Glassdoor reported recently that 35% of hiring decision makers expect more employees to quit in the upcoming year than in the previous year, with the most common reason for quitting being salary dissatisfaction.
In light of this expected turnover, it's especially critical for companies to protect confidential business data and intellectual property, which could be used for malicious purposes: sold to or accessed by competitors, used in blackmail, or used to harm company operations or reputation. As the saying goes, once data walks out the door, it's gone.
The foundation of proper data protection should begin with a combination of company requirements and system controls to mandate acceptable behavior.
Policies can set a framework of expectations for appropriate user behavior and how to address security concerns.
(For a variety of downloadable policies on these topics, see our sister site, Tech Pro Research.)
In addition, system controls involving the securing of data through permissions, blocking access to external hard drives, utilizing encryption, leveraging monitoring and alerts and implementing data loss prevention mechanisms can also be helpful.
However, policies and controls aren't necessarily sufficient for data protection efforts to succeed. Companies need an overall data governance mindset: a comprehensive perspective that applies on a daily basis to the use of and access to information.
I spoke with Peter Merkulov, CTO of Globalscape, regarding the topic. According to Merkulov, data theft is more common than IT pros might think. He related a tale regarding a research scientist who was sentenced to an 18-month prison term for stealing proprietary company information from chemical giant DuPont, data valued at $400 million.
More troubling, Merkulov pointed out that "while an employee can take information with them maliciously, they may also do so unknowingly." In other words, malicious activity as well as careless or ignorant behavior can increase the risk of compromised data to an organization. This is why it's important for IT leaders to be proactive about their data management and protection strategy, he added, and explained how the following three techniques can assist.
1. Develop a top-level data governance strategy that fits regulation requirements
Compliance mandates like the EU's GDPR and NIS Directive will require organizations to know exactly where their data lives in order to stay in compliance and avoid major fines.
PCI, Sarbanes-Oxley and HIPAA regulations also have specific criteria for managing data which should be investigated and applied depending on the relevance to your organization.
Focus on the personnel and tools that are available or can be assigned to the effort. Developing a successful data governance strategy requires IT leaders to assemble the right team and resources, and then to be willing to enforce rules and restrictions across the entire organization.
2. Understand which data is critical and which is not
Data classification is critical when managing a secure storage infrastructure. Take a deep dive into the different data types your organization handles. Identify what your data is used for, who needs access to it, how much control is required and the amount of monitoring that is manageable for all important aspects.
It will be a lot easier to identify potential issues or gaps in your system through this methodology of data evaluation and classification. For instance, you want to focus your resources on analyzing only critical data and its use; applying a data loss prevention mechanism to non-confidential or public data is wasteful and produces a cumbersome scope of focus, which may result in missed alerts when actual data theft scenarios occur.
3. Utilize automation as a powerful tool
The average organization today has over 1,400 cloud applications in use, which is concerning from a data governance standpoint - especially when you consider the threats that shadow IT presents. If your employees are using unapproved devices and applications in the business, this leaves your IT infrastructure (both cloud and on-premises systems) and data far more vulnerable to cyberattacks. Worse, it also allows employees to access rogue applications and export data whenever and wherever they please, even after they exit the organization. Employees engage in shadow IT activities because they want to accomplish their business objectives in the most efficient way possible or because they consider company rules to be onerous or cumbersome. But the lack of visibility shadow IT presents to internal IT departments is a serious security risk, especially as employees exit the company.
As stated, policies and technology controls can restrict or provide visibility into employee activity. Shadow IT can't be monitored or controlled as easily as company-sanctioned equipment, however. The good news is that you can prevent some types of data loss by implementing automation capabilities, such as those that move data into appropriate locations or silos (such as archives or highly secured systems) or restrict access from unauthorized devices.
By eliminating the manual component of moving certain types of data, you will have better control over data movement from point to point as well as a heightened understanding of when an unauthorized movement is made. It is recommended that organizations automate data transfer processes, not only to help meet service level agreements (SLAs) but also to ensure greater accuracy among critical business processes, while saving a great deal of time in comparison to manual processes.
It's also important to continuously verify full operational visibility, control and governance over your entire company's data exchange environment. There is no "set it and forget it" when it comes to successful governance operations.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.