Think about how to prevent data loss like you think about how to prevent a heart attack
Think about data loss prevention like taking care of your health. To prevent yourself from having a heart attack, you eat well and exercise. You sometimes have to choose to spend a little more time and money on eating salad and lean protein, rather than cruising through the McDonald’s drive-through. You go for a walk or a run, rather than sitting on your couch for hours and days on end. You take steps to prevent yourself from having a heart attack and, at the very least, you know those steps will help speed up recovery if they fall short.
Preventing data loss is very similar. You take all the reasonable and necessary precautions you can. That way, you can be confident that just about every breach scenario is covered, whether it’s unintentional or malicious. But, if a data leak does occur, you have the proper tools and procedures in place to make it a little less painful for everyone.
In 2018, the average total cost of a data breach to companies was over $7 million. That breaks down to approximately $148 per record breached. Would your business be able to weather such a cost financially? What projects or investments would you have to give up in order to spend the time, money, and other resources on correcting a major data breach?
Would you rather eat healthy and pay for a gym membership or have to get a double bypass?
No organization is too small or too altruistic to be hacked. Ponemon Institute found that attacks and data breaches on small to mid-sized businesses are increasing, and K-12 schools and districts are also experiencing a significant increase.
Smaller organizations may not have a lot of information in terms of volume, but they’re viewed as easier targets. This is because they don’t have a lot of resources to protect themselves, and because there is a misperception that they’re too small to bother with. Sadly, for many smaller and public organizations, the data breach is the result of an internal bad actor motivated by greed or revenge.
What is Data Loss Prevention?
What is data loss prevention? It is the set of practices which keep sensitive and protected information from getting into the wrong hands.
Many go straight to thinking about data loss prevention tools, but preventing data loss is much broader than that. Preventing data loss should start with addressing internal human error (the most common cause of data leaks!). It requires planning and documented processes from those responsible for managing your organization’s sensitive information (including information regulated and protected by the government).
Then, yes, bringing in a data loss prevention solution helps your information security team manage people’s data-handling behavior, see what risks and/or threats exist in your company’s environment, and quickly patch leaks, mitigate behavior, etc. It’s like a Fitbit for your IT infrastructure!
Causes of Data Loss
As mentioned above, the most common cause of a data leak is improper internal data handling behavior. Often, these incidents are accidental, but they can also be intentional. Either way, a data leak exposes your company’s sensitive information to potential criminals and can easily lead to more problematic data loss.
But your strategy to prevent data loss needs to be as broad as the causes of loss. These are some of the biggest ones:
- Human error. The majority of data losses directly involve someone’s mistake. Employees open sneaky emails. They create easily guessed passwords and don’t guard them well. They log into lookalike websites. They walk away from computers without logging out, where unauthorized people could start using them.
- Inadequate access control. Many organizations give out access too freely. People who only need to read data are allowed to alter it. When too many accounts have access which is too broad, data thieves will grab the chance to compromise an account.
- Physical theft. We live in an increasingly mobile world, but mobile devices are easy to steal. If they aren’t well protected, thieves can pull volumes of valuable data from them.
- Malware. Infected systems send confidential information to criminals until the problem is discovered. The systems keep working normally otherwise, and there’s no obvious sign anything is wrong. Sometimes they keep doing it for months before being caught.
How to Prevent Data Loss
Preventing data loss in your information infrastructure requires taking all of these causes into consideration. Just like taking multiple proper precautions to stay healthy, layering data loss prevention best practices and techniques provides a much better chance of success.
There’s no such thing as absolute safety. But a good strategy will keep out anyone who isn’t both very determined and lucky—and will help your team audit and report on breach incidents and impacts.
- Protect access to computers and mobile devices. Physical access is the simplest way for criminals to steal data. Avoid putting desktop systems where they can easily be stolen, and put proper security measures for mobile devices in place. Train employees to log out when they’re not using them.
- Use firewalls and anti-malware software. Cyber criminals would love to get their code running on your machines so they can steal data from the inside. Use up-to-date security software on all on-premises servers and workstations.
- Encrypt sensitive data. Thieves can’t get any value out of what they can’t decipher. Sensitive information should be encrypted in storage. Protecting it on mobile devices is vital. Everything should be encrypted, if possible, when transmitting it from one place to another.
- Secure cloud applications. Using cloud applications, such as G Suite and Office 365, has many benefits, both financially and in terms of productivity. But cloud applications have unique cybersecurity risks that must be addressed with a cloud security solution.
- Establish regular security training. Again, human error is the biggest cause of data loss. People trained in good security habits don’t make nearly as many mistakes. Follow up training with testing (e.g., sending an internal phishing email to see who falls for it) and make security part of the job ethic.
Data Loss Prevention is a Top Concern
It doesn’t matter if your organization is big or small. Chances are that you’re storing sensitive, personally identifiable information about customers and/or employees that is valuable to cyber criminals. Your company is legally required to secure and protect this data. But it’s also in your best interest from a financial and customer trust standpoint.
Having data loss prevention measures in place keeps your data secure, your business running, and your customers coming back for more. Don’t wait until open-heart surgery is your only option for staying on your feet. As they say, “An ounce of prevention is worth a pound of cure.”