Senior delegates offer their advice on developing a data security strategy in a complex and unpredictable world.
Data security is a constant challenge for every organisation, but unstructured data brings challenges of its own. Add to this the complexities of today’s business world, whether from digital transformation or post-pandemic reorganisation, and the challenges become even greater. The difficulty of securing data in such an environment was the topic discussed at a recent teissEvents virtual roundtable featuring senior executives from major organisations across a range of sectors.
A key approach to securing data is to set rules for how it is handled. Certain files might be accessible only to people in certain roles, or who have completed the required training. Other file types might need regular reviews to check, for example, whether they can be deleted. The organisation just needs to determine who owns the file, who should have access, what rules should apply, and so on. Then it can be labelled accordingly.
With unstructured data, this can be a challenge because the file type is not necessarily recognised and may not even be able to accept labels. Attendees at the briefing said that the best way to deal with this was to put the files in a container and label the container. However, one or two delegates said that although this seems simple in theory, it often doesn’t happen in practice.
Autonomy with guard rails
Difficulties often arise because IT doesn’t know enough about how the files will be used and the rest of the business doesn’t properly understand the need for data security. Several times during the briefing, delegates said that this results in breakdowns in communication and increases the likelihood that something will go wrong.
There are two solutions to this problem, both of which are essential. First, IT needs to educate the rest of the business about the risks of data breaches and the importance of protecting intellectual property, as well as regulatory obligations and other concerns. Not every employee needs to understand every aspect of this, but it needs to be part of the training where appropriate.
The aim, as one delegate put it, is to “enable the business to run their own business”. That means maximising autonomy, but with “guard rails” in place to prevent catastrophe if someone makes a mistake or falls victim to a malicious actor.
Start with a risk assessment
“It all starts with a risk assessment,” said one attendee, describing his organisation’s process. Only the business can explain the business impact of certain types of risk. If these files are accidentally made public, will it result in fines? Reputational damage? A loss of intellectual property? It could be all, or none, of those things, but it isn’t for IT to determine.
The same attendee said he used these assessments to create a harm reference table that could be used in further risk analysis. IT could then use this to set up the appropriate controls and make sure that they are effective.
One consideration when putting controls in place is not to treat all data the same. One delegate explained that if trivial files are subject to extreme controls, then users will get frustrated and they won’t respect tight controls on sensitive data either. Controls should instead become progressively stricter as data sensitivity and risk increase, which also keeps users aware of the kind of data they are handling.
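The approach described in the two passages above, labelling a container rather than each unstructured file, feeding a harm reference table into the access rules, and tightening controls as sensitivity rises, can be modelled in a few lines. The following is an added illustration, not code from the roundtable or any delegate's organisation. The sensitivity tiers, role names, training course names, review periods and harm categories are all constructed assumptions chosen to show the mechanics.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered labels, assumed for this example (lowest to highest risk)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Harm reference table (constructed): the business, not IT, states what
# exposure of each label would mean.  Keys are harm categories.
HARM_TABLE = {
    Sensitivity.PUBLIC:       {"fine": False, "reputation": False, "ip_loss": False},
    Sensitivity.INTERNAL:     {"fine": False, "reputation": True,  "ip_loss": False},
    Sensitivity.CONFIDENTIAL: {"fine": True,  "reputation": True,  "ip_loss": False},
    Sensitivity.RESTRICTED:   {"fine": True,  "reputation": True,  "ip_loss": True},
}

# Progressive controls (constructed): each tier adds a requirement on top of
# the one below it, so trivial data is not burdened with "extreme" controls.
#   roles        - None means any role; otherwise the set of permitted roles
#   training     - courses a user must have completed
#   review_days  - how often the container must be reviewed (None = never)
CONTROLS = {
    Sensitivity.PUBLIC:       {"roles": None, "training": set(), "review_days": None},
    Sensitivity.INTERNAL:     {"roles": None, "training": set(), "review_days": 365},
    Sensitivity.CONFIDENTIAL: {"roles": {"finance", "legal", "engineering"},
                               "training": {"data-handling"}, "review_days": 180},
    Sensitivity.RESTRICTED:   {"roles": {"legal"},
                               "training": {"data-handling", "ip-protection"}, "review_days": 90},
}


@dataclass
class Container:
    """A labelled container; the unstructured files inside inherit its label."""
    name: str
    owner: str
    sensitivity: Sensitivity
    files: list = field(default_factory=list)


@dataclass
class User:
    name: str
    role: str
    training: set = field(default_factory=set)


def add_file(container: Container, filename: str) -> Sensitivity:
    """Place an unstructured file in a container; return the label it now carries."""
    container.files.append(filename)
    return container.sensitivity


def check_access(user: User, container: Container):
    """Return (allowed, reason) for a user reading a container.

    The owner bypasses the role restriction but must still hold the training
    required for the tier; everyone else must satisfy both.
    """
    ctl = CONTROLS[container.sensitivity]
    if ctl["roles"] is not None and user.role not in ctl["roles"] and user.name != container.owner:
        return False, f"role {user.role!r} is not permitted for {container.sensitivity.name}"
    missing = ctl["training"] - user.training
    if missing:
        return False, f"training not completed: {sorted(missing)}"
    return True, "ok"


def review_due(container: Container, days_since_last_review: int) -> bool:
    """True when the tier's periodic review (e.g. 'can this be deleted?') is overdue."""
    period = CONTROLS[container.sensitivity]["review_days"]
    return period is not None and days_since_last_review >= period


def harms_if_exposed(container: Container) -> list:
    """Harm categories from the reference table that apply to this container."""
    return sorted(k for k, v in HARM_TABLE[container.sensitivity].items() if v)


if __name__ == "__main__":
    # Constructed sample data.
    designs = Container("product-designs", owner="carol", sensitivity=Sensitivity.RESTRICTED)
    add_file(designs, "widget-v3.dwg")  # file type unknown to the labelling tool
    alice = User("alice", "engineering", {"data-handling"})
    print(check_access(alice, designs))
    print(harms_if_exposed(designs))
    print(review_due(designs, days_since_last_review=120))
```

The point worth noticing is that the access decision never inspects the file itself: the label lives on the container, so a file format that cannot carry a label is still covered, and the harm table is data supplied by the business rather than logic written by IT.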
Defence in depth
There’s no “silver bullet” for doing that, however. Attendees agreed that multiple tools are needed, both to ensure that the right controls are in place for the right data and to offer a backup if one tool has a weakness or a flaw is discovered.
Although securing data can be complex, attendees agreed that the cloud does not add complexity. So long as the data is under your control and you know the jurisdiction in which it is stored, then everything should be fine. All the security controls IT needs are available from most cloud providers and some attendees made the point that cloud security is likely to be better than you can provide on-premises.
A bigger risk is with shadow IT, where users put data into the cloud, either because they are frustrated with the corporate tools available or because they don’t know how to use the available tools. Attendees agreed that this is particularly common with users who want to share data through services that they are comfortable with as consumers, such as Dropbox or WeTransfer. The answer, they agreed, is to offer the best possible services and provide training in how to use them.
The situation is complicated and constantly changing. However, a good risk assessment, solid training and a proper security toolkit can maximise data safety.