Implementing a comprehensive information protection strategy
Why data protection
If data is an organization’s life blood, then more must be done to protect and secure it.
In today’s world, organizations must adapt to an increasingly dynamic business environment—where the market changes on a dime, digital rules all, and flexibility is king. This requires companies to build, strengthen, and secure their digital core so they can innovate, grow, and cater to rapidly evolving customer needs.
An integral part of this has to do with data and collaboration across the organization. Leaders must ensure corporate data and intellectual property aren’t compromised while promoting creative problem-solving and complying with regulations. It’s a tall order, especially as 85% of breaches involved a human component, according to the 2021 Verizon Data Breach Report.
Clearly, there’s a critical need for information protection. So, what’s the way forward? Our policies and technologies must effectively prevent unauthorized access, use, disclosure, disruption, modification, or destruction of information. But it’s not as simple as that.
Although most organizations have information protection measures in place, covering e-mail, file sharing, etc., these often fail in the face of sophisticated cyber attackers. The result: an ongoing trend of data breaches and misuse.
Beware of roadblocks
From blind spots to maintaining that fine balance between control and user liberty, the challenges are many.
The biggest hurdles that organizations face in protecting information include:
Blind spots: Grappling with limited visibility, classification, and protection, and with inadequate coverage of all locations where data is stored or actively used.
Lack of user awareness: Dealing with insufficient user awareness of data protection policies and classification levels. This causes confusion, inadvertent data exposure, and potential breaches.
Improper data classification: Defining the right taxonomy is critical for accurately implementing data classification. It also determines the appropriate protection levels needed to meet regulatory compliance requirements and internal security standards.
Stringent control versus user liberty: Striking a delicate balance between restrictive data protection controls and allowing individuals to explore and innovate with data is tough.
Protection of externally shared data: Struggling to apply the right levels of protection while sharing data during collaborative processes.
Multiple toolsets: Relying on multiple solutions can prevent a comprehensive, end-to-end view of data. It requires stitching together information from different solutions—a time-consuming and error-prone task.
Here are a few steps leaders can take to ensure their information is safe and secure, and that all the required controls are in place even as they give their people the freedom to use that information to innovate.
Securing your data
Protecting the entire information life cycle is key.
Data and documents typically go through the following stages, and it’s critical that the information is secured every step of the way:
Creation: Label and apply policies based on the purpose, sensitivity, and data criticality when information is first created.
Storage: Ensure structured or unstructured information, stored in multiple locations, is discoverable, properly labelled, and has enforceable data loss prevention (DLP) policies.
Sharing: Apply the appropriate sensitivity labels and DLP policies with the right level of protection to ensure safe data sharing—both inside and outside the organization.
Maintenance: Ensure that there is restricted access to sensitive information. Additionally, only authorized users should be able to make modifications.
Archival/destruction: Define processes that follow organizational policies and regulatory requirements around how to properly retire or destroy data.
A strategic approach
Organizations should have a comprehensive enterprise data protection strategy spanning the entire data life cycle.
We recommend a comprehensive strategy that focuses on the following:
Ensure enterprise IT and security teams can quickly and efficiently locate data across platforms, on-premises and in the cloud, and from various vendors and sources.
Embrace a single comprehensive tool with built-in intelligence that improves information protection while ensuring end-to-end visibility and protection, centralized monitoring, and rapid remediation.
Make sure users are proactively educated on data classification, policies, and correct usage.
Define accurate taxonomy to ensure protection based on data sensitivity and criticality.
Roll out less restrictive policies at the beginning. More stringent protection based on data sensitivity is effective once information protection becomes an integral process.
User awareness and the pace of information protection implementation are critical factors. So are monitoring activity and feedback to understand recurring issues. Once you have laid the foundation and taken the first steps to protecting your data, you can gradually bring in more stringent controls.