Data Protection Executive Summary
No decision maker wants to be profiled in major media as being asleep at the wheel while a massive data breach, ransomware attack, or malicious insider incident unfolds at their organization. Careers rise and fall on a decision maker’s ability to deftly guide an organization through the stormy seas of cyber threats, vulnerabilities, and security incidents, as does the reputation of the organization itself. Protecting data to ensure appropriate usage and avoid unauthorized or inappropriate usage is a major task for decision makers with responsibility for protecting the integrity of corporate data assets.
KEY TAKEAWAYS
- The term “data protection” encompasses a range of offensive and defensive plays to ensure that data is used by the right person for the right task at the right time – and nothing else. The growing number and variety of cyber threats and attacks makes this challenging to achieve.
- Organizations have been and are being impacted by cyber incidents including phishing attacks, ransomware (newly combined with data exfiltration), zero-day malware threats, misconfiguration of cloud services enabling massive data breaches, and account takeovers. Targeted attacks are especially pernicious and challenging to detect. Figure 1 illustrates just how serious this problem has become.
- Employees are a frequent cause of data loss for organizations. So-called insider threats include inadvertent data loss from mistakes and negligence, as well as malicious data loss by disaffected employees undertaken due to a range of motivations. For organizations paying attention, however, the signs of upcoming data protection issues can be seen in advance.
- A growing panoply of privacy regulations around the world is contributing to the drive for heightened data protection approaches. GDPR, CCPA, HIPAA, PCI-DSS and others impose requirements on how personal and sensitive data is handled by organizations, and the principle of extra-territoriality redraws the lines of jurisdictional applicability.
- Shadow IT services, the use of personal devices, the adoption of a “cloud-first” or “cloud-only” strategy, and merger and acquisition activity, among others, represent a collection of other threats to data protection. Decision makers must evaluate the relevance and magnitude of these threats and develop appropriate counter-measures.
- Addressing the data protection challenge requires proactivity by decision makers. Engage the board, conduct a thorough audit across the organization, implement best practices, and use training and technology to strengthen defenses, elevate protections, and mitigate the major data protection risks facing your organization.
This white paper has been prepared by Osterman Research and looks at offensive and defensive plays that can be used to mitigate an organization's risk from attack.