimately, though, you need digital mechanisms for keeping sensitive data safe. In light of today’s cyber-crime realities, that requires achieving security at a more fundamental level. Rather than armoring the data center, or the cloud, or the network, or your increasingly remote operations, you need to secure the data itself.

The solution is data encryption, which uses mathematical algorithms to scramble data, replacing plaintext with ciphertext. The data can be decrypted only by an authorized entity that holds the cipher key. Even if cyber criminals steal the data, share or sell it, no one without the key can read it.

The trouble is that most encryption methods aren’t universal. What works for email doesn’t necessarily work for images; what works for raw data doesn’t necessarily work for PDFs. So, traditionally, different users have needed to use different encryption in different contexts – adding cost and slowing operations, collaboration and innovation.

The solution is an innovative open standard, Trusted Data Format (TDF), that allows for a single approach to encrypting many types of data. Developed by experts at the National Security Agency (NSA), TDF is actively used by the U.S. intelligence community and other government organizations. TDF enables fine-grained access control for files and attachments such as emails, business documents, PDFs, photos, videos and more.

Because TDF is an open standard, it’s available for anyone to use. It already underlies encryption solutions for platforms that businesses use every day, including Google Cloud, Google Workspace, Google Drive, Gmail and Microsoft Outlook. And it’s being used by organizations from budget-strapped school systems to successful retailers, healthcare providers, investment firms, utility companies and more.
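To make the model behind these two paragraphs concrete, here is an added illustration (not code from the essay, from Virtru, or from the TDF specification) of a data-centric container: any file type is encrypted under its own key, a cleartext manifest carries the content type and an access policy, and a separate key holder releases the key only to a requester whose attributes satisfy that policy. The `Policy`, `Manifest`, `Container` and `KeyService` types, the attribute names and the sample payload are all constructed for this example; real TDF uses its own manifest schema and key access service, which this does not reproduce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is the access rule that travels with the data: the requester must
// hold every listed attribute. (Constructed for this example, not the TDF schema.)
type Policy struct {
	RequiredAttributes []string `json:"required_attributes"`
}

// Manifest is the cleartext metadata stored beside the ciphertext. The same
// shape is used whether the payload is a PDF, an image or an email body.
type Manifest struct {
	KeyID       string `json:"key_id"`
	ContentType string `json:"content_type"`
	Policy      Policy `json:"policy"`
	Nonce       []byte `json:"nonce"`
}

// Container is the self-describing unit that is stored or shared.
type Container struct {
	Manifest Manifest `json:"manifest"`
	Payload  []byte   `json:"payload"` // AES-256-GCM ciphertext with tag appended
}

// KeyService stands in for the party that holds keys and enforces policy.
// It never sees the data, only key ids and requester attributes.
type KeyService struct{ keys map[string][]byte }

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// satisfies reports whether the requester holds every required attribute.
func satisfies(p Policy, attrs []string) bool {
	have := map[string]bool{}
	for _, a := range attrs {
		have[a] = true
	}
	for _, need := range p.RequiredAttributes {
		if !have[need] {
			return false
		}
	}
	return true
}

// Release hands out the data key only when the manifest's policy is met.
func (ks *KeyService) Release(m Manifest, attrs []string) ([]byte, error) {
	key, ok := ks.keys[m.KeyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	if !satisfies(m.Policy, attrs) {
		return nil, errors.New("access denied: requester does not satisfy policy")
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts any byte payload under a fresh per-object key, registers the
// key with the key service, and binds the manifest to the ciphertext as
// additional authenticated data so the policy cannot be swapped out afterwards.
func Protect(ks *KeyService, plain []byte, contentType string, p Policy) (*Container, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	m := Manifest{KeyID: fmt.Sprintf("key-%d", len(ks.keys)+1), ContentType: contentType, Policy: p, Nonce: nonce}
	aad, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	ks.keys[m.KeyID] = key
	return &Container{Manifest: m, Payload: gcm.Seal(nil, nonce, plain, aad)}, nil
}

// Open obtains the key through the policy check and decrypts. A manifest edited
// to loosen the policy fails GCM authentication even if the key is released.
func Open(ks *KeyService, c *Container, attrs []string) ([]byte, error) {
	key, err := ks.Release(c.Manifest, attrs)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad, err := json.Marshal(c.Manifest)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, c.Manifest.Nonce, c.Payload, aad)
}

func main() {
	ks := NewKeyService()
	policy := Policy{RequiredAttributes: []string{"employee", "finance"}}
	// Constructed sample payload; the content type is just metadata, the encryption is the same for any type.
	c, err := Protect(ks, []byte("sample: Q3 revenue figures"), "application/pdf", policy)
	if err != nil {
		panic(err)
	}
	if pt, err := Open(ks, c, []string{"finance", "employee"}); err == nil {
		fmt.Printf("finance user decrypted %d bytes\n", len(pt))
	}
	if _, err := Open(ks, c, []string{"employee"}); err != nil {
		fmt.Println("non-finance user:", err)
	}
}
```

The design point worth noticing is that the policy lives with the data rather than with the network or the storage location, so the same container can sit in Drive, in a mailbox or on a laptop and the access decision is unchanged; binding the manifest into the authenticated data is what stops someone from simply rewriting the policy on a copy they have stolen.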

Data will continue to grow in importance to your organization. Cyber criminals will always chase the most valuable asset they can gain access to, and for the foreseeable future, the market is red hot for your data. You have to protect your organization’s data, be good stewards of your customers’ data, and ensure the collaboration and enrichment activities that use the data move at the pace of innovation. Fortunately, TDF provides your organization with a simple and comprehensive way to protect, share, and manage your most sensitive data while still respecting the owners of it.

About the essayist: Rob McDonald is executive vice president of Virtru, a global provider of data encryption and digital privacy solutions.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-leveraging-best-practices-and-an-open-standard-to-protect-corporate-data/