With the rising tide of data protection regulations and the continuous onslaught of malicious attacks that have swept the globe, data protection has become a mandatory part of every company’s security strategy. But as organizations struggle to come to terms with complex compliance requirements and new threats, they often overlook some key and, in hindsight, obvious blind spots in their data protection policies.
In today’s increasingly digitized business environment, most data is collected and processed in an electronic format on endpoints connected to the internet, two things that, while making the use of data easy and flexible, also open it up to loss or theft. It is a company’s duty – and, as of late, its legal obligation – to ensure that any sensitive data it collects is protected. Failure to do so can have catastrophic consequences: public embarrassment, loss of customer trust and, thanks to the enforcement of strict new data protection regulations, heavy fines.
It is therefore important for companies to build effective data protection strategies that cover all the bases. Oftentimes, though, security strategies focus so much on the threat of cyberattacks that they overlook more mundane, but just as dangerous, threats to data security. Let’s see what the most prevalent mistakes are!
1. Keeping it basic
The first thing any how-to guide to security will tell you is that you need to keep operating systems up to date and install firewalls and antivirus solutions. Going one step further, some will suggest antimalware software as well. These, however, while an indispensable part of any security strategy, are the most basic measures a company can take to protect its network and the sensitive data stored on it.
Many times, headline-grabbing data breaches are the result of malicious outsiders, but only some of these cyberattacks are carried out using brute force and what are now considered conventional hacking methods. Many of them happen because of weak password practices or gullible employees who fall victim to social engineering.
It is therefore essential for companies to both educate their employees and put additional safeguards in place to mitigate potential outside interference in the workplace.
2. Forgetting about human error
A company’s employees are often its weakest link and not only when it comes to outside threats. This is perhaps the biggest mistake companies make when they develop their data protection strategies: they don’t take into consideration human error and the havoc it can wreak.
Employees can be negligent in the way they handle sensitive data, whether in its transfer, storage or use. They can accidentally email important data to the wrong recipient or hit reply all on a long email chain that includes outsiders. They can post something publicly, leave their computer unlocked where others can tamper with it or forget altogether about sensitive data they at one point stored on their computers.
And while in some cases these can be minor errors with no consequences, other times they can cause significant problems. For example, storing sensitive data after it is no longer needed, after consent for its use has been revoked or after its deletion has been requested is a direct violation of regulations such as the GDPR or CCPA.
This is why it’s important that organizations also adopt Data Loss Prevention (DLP) solutions that focus on the protection of specific data rather than the overall system, making it easier for them to control its transfer and use.
3. Disregarding shadow IT
Another consequence of an overly eager workforce is shadow IT, the use of unauthorized applications and IT services in the workplace. Whether aware of it or not, most companies suffer from shadow IT. From popular messaging apps to collaboration spaces in the cloud, employees eagerly adopt new tools that help them perform their tasks faster and more efficiently, oftentimes neglecting or, in some cases, consciously circumventing data protection measures. As a remedy, many companies block the installation of new programs on endpoints or the use of specific websites deemed insecure, but many times they fail to catch them all.
The reason for the proliferation of shadow IT is fairly simple: employees prefer to ignore data protection measures if there are tools available that will lighten their workload. This, of course, can have disastrous unintended consequences: sensitive data can be stolen by third parties, made public or fall into the hands of unauthorized individuals, all major breaches of data protection regulations.
Unfortunately, because of the prevalence of internet-based services, completely getting rid of shadow IT is a daunting task, which is why it’s easier for companies to simply adopt tools that directly protect sensitive data, rather than trying to guess the many tools their employees might be using behind their backs.
4. Ignoring data on the move
Today’s working environment is more flexible than ever. Portable computers allow employees to work from home or while on business trips, making it easy for them to perform their duties or deal with emergency situations regardless of where they are. However, it also means that endpoints and all the data they contain are taken outside the security of company networks, making them vulnerable not only to physical theft, but also to insecure internet connections and tampering.
Companies sometimes focus all their attention on securing company networks and either completely disregard the threat posed by data on the move or enforce policies, such as hardware encryption and VPNs, that focus on outside threats. DLP protection on the endpoint can help organizations secure sensitive data even when their employees are on the move.
5. Not making the most of security solutions
Good security represents an investment for every company, which is why companies should make the most of what it has to offer. Unfortunately, that is not always the case. When it comes to DLP solutions, for example, organizations that implement them company-wide sometimes fail to use their full capabilities. They do not define sensitive data clearly, or they misconfigure levels of authorization and exceptions, making it hard for DLP tools to be as effective as they can be.
Luckily, some DLP solutions do come with predefined policies for the most common types of sensitive data, such as personally identifiable information (PII) or data protected under particular data protection regulations. Most companies, however, also have their own sector-specific sensitive data, which DLP tools can help them protect only if it is properly defined through customizable policies.
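To make the last point concrete, the following is an added example (not code from the original article or from any particular DLP product) of what "defining sensitive data clearly" and "configuring exceptions" look like in policy terms. It contrasts a loosely defined card-number rule (any 16-digit run) with a precise one (card-number shape plus a Luhn checksum), and adds an email rule with an exception for a constructed internal domain, corp.example. The sample messages are constructed for the example and contain only well-known test values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Rule:
    """One content-inspection rule of a DLP policy."""
    name: str
    pattern: re.Pattern
    # Optional semantic check run on the normalized match (digits only).
    validator: Optional[Callable[[str], bool]] = None
    # Optional exception: matches for which the predicate is true are not reported.
    exception: Optional[Callable[[str], bool]] = None

    def matches(self, text: str) -> list[str]:
        hits = []
        for m in self.pattern.finditer(text):
            value = m.group(0)
            normalized = re.sub(r"[ -]", "", value)
            if self.validator and not self.validator(normalized):
                continue                       # looks like the pattern but fails the check
            if self.exception and self.exception(value):
                continue                       # explicitly allowed by policy
            hits.append(value)
        return hits


def scan(text: str, rules: list[Rule]) -> dict[str, list[str]]:
    """Return {rule name: [matched values]} for every rule that fired on the text."""
    return {r.name: hits for r in rules if (hits := r.matches(text))}


# Loosely defined policy: any 16-digit run counts as a card number (false positives).
LOOSE_RULES = [
    Rule("card", re.compile(r"\b\d{16}\b")),
]

# Clearly defined policy: card shape + Luhn check, plus an email rule whose
# exception covers the constructed internal domain corp.example (an assumption).
TIGHT_RULES = [
    Rule("card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), validator=luhn_valid),
    Rule("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
         exception=lambda addr: addr.lower().endswith("@corp.example")),
]

# Constructed sample messages an endpoint agent might inspect before an upload or send.
SAMPLES = [
    "Invoice 2024-0031 total 1234.56 EUR, card ref 4111111111111111",  # Luhn-valid test number
    "Ticket number 1234567890123456 opened by support",                # 16 digits, not a card
    "Customer contact: jane.doe@example.com",
    "Forwarded to it@corp.example for review",                         # internal, excepted
    "Meeting notes, nothing sensitive here",
]


if __name__ == "__main__":
    for text in SAMPLES:
        print(f"{text!r}\n  loose: {scan(text, LOOSE_RULES)}\n  tight: {scan(text, TIGHT_RULES)}")
```

Under the loose policy the support ticket number is flagged as a card number, which is exactly the kind of noise that leads administrators to widen exceptions until the tool stops catching real leaks; the tight policy reports the genuine test card number and the external address while staying silent on the ticket and on internal mail.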