“Data is the new oil” is a phrase you may have heard bandied around in recent times. In our increasingly connected lives both at home and work, and with the rise of Artificial Intelligence and automation, data is everywhere and data security is integral to the successful functioning of many parts of businesses. Where there is data, there is a need for Cyber Security.
It could be easy to lose sight of the reality that the field of Data Protection is not just about consent and website cookies! There are many aspects to data protection, whether it be protecting your own business data or that of your employees, customers, clients or patients. The need to place significant value on data is very real.
Most businesses are run on data. The value of data is often underestimated or not really even considered until you either don’t have it when you need it, it’s wrong, or someone has it who shouldn’t. When one of those things is true, it tends to focus the mind pretty quickly on its value.
In most cases, if one of these things occurs in a business, it costs you money. If you don’t have data that you need to provide services to your customers, you lose trust and possibly sales (think Garmin!). If data is wrong, you may well make the wrong business decisions. If your intellectual property finds its way to a competitor – you get the picture.
As most data nowadays is captured, processed, stored and exchanged electronically, the issues described above are most often the direct result of some kind of data security incident and represent what is commonly referred to as a “data breach”. A data breach can be broadly described as a compromise of either the Confidentiality, Integrity or Availability of data. This can come about in a number of ways such as ransomware, business email compromise and many others.
Most companies are aware of and have thought about these types of potential issues and at least put some basic protections such as antivirus in place. Some have done more, maybe putting more sophisticated technology in place, or even considering other aspects of data security like policies, processes and training. But sometimes, I’d venture quite often in fact, they might be investing in the wrong areas, for two main reasons.
Firstly, the focus is often on protecting systems, rather than data. We clearly need to protect systems, but for most organisations the very reason we protect systems is to protect the data they store and process. Secondly, many businesses don’t yet fully appreciate the value of their data and either don’t do enough to protect it, or apply the same level of protection to everything, sometimes over-investing.
The value of data varies, and is different for different people, and in different contexts. It’s not until you really consider and understand the data you have, its value, and the impact of its compromise, that you can make good, informed decisions about your data security.
If you’re evaluating, or re-evaluating your security, start with data. Ask yourself and your team some key questions:
- What data do you have?
- Why do you have it?
- How do you use it?
- How reliant are your business processes on it?
- What are the implications to your business if you don’t have it, someone has it who shouldn’t, or it’s altered?
For the last point, try to put some tangible metrics around this question if you can. For example, how long could your business survive without customer data? How much might it cost in fines, refunds, lost revenue if confidential data was made public?
We appreciate this isn’t always easy, but it’s important to do what you can. Just the action of going through this process gives you a better appreciation of the value of your data and will give you a starting point for where to focus your data security efforts.
Organisations should also not assume that their data is safe and secure once the systems and processes are as tight as they can be, as the human element presents an ongoing risk and challenge which has to be addressed regularly. The best way to approach this is to embed regular training sessions and workshops for staff at all levels. Showing that you are making investments in protecting your business and educating your staff sends a powerful message both internally and out to your customers and potential customers too. It is also important to understand that putting your data in cloud environments does not make it inherently more secure; ignoring this reality could create additional risks to data security.
With an informed and engaged workforce you have an additional line of defence in place, and this should always, in our opinion, be further bolstered by putting in place an Incident Response Plan developed with experienced security professionals. All organisations should have such a plan in place to ensure that in the face of a data breach or cyber-attack the right people know what to do to mitigate the impact and get operations back to where they need to be as soon as possible. Also, following this approach will increase the likelihood that you will recover the data you most need to continue operating as you were before an attack.
As an article published by LinkedIn recently commented when talking about the essential nature of a Cyber Security strategy for businesses: “it’s a tool for survival. If companies don’t invest in cybersecurity training, technology, and best practices, they open themselves up to unpredictable attacks that can carry staggering costs.” We couldn’t agree more!