Data is both blessing and curse to the modern enterprise. Yes, when analyzed effectively it can surface intelligence to improve decision making, customer engagement, process efficiency and, ultimately, drive revenue. But it also represents a major business risk. It can be stolen, corrupted, and held to ransom—causing potentially significant damage to the organization in the process. That’s why most regulators urge data minimization as a core best practice.
Data security is therefore a critically important function for any enterprise IT team. But go too far, and they could do more harm than good. To calculate where your organization’s key challenges are in this area, it pays to look at the issue from both sides.
What should set alarm bells ringing for IT
The clearest indication that an organization has a data security problem is a high number of phishing attacks, credential abuse, and vulnerability exploitation attempts. These are the top three initial access vectors for data breaches, according to Verizon.
When it comes to credential abuse and social engineering in particular, it can sometimes be difficult even to know if or when unauthorized actors have accessed corporate data. That’s because they are essentially masquerading as a legitimate user. This is where network monitoring comes in. If it flags unusual activity such as large data transfers or connections to unfamiliar external IP addresses, it could mean the perimeter has been breached.
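The two monitoring signals named above, large outbound transfers and connections to external addresses not on a known-good list, can be expressed as a small check over flow records. The following is an added example, not code from the original post or from comforte; the internal ranges, the allow-listed SaaS range, the 1 GB threshold and the flow log lines are all constructed assumptions. It also sums outbound bytes per internal source, so slow exfiltration spread over many small flows is visible as well as one large transfer.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 space is "internal"; adjust to the organization's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allow-list of sanctioned external destinations (e.g. a SaaS provider's range).
KNOWN_EXTERNAL_NETS = [ipaddress.ip_network("52.96.0.0/12")]
# Flag any single outbound flow of 1 GB or more (constructed threshold; tune per environment).
LARGE_TRANSFER_BYTES = 1_000_000_000

# Constructed sample flow log, "timestamp,src,dst,bytes_out" per line; not real traffic.
# Destination addresses use the documentation range 203.0.113.0/24 as stand-ins for the public internet.
SAMPLE_FLOW_LOG = """\
2024-05-01T09:02:11Z,10.0.4.12,10.0.1.5,48000
2024-05-01T09:05:40Z,10.0.4.12,52.96.0.10,210000
2024-05-01T23:14:03Z,10.0.4.12,203.0.113.77,3500000000
2024-05-01T23:15:10Z,10.0.7.3,203.0.113.9,12000
"""


def parse_flow_log(text):
    """Parse the comma-separated flow format above into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "bytes_out": int(nbytes)})
    return flows


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def classify_flow(flow):
    """Return the list of reasons a single flow is suspicious (empty list means benign)."""
    reasons = []
    dst = ipaddress.ip_address(flow["dst"])
    external = not _in_any(dst, INTERNAL_NETS)
    if external and not _in_any(dst, KNOWN_EXTERNAL_NETS):
        reasons.append("unfamiliar external destination")
    if flow["bytes_out"] >= LARGE_TRANSFER_BYTES:
        reasons.append("large outbound transfer")
    return reasons


def flag_suspicious_flows(flows):
    """Return the flows that triggered at least one reason, with the reasons attached."""
    alerts = []
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            alerts.append({**flow, "reasons": reasons})
    return alerts


def outbound_bytes_per_source(flows):
    """Total bytes each internal source sent to external destinations, for spotting slow exfiltration."""
    totals = defaultdict(int)
    for flow in flows:
        if not _in_any(ipaddress.ip_address(flow["dst"]), INTERNAL_NETS):
            totals[flow["src"]] += flow["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    for alert in flag_suspicious_flows(flows):
        print(alert["ts"], alert["src"], "->", alert["dst"], "; ".join(alert["reasons"]))
    print(outbound_bytes_per_source(flows))
```

On the sample log, the 3.5 GB transfer at 23:14 is flagged for both reasons and the small flow to the second unknown address is flagged for its destination alone; the per-source totals show the same host responsible for almost all external traffic. A real deployment would feed this from NetFlow or firewall logs and maintain the allow-list from an inventory of approved services rather than a hard-coded constant.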
However, other signs an organization may be exposed to data security risk could be harder to spot. That’s because they signify not a breach per se, but the conditions for one to occur in the future. Consider red flags such as:
- Lack of a clear data security policy. This isn’t as rare as it sounds. A recent UK government report found that 30% of large businesses do not have a formal cybersecurity strategy in place at all.
- Legacy/unsupported systems, which no longer receive security updates from the vendor, exposing them to new exploits
- A lack of regular security audits and vulnerability scans, meaning risks go unremediated
- Poor identity and access management (IAM), including excessive privileges, lack of continuous monitoring, and inconsistent access controls. This can expose the organization to insider breaches and make it easier for unauthorized individuals to access sensitive data
- Slow incident response, which may allow threat actors to do more damage
- Inadequate employee awareness training, which can increase the chances of successful phishing attacks or accidental data leaks
- A lack of data security controls, such as encryption or tokenization.
The view from the business
However, for IT security to be effective, it must be managed in the context of the business. To that end, organizations need to carefully consider their risk appetite and data access requirements before deciding on security policy. Some signs of misalignment between security and business goals include:
- Access requests being denied to legitimate users, due to overly stringent security controls and compliance policies
- Lengthy approval processes for access to specific data due to IT bottlenecks
Both of these can work against the business, harming productivity, innovation and operational efficiency. While hard to quantify, the cost of this damage to business growth and reputation may theoretically be greater than that caused by a data breach.
A balancing act
The bottom line is that organizations need effective data security programs to build customer trust, support digital transformation projects, and potentially even enable expansion into new markets. But this shouldn’t come at the expense of employee productivity and business growth.
Technologies like tokenization are well suited to helping organizations strike the right balance. That’s because they replace sensitive data elements with unique tokens that preserve the underlying data’s analytical value and utility. It means end users can still generate business-critical insight from data analytics tools, safe in the knowledge that if hackers access the tokenized data, they will have nothing of value to use.
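To make the "preserves analytical value" claim concrete, here is an added example of vault-based tokenization; it is not comforte's product code or the original post's, and the in-memory vault, the card numbers and the transaction records are constructed assumptions. A token keeps the length, digit format and last four characters of the value, is generated randomly (so it has no mathematical relationship to the original, unlike a hash), and is stable for repeated inputs, so grouping and joins over the tokenized data give the same answers as over the raw data while detokenization needs access to the vault.

```python
import secrets
import string
from collections import defaultdict


class TokenVault:
    """Hypothetical in-memory tokenization vault (constructed example).
    A production vault lives in a separately secured, access-controlled store;
    this one exists only to show the token/value mapping behaviour."""

    def __init__(self, keep_last=4):
        self.keep_last = keep_last
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        # Deterministic: the same input always maps to the same token, which is
        # what keeps counts, group-bys and joins on the tokenized data meaningful.
        if value in self._to_token:
            return self._to_token[value]
        random_len = len(value) - self.keep_last
        while True:
            # Random digits preserve the format of the field; the tail is kept
            # so staff can still recognise "card ending 1111" in support workflows.
            prefix = "".join(secrets.choice(string.digits) for _ in range(random_len))
            token = prefix + value[-self.keep_last:]
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        # Only a caller with vault access can recover the original value.
        return self._to_value[token]


# Constructed sample transactions: (card number, amount). Test numbers, not real cards.
SAMPLE_TRANSACTIONS = [
    ("4111111111111111", 20.0),
    ("5500000000000004", 15.5),
    ("4111111111111111", 5.0),
]


def tokenize_records(records, vault):
    """Replace the sensitive field in each record with its token; amounts are left as-is."""
    return [(vault.tokenize(card), amount) for card, amount in records]


def spend_per_customer(records):
    """Analytics that works identically on raw or tokenized records: total amount per card/token."""
    totals = defaultdict(float)
    for key, amount in records:
        totals[key] += amount
    return dict(totals)


if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize_records(SAMPLE_TRANSACTIONS, vault)
    print(safe)                      # analysts see only tokens
    print(spend_per_customer(safe))  # same totals as on the raw data
```

The analytics function never touches the vault, which is the point: the data set handed to reporting tools carries no card numbers, yet per-customer totals, repeat-customer counts and similar queries still work. Note that a purely random token may by chance pass a Luhn check; commercial tokenization products typically use format-preserving encryption or deliberately generate tokens that fail such checks, which this illustration does not attempt.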
The balance between security and business requirements will be different for every organization. But the first step is understanding whether there’s a problem or not.
comforte is offering your business a 30-day free trial of comforte Data Discovery and Classification, which features a new SaaS console manager. During the period, you’ll get a close-up look at how the product works in situ, and obtain a detailed understanding of where security and compliance risk exists across the organization. Most importantly, you’ll be able to see how the product could help to streamline your PCI DSS 4.0 compliance processes.
Get in touch today to start your free trial. We’re here to take the pain away from PCI DSS compliance.