Question: How does data literacy enhance data security in the enterprise, and why is it important to enterprise security?
Sam Rehman, SVP and CISO, and Taryn Hess, Ph.D., Principal, Business Consulting, EPAM Systems: The shift to cloud computing is perhaps the most significant tech trend of recent years, with the public cloud computing market expected to be worth more than $800 billion by 2025. From decreasing IT costs to increasing opportunities for innovation, the cloud holds many benefits for companies across every industry. However, many employees are unprepared to securely set up cloud applications or unaware of how poor configuration could affect data security. One of the main reasons why organizations struggle to secure their cloud environments is a companywide lack of data literacy.
In today's marketplace, a data-literate workforce — one that uses data as a company asset in decision-making, evaluates and questions data, knows how to find data, and confidently interacts with data to derive insights and tell a story about it — is critical to business success. In a 2022 survey by the Data Literacy Project, only 11% of respondents were fully confident in their data literacy skills. It is of the utmost importance that businesses engage in efforts to enhance data literacy, which will improve data security.
Data Handling and Classification
Fundamentally, data leaks are a result of insufficient data literacy. These incidents stem from someone not fully understanding the value of a particular data set and mishandling it by either sharing it with people who shouldn't have access or leaving it unprotected and exposed to hackers.
The consequences of misunderstanding and mishandling data can be costly: damage to brand reputation and, should proprietary information be stolen, loss of market share to a competitor. Moreover, if an employee's personally identifiable information (PII), such as their health records or religion, is leaked in a data breach, that person could be in danger.
From a data literacy perspective, everyone within a company should consider themselves a data security ambassador. Indeed, a sufficient understanding of the data an employee uses regularly will empower them to secure it properly. Of course, there are layers to data literacy within a business, as some roles require greater literacy than others — i.e., data scientists and architects compared with legal or HR personnel.
One of the main ways people can increase their data literacy is by learning data labels. In particular, people must be aware of a data set's classification and have adequate knowledge to handle that information accordingly.
Today, commercial businesses leverage data classifications similar to those the government uses, including public, internal, confidential, and restricted levels. Public data is nonsensitive information available to anyone via the company website. Internal data, such as the employee handbook, is reserved for those within the organization. Confidential data, like pricing or marketing materials, must remain limited to select teams. And restricted data, such as trade secrets or PII, is highly sensitive and could be disastrous should it be disclosed.
Data Maturity Assessment and Culture Transformation
Improving data literacy is a multifaceted process. To establish a baseline, brands can conduct a data maturity assessment or map data security competencies (knowledge, skills, and abilities) across every role in a company. Organizations can determine their data maturity by checking what isn't working, be it a lack of communication or misunderstanding from not speaking the same language, such as the same term meaning different things for different departments.
From there, businesses can build growth plans and create opportunities for everyone in the organization to upskill on data security based on their roles. Likewise, a data maturity assessment will reveal whether an organization needs to look outside of itself for talent.
Though the previous methods are critical to improving data literacy, almost 92% of executives rate culture as the greatest barrier, making it the top priority in this area. Shifting a culture to one that embraces data literacy can be tricky; however, by involving the right leaders and stakeholders, companies can ensure alignment across the enterprise.
Once leadership has bought in, organizations can engage everyone with data security through various means, including newsletters, project meetings, town halls, online learning, and workshops. Likewise, it's critical to drive awareness of potential threats, like phishing attacks, data loss, or cloud misconfiguration.
Data Literacy Undergirds All Security Efforts
Although various strategies, such as deploying policy and encryption to protect cloud environments, are necessary to minimize the impacts of data breaches, companywide data literacy undergirds the effectiveness of such methods and must remain a priority. Indeed, data handling and proper attention to the different classifications will empower people to use data safely, driving innovation and business success.