[BreachExchange] A Single Data Breach Can Ruin A Business, And CEOs Can't Ignore Their Responsibilities

Destry Winant destry at riskbasedsecurity.com
Mon Feb 8 10:52:01 EST 2021


https://www.forbes.com/sites/forbestechcouncil/2021/02/05/a-single-data-breach-can-ruin-a-business-and-ceos-cant-ignore-their-responsibilities/?sh=7c8080c76970

Data breaches most often occur due to human error and data
mismanagement. Can you blame IT? No, because many CEOs haven't taken
data threats seriously enough to set the standards.

Turning a blind eye to intelligent data management should end in 2021.

Firms are regularly required to handle endless amounts of data and
manually classify sensitive or private data for compliance purposes.
More concerning with remote work is how easily data can be replicated
and stored on an employee's desktop computer and cellphone, putting
the company at extreme risk of breaches, loss of intellectual property
and massive regulatory fines.

Without more sophisticated data management software using data
intelligence and automation, managers don't have the tools to know
where data is and what has been copied and stored locally. To
compliance experts, you're leaving the company's entire data
compliance policies up to each individual employee — a disaster in the
making.

CEOs Must Ask IT These Three Questions

1. Does your organization know the unstructured vs. structured data
volume and how it is distributed on systems?

2. How much data is dark or redundant, outdated and trivial (ROT) data?

3. How much would the IT spending decrease if primary data could be
reduced by 30%?

A CEO's plausible deniability doesn't count with the laws and agencies
enforcing data compliance. Existing laws allow regulators to make
companies liable for breaches, often costing millions of dollars.
Morgan Stanley was recently fined $60 million by the U.S. Treasury
Department's Office of the Comptroller of the Currency for failure to
secure customer data after decommissioning two data centers. IT did
not handle it well, and C-level executives were not guiding and
controlling.

Data security laws and enforcement are expected to increase in the U.S.
with the passage of the California Privacy Rights Act (CPRA), and much
more is to come all over the world. Here are a few tips on how
companies can get their data act together:

1. Know what data you have. Conduct a data deep-dive. Learn what data
your company is storing, who has access and whether it is secure.

2. Make a plan. Create internal workflows to check where data might be
replicated outside the company's secure data storage infrastructure
and create data policies to prevent future risk.

3. Reduce your data footprint, increase visibility and reduce data
risk. Knowing exactly what data you have and where it's stored allows
data managers to delete — yes, delete — redundant, obsolete and
trivial data. With less overall data, companies have more control over
access and limit the risk of breaches and leaks, reducing compliance
headaches.

The Takeaway

C-level executives must stop delegating the problem and ignoring the
facts: Governments on the local and federal level are in debt,
following data privacy regulations could soon become a key source of
income, and the internet gives access to everything. For example, the
recent SolarWinds hack exposed hundreds of firms to major damage.
Orchestrated security layers and solutions from data-intelligent
software and service vendors can allow you to elevate your protection
shield.

I believe data intelligence and automation must become a key component
of business planning. Not IT planning — business planning.

