Several recent high-profile instances of data loss serve as cautionary tales for organizations handling sensitive data — including a recent case where the personal data of nearly half a million Japanese citizens was put in a compromising position when the USB drive on which it was stored was mislaid.
Regardless of industry, all businesses handle sensitive data — whether it's storing HR or payroll files that include bank information and Social Security numbers or securely logging payment details. As such, enterprises of all sizes should have a data loss prevention (DLP) strategy in place that encompasses the entire organization. Organizations should update their DLP strategy frequently, to account not only for the evolution of how we store, manage, and move data, but also for advancements in cybercrime.
Some enterprises have added information security professionals to focus exclusively on DLP, but the entire cybersecurity team should share in the responsibility to protect sensitive data. A strong DLP strategy protects customers and maintains the integrity of data operations. Here are some best practices to guide organizations as they work to deploy a new DLP strategy or improve an existing one:
1. Know What Data Is Sensitive
It may be tempting for organizations to apply a universal standard for data security across their business, but putting guardrails up for all information and every process can be an expensive and onerous task. By reviewing the different types of data employees work with and have access to, leaders can determine what data qualifies as sensitive and tailor their organization's strategies to protect the data that matters most. When leaders become familiar with the flow of their organization's data, it allows them to identify the people and departments that need to emphasize cybersecurity measures the most.
2. Backup, Backup, Backup
An ounce of prevention is worth a pound of cure — and when dealing with sensitive data, it may even be worth millions should an organization's data be held for ransom or result in a costly loss of IP. Once businesses have identified the specific types of data deemed sensitive, employees should back it up in multiple places, all under secure protocols. Backups protect against damage from corrupted files and accidental deletion, and they make the company less vulnerable to extortionists who may try to hold data for ransom. Backups on air-gapped storage devices or servers are the most secure as they are physically separated from the Internet and can be properly secured.
3. Empower Your People
Even the most secure data loss prevention strategy can be foiled by a successful phishing attempt or a password written in plain text. Uninformed employees can fall prey to the latest scam or social engineering, unwittingly exposing their organization's data to bad actors. When leaders empower all levels and people in their organization to be an active part of security efforts, it safeguards against data loss and theft. It's critical to provide consistent training about cybersecurity risks so that employees — from the CIO to the newest intern — are aware of the newest threats to data.
4. Consider the Whole Data Journey
Even when an organization invests to create a highly secure data infrastructure, whenever sensitive data leaves that environment, those protections can unravel. For businesses using a cloud storage solution, sensitive data can be vulnerable as soon as employees use unsecured public Wi-Fi. A robust data security approach should account for all the ways employees share sensitive data, inside and outside of established platforms.
5. Have a Rapid Response Plan
Following data protection best practices can make breaches, hacks, and data loss less likely. However, there's always the possibility that they may happen, so you have to have a plan in place if something does go wrong. By having a plan in place, leaders can act swiftly to mitigate damage. The specifics of each rapid response plan depend on the nature of the data that has been compromised, but a plan may involve starting a data recovery process, remotely revoking access to shared storage solutions, promptly notifying employees or customers of a vulnerability, or alerting the proper authorities or customers that a data breach has occurred. It is important to already have a rapid response team in place to quickly conduct forensics, determine what data may have been compromised, follow laws and regulations about notifications, and also direct the proper resources to ensure the correction of any identified cybersecurity vulnerability.
These best practices provide a strong baseline for how to implement a new DLP plan, and can make existing strategies more resilient and effective. While the specific protocols in a DLP plan should be designed to fit organizations' individual needs, they should always drive toward the same goal: preventing data breaches and maintaining personal and professional privacy.