We use the word “enterprise” for a good reason. Big companies or enterprises with more than 500 employees represent complex ecosystems with incredible resources, structures and more importantly, substantial know-how and data. Information security in these organizations is quite challenging and requires significant efforts from several departments and business unit managers, not only the IT department. But does the joint effort really exist? Or it is only a desire of the idealistic IT security vendors? What other recommended practices are not followed in enterprises?
Let’s see what are the 5 most common data security mistakes enterprises can’t afford to make:
1. Failing to make information security a business component
In an enterprise, let’s say, in the clothes manufacturing industry, having a data breach with the unreleased clothes designs is as bad as delaying with the production or partnering with the wrong stores. Most businesses are not aware of this and fail to treat data protection with the same importance as marketing, HR, business development, R&D, etc. Instead, they assign this job to the IT department which usually is overwhelmed by its complexity.
IT security doesn’t mean only to install X software solutions and supervise their effectiveness. It is built out of multiple processes, business cases, employees’ working tools and models, and business objectives. A solid data protection strategy starts from a business need – to ensure all business activities are securely performed, without risks of data loss or theft – and from top management – that must clearly communicate the goals to employees, especially to department managers and to establish a procedure in case employees do not adhere to the company policy.
2. Not preparing a response and recovery plan in case of a breach
If a breach happens, all hell breaks loose in many enterprises. The PR responsible is caught off guard, top management gets defensive and immediately turns to IT departments in search for someone to blame, and the IT staff is baffled that something like this could have happened, even with all measures they implemented. To avoid this crisis, a response and recovery plan should be prepared, answering questions like “If we suffer a leak what is the first thing that we do to minimize damages and isolate the incident? If the leak ends up in the media, how do we respond? How do we inform affected users? ” etc. A data breach is usually the consequence of a series of bad decisions made by more people in the company and the sooner the top management acknowledges this, the better.
3. Allocating most resources to cloud data security
It’s true that the cloud is an essential component of most enterprises. Making sure data is secured on cloud file sharing services or avoiding confidential data to be uploaded/copied on cloud apps is crucial. However, concentrating all resources to cloud data security and disregarding other exits points, like USB sticks, external HDDs, internal memory cards, desktop apps, smartphones and tablets, and even CDs and DVDs is a big mistake.
USB flash drives have now reached a 2TB capacity and can easily store entire databases, websites, or more than a laptop’s hard drive can store. Failing to enforce security policies for the use of portable storage devices, to encrypt them and to grant access only to trusted users could lead to data theft, leakage or loss.
4. Not giving enough importance to insider threats
In a big company, chances of finding disgruntled employees are bigger than in smaller ones. Relationships with the management are more impersonal, internal regulations are stricter, and getting promotions is more difficult since the competition is higher and getting noticed is more challenging. That’s how discontent emerges, leading to situations such as stolen databases with customers, Intellectual Property, disclosed confidential information, etc.
Not giving enough importance to employees’ attitude and the data security implementation focused on user behavior and data transfer patterns, and putting the spotlight on external threats, instead, leads to loopholes in data security. Besides the intentional malicious actions, there are also the negligence and human error factors that are part of the insider threats and need to be addressed with proper tools and policies.
5. Not making use of Big Data
Enterprises generate enormous quantities of data from hundreds of users, apps, devices, and platforms, but fall short in getting insights and exploiting data they collect. Reasons are diverse, from a shortage of skills (e.g data scientists), vision, and others. Many activities of the company could be optimized based on Big Data analysis and interpretation, including data security, e.g. predicting security incidents at an early stage. Very few companies use tools like Hadoop to make use of the overwhelming volume of data and improve their IT security implementation and processes.
Conclusion
Some might believe that for enterprises is easier to purchase and implement security tools. The reality is that things get complicated for companies surpassing a certain size and without proper IT security and business protocols they leave room for errors, mistakes that can ultimately cause irreversible damages. Avoiding the above mistakes can diminish chances of experiencing data breaches and, moreover, can enhance information security in the long term.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.