[BreachExchange] In-House Advice for Tackling Data Security Risks

[Audrey McNeil]

http://www.securityinfowatch.com/article/12337851/in-house-
advice-for-tackling-data-security-risks

Organizations are increasingly challenged to support the modern workplace
environment – mobile phones, remote employees, cloud collaboration sites,
social media, IM platforms and chatrooms – while keeping this data secure
and easily retrievable for legal or regulatory needs. In response, counsel
has become more involved in driving information governance initiatives and
providing guidance on how to address data security challenges in the
context of strong legal and compliance standards. They are beginning to
consider how to create an information governance framework that protects
data while staying adaptive to the rapidly evolving business landscape.

In a recent study into the security practices of Fortune 1000 companies,
dozens of information security, risk, legal, IT and compliance executives
were asked for their advice on tackling these challenges. Seven key themes
emerged among the respondents, providing an insightful glimpse into how
today’s most sophisticated in-house teams are navigating anti-fraud, data
privacy, regulatory compliance, information governance and other risk
management activities. Their recommendations included the following.

1)     Start with a Data Assessment: For many, the process of beginning an
information governance program can be daunting. Figuring out where to
begin, who should be involved, how to secure executive buy-in and how to
keep momentum moving in the right direction can be overwhelming, and
inhibit a team’s ability to get the project off the ground. To help answer
these questions and focus the project, a third of the study’s respondents
recommended starting with a data assessment. Experts pointed out that it is
important to recognize that it is impossible to boil the ocean, and
therefore teams need to figure out a clear roadmap with incremental steps
that will enable prioritization of efforts and progress toward broader
goals.

 2)     Engage Internal and External Experts: Because of the risks
involved, data security is now an enterprise-wide endeavor and not just the
concern of IT or information security teams. External data breach threats
are rapidly evolving, and recent research from Forrester indicates that 35
percent of data breaches are caused (accidentally or intentionally) by
internal employees. To help offset this, most study respondents recommended
recruiting expert analysis to determine weaknesses and gaps, given that it
can be difficult to do that internally. Subject matter experts can ensure
programs are up-to-date and internal leaders can aid in company adoption of
best practices.

3)     Prioritize Data Remediation: Across the board, respondents expressed
frustration at runaway data volumes, with over 90 percent saying they do
not know how much data they are managing. Keeping redundant, outdated or
trivial (ROT) information can make it harder to find and protect the truly
sensitive information under the company’s care. Respondents recommend
creating or updating an organizational data map, especially as part of the
initial assessment, and using data remediation to regularly cull out
unimportant information. Less data means lower storage costs and the
ability to focus on protective sensitive information.

 4)     Prepare for GDPR: The impending General Data Protection Regulation
(GDPR) regulation that goes into effect in May of 2018 is top of mind for
respondents with employees, customers or partners within Europe. This law
will harmonize collective European data privacy laws to ensure that data
transferred from Europe to the U.S. is appropriately handled and that
personally identifiable information (PII) remains secure. Respondents
recommended conducting an analysis of the law to understand how it will
impact current processes and systems. Some suggested the development of a
cross-functional task force that works with outside counsel to evaluate the
different options. Obtaining an understanding of and acting in compliance
with GDPR from the outset can help avoid costly reactive efforts and
reputational risk.

5)     Use Migration to Microsoft Office 365 as an Opportunity: According
to a recent Gartner survey, 54 percent of organizations will move to Office
365 in the next 1-3 years. The migration from one archive to another
provides an opportunity for an organization to take stock of its email and
data management practices and potentially update policies and remediate
data for greater efficiency and security. Cloud solutions have created new
information governance concerns, including expanded individual storage and
retention challenges, but there is also better ability to search and manage
the data, which is an advantage. From legal holds to data retention and
security policies, respondents in the process of migrating agreed that it
provides an opportunity to make additional process and policy improvements.

6)     Right-Size Your Solutions: Some organizations have faced major data
breaches, regulatory investigations or large-scale litigation that warrants
a complete audit and update of existing processes and technology. Other
organizations may not have the same pressures, budget or appetite to make
anything other than small changes to key processes. Study respondents
repeatedly stressed the importance of fine-tuning any information
governance and data security program to the particular needs of the
organization. Knowing the company culture helps with figuring out how to
make compliance a value-added part of employee activities, which will
improve overall adoption and long-term enforcement.

7)     Take a Multi-Faceted Approach: Given the complexities of the
corporate data environment, there isn’t a silver bullet technology, process
or executive that can solve the immense problem of keeping data secure.
That said, a broad range of actions are recommended to ensure that an
organization’s people, processes, and technology are all working in
alignment to address various internal and external threats. The adage
“hackers only need to get it right once, whereas organizations have to get
it right every time” is true, but implementing the right programs can help
ensure better security. This includes regular employee training, using
outside third parties to test the system, creating a tiered architecture to
better secure sensitive information, and developing a data breach response
plan.

Any of the practical approaches suggested by the study participants can
better position corporations in securing their most sensitive data.
Although there is no one-size-fits-all solution to preventing data breaches
or ensuring regulatory compliance, these actionable recommendations provide
some important steps in the right direction.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170615/01a907c5/attachment.html>