Data is everywhere. We store it in our internal business systems and in the cloud. We collect it from our clients and share our data with business partners. Leaders need data, value it, and are able to amass it. We carry data with us and leave a digital footprint every day. Technology providers help us store it forever and share it globally. In the data breach era, leaders face greater risk if they fail to protect data throughout its lifecycle.
As data breach consequences grow, leaders must understand their data security risk. Companies face increased scrutiny from regulators, litigants, business partners, and their customers, so leaders must make timely data security decisions. A data security strategy helps leaders make risk-informed decisions before their actions are reviewed after a breach. To form your strategy, you must first understand your environment by asking the right questions.
1. How Do We Create, Modify, and Collect Data?
Businesses generate large amounts of data from various sources. What are your key data sources and what security controls allow you to trust them? Are controls implemented to ensure only authorized changes are made by authorized employees? As the lifeblood of most operations, understanding data flows, security controls, and dependencies allows a leader to assess risk and the impact if trusted data sources are unavailable or compromised.
2. Where Do We Store Our Data?
Armed with a credit card, time, and opportunity, employees can place data anywhere in the world. Do you own or control the locations that store your sensitive data? Are you allowed to keep your data onshore and offshore? Cloud services offer leaders cost-effective solutions, but careful planning is needed because leaders remain accountable to protect data regardless of its location.
3. How Do We Use Our Data?
Leaders demand timely and accurate data to make informed decisions. Do you understand the critical data sources that support your business processes? Are you confident in the controls that protect the confidentiality, integrity, and availability of the data? Active leadership of business continuity, disaster recovery, and crisis management programs is essential to ensure critical data and services remain available. Understanding how your business uses data will help you assess business impact if key data sources are unavailable, lost, or compromised.
4. How Do We Share Data?
The opportunity to share data globally is unprecedented. Data loss prevention is necessary to ensure your most sensitive data remains in your control. For example, do employees use file sharing services to exchange data? Do you inspect outgoing email for sensitive data? Understanding how, why, when, and where data transfers occur and who is authorized to transmit sensitive data is key to understanding this risk. Sharing data through authorized channels for authorized purposes without severely impacting operations requires careful planning.
5. How and When Do We Archive Data?
Archiving data to long-term storage may help mitigate your risk and lower storage costs. While retaining data to meet business needs is necessary, leaders should make such decisions strategically. Removing data from active use to secure long-term storage may lower your exposure if your primary data set is breached. For example, archiving records for closed accounts after one year helps counter internal and external threats. Implementing a data retention policy empowers your employees to help lower this risk.
6. How and When Do We Destroy Data and Media?
Destroying data and media securely and implementing a data retention policy are necessary to prevent data loss. Internal policies should require secure disposal, clearing, purging, and destroying of all media. For example, organizations should sanitize electronic media before reuse or physically destroy it, and shred hard copy media when it is no longer required. Storing sensitive data without a business need unnecessarily increases your risk, exposure, and liability. In fact, regulators¹ are focusing on retention and destruction of non-public information.
7. Who Has Access to Our Data and How Can They Access It?
Who has access to your data, how they can access the data, and with what level of permissions are key questions. Leaders should provide only the minimum access to data that is necessary for the business need. For example, if all employees can access your most sensitive client data from their personal devices, you are likely not enforcing least privilege. Finally, understanding how access is approved, granted, revoked, and reviewed is necessary to address this risk.
The decisions you make to adequately protect your data will likely determine the long-term success of your business. In some cases, data breaches are existential threats to a business. If data is your article of trade, it is likely your Achilles’ heel. Asking the right questions about your data security and making security decisions will help you demonstrate you took reasonable action to protect your data. Managing data throughout its lifecycle requires active leadership involvement and accountability at all levels.
New York Department of Financial Services (23 NYCRR 500): “… Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information … that is no longer necessary for business operations or for other legitimate business purposes....” (See: https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf)
National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law (proposed version 6): “A Licensee’s Information Security Program shall be designed to: … Define and periodically reevaluate a schedule for retention of Nonpublic Information and a mechanism for its destruction when no longer needed.” (See: http://www.naic.org/documents/cmte_ex_cswg_final_model_law_v6_clean.pdf)