Virtually every organization recognizes the power of data to enhance customer and employee experiences and drive better business decisions. Yet, as data becomes more valuable, it’s also becoming harder to protect. Companies continue to create more attack surfaces with hybrid models, scattering critical data across cloud, third-party and on-premises locations, while threat actors constantly devise new and creative ways to exploit vulnerabilities.
In response, many organizations are focusing more on data protection, only to find a lack of formal guidelines and advice.
While every data protection strategy is unique, below are several key components and best practices to consider when building one for your organization.
What is a data protection strategy?A data protection strategy is a set of measures and processes to safeguard an organization’s sensitive information from data loss and corruption. Its principles are the same as those of data protection—to protect data and support data availability.
To fulfill these principles, data protection strategies generally focus on the following three areas:
Data protection’s emphasis on accessibility and availability is one of the main reasons it differs from data security. While data security focuses on protecting digital information from threat actors and unauthorized access, data protection does all that and more. It supports the same security measures as data security but also covers authentication, data backup, data storage and achieving regulatory compliance, as in the European Union’s General Data Protection Regulation (GDPR).
Most data protection strategies now have traditional data protection measures, like data backups and restore functions, as well as business continuity and disaster recovery (BCDR) plans, such as disaster recovery as a service (DRaaS). Together, these comprehensive approaches not only deter threat actors but also standardize the management of sensitive data and corporate information security and limit any business operations lost to downtime.
Why it’s important for your security strategyData powers much of the world economy—and unfortunately, cybercriminals know its value. Cyberattacks that aim to steal sensitive information continue to rise. According to IBM’s Cost of a Data Breach, the global average cost to remediate a data breach in 2023 was USD 4.45 million, a 15 percent increase over three years.
These data breaches can cost their victims in many ways. Unexpected downtime can lead to lost business, a company can lose customers and suffer significant reputational damage, and stolen intellectual property can hurt a company’s profitability, eroding its competitive edge.
Data breach victims also frequently face steep regulatory fines or legal penalties. Government regulations, such as the General Data Protection Regulation (GDPR), and industry regulations, such as the Health Insurance Portability and Accounting Act (HIPAA), oblige companies to protect their customers’ personal data.
Failure to comply with these data protection laws can result in hefty fines. In May 2023, Ireland’s data protection authority imposed a USD 1.3 billion fine on the California-based Meta for GDPR violations (link resides outside of ibm.com).
Unsurprisingly, companies are increasingly prioritizing data protection within their cybersecurity initiatives, realizing that a robust data protection strategy not only defends against potential data breaches but also ensures ongoing compliance with regulatory laws and standards. Even more, a good data protection strategy can improve business operations and minimize downtime in a cyberattack, saving critical time and money.
Key components of data protection strategiesWhile every data protection strategy is different (and should be tailored to the specific needs of your organization), there are several solutions you should cover.
Some of these key components include:
Data lifecycle management (DLM) is an approach that helps manage an organization’s data throughout its lifecycle—from data entry to data destruction. It separates data into phases based on different criteria and moves through these stages as it completes different tasks or requirements. The phases of DLM include data creation, data storage, data sharing and usage, data archiving, and data deletion.
A good DLM process can help organize and structure critical data, particularly when organizations rely on diverse types of data storage. It can also help them reduce vulnerabilities and ensure data is efficiently managed, compliant with regulations, and not at risk of misuse or loss.
Access controls help prevent unauthorized access, use or transfer of sensitive data by ensuring that only authorized users can access certain types of data. They keep out threat actors while still allowing every employee to do their jobs by having the exact permissions they need and nothing more.
Organizations can use role-based access controls (RBAC), multi-factor authentication (MFA) or regular reviews of user permissions.
Identity and access management (IAM) initiatives are especially helpful for streamlining access controls and protecting assets without disrupting legitimate business processes. They assign all users a distinct digital identity with permissions tailored to their role, compliance needs and other factors.
Data encryption involves converting data from its original, readable form (plaintext) into an encoded version (ciphertext) using encryption algorithms. This process helps ensure that even if unauthorized individuals access encrypted data, they won’t be able to understand or use it without a decryption key.
Encryption is critical to data security. It helps protect sensitive information from unauthorized access both when it’s being transmitted over networks (in transit) and when it’s being stored on devices or servers (at rest). Typically, authorized users only perform decryption when necessary to ensure that sensitive data is almost always secure and unreadable.
To protect their data, organizations first need to know their risks. Data risk management involves conducting a full audit/risk assessment of an organization’s data to understand what types of data it has, where it’s stored and who has access to it.
Companies then use this assessment to identify threats and vulnerabilities and implement risk mitigation strategies. These strategies help fill security gaps and strengthen an organization’s data security and cybersecurity posture. Some include adding security measures, updating data protection policies, conducting employee training or investing in new technologies.
Additionally, ongoing risk assessments can help organizations catch emerging data risks early, allowing them to adapt their security measures accordingly.
Data backup and disaster recovery involves periodically creating or updating more copies of files, storing them in one or more remote locations, and using the copies to continue or resume business operations in the event of data loss due to file damage, data corruption, cyberattack or natural disaster.
The subprocesses ‘backup’ and ‘disaster recovery’ are sometimes mistaken for each other or the entire process. However, backup is the process of making file copies, and disaster recovery is the plan and process for using the copies to quickly reestablish access to applications, data and IT resources after an outage. That plan might involve switching over to a redundant set of servers and storage systems until your primary data center is functional again.
Disaster recovery as a service (DRaaS) is a managed approach to disaster recovery. A third-party provider hosts and manages the infrastructure used for disaster recovery. Some DRaaS offerings might provide tools to manage the disaster recovery processes or enable organizations to have those processes managed for them.
Whenever organizations move their data, they need strong security. Otherwise, they risk exposing themselves to data loss, cyber threats and potential data breaches.
Data storage management helps simplify this process by reducing vulnerabilities, particularly for hybrid and cloud storage. It oversees all tasks related to securely transferring production data to data stores, whether on-premises or in external cloud environments. These stores cater to either frequent, high-performance access or serve as archival storage for infrequent retrieval.
Incident response (IR) refers to an organization’s processes and technologies for detecting and responding to cyber threats, security breaches and cyberattacks. Its goal is to prevent cyberattacks before they happen and minimize the cost and business disruption resulting from any that do occur.
Incorporating incident response into a broader data protection strategy can help organizations take a more proactive approach to cybersecurity and improve the fight against cybercriminals.
According to the Cost of a Data Breach 2023, organizations with high levels of IR countermeasures in place incurred USD 1.49 million lower data breach costs compared to organizations with low levels or none, and they resolved incidents 54 days faster.
Data protection policies help organizations outline their approach to data security and data privacy. These policies can cover a range of topics, including data classification, access controls, encryption standards, data retention and disposal practices, incident response protocols, and technical controls such as firewalls, intrusion detection systems and antivirus and data loss prevention (DLP) software.
A major benefit of data protection policies is that they set clear standards. Employees know their responsibilities for safeguarding sensitive information and often have training on data security policies, such as identifying phishing attempts, handling sensitive information securely and promptly reporting security incidents.
Additionally, data protection policies can enhance operational efficiency by offering clear processes for data-related activities such as access requests, user provisioning, incident reporting and conducting security audits.
Governments and other authorities increasingly recognize the importance of data protection and have established standards and data protection laws that companies must meet to do business with customers.
Failure to comply with these regulations can result in hefty fines, including legal fees. However, a robust data protection strategy can help ensure ongoing regulatory compliance by laying out strict internal policies and procedures.
The most notable regulation is the General Data Protection Regulation (GDPR), enacted by the European Union (EU) to safeguard individuals’ personal data. GDPR focuses on personally identifiable information and imposes stringent compliance requirements on data providers. It mandates transparency in data collection practices and imposes substantial fines for non-compliance, up to 4 percent of an organization’s annual global turnover or EUR 20 million.
Another significant data privacy law is the California Consumer Privacy Act (CCPA), which, like GDPR, emphasizes transparency and empowers individuals to control their personal information. Under CCPA, California residents can request details about their data, opt out of sales, and request deletion.
Additionally, the Health Insurance Portability and Accountability Act (HIPAA) mandates data security and compliance standards for “covered entities” like healthcare providers handling patients’ personal health information (PHI).
Best practices for every data protection strategyHaving secure data starts with knowing what types of data you have, where it’s stored and who has access to it. Conduct a comprehensive data inventory to identify and categorize all information held by your organization. Determine the sensitivity and criticality of each data type to prioritize protection efforts, then regularly update the inventory with any changes in data usage or storage.
Maintain strong communications with key stakeholders, such as executives, vendors, suppliers, customers and PR and marketing personnel, so they know your data protection strategy and approach. This open line of communication will create greater trust, transparency and awareness of data security policies and empower employees and others to make better cybersecurity decisions.
Conduct security awareness training across your entire workforce on your data protection strategy. Cyberattacks often exploit human weakness, making insider threats a significant concern and employees the first line of defense against cybercriminals. With presentations, webinars, classes and more, employees can learn to recognize security threats and better protect critical data and other sensitive information.
Running ongoing risk assessments and analyses helps identify potential threats and avoid data breaches. Risk assessments allow you to take stock of your data footprint and security measures and isolate vulnerabilities while maintaining updated data protection policies. Additionally, some data protection laws and regulations require them.
Documenting sensitive data in a hybrid IT environment is challenging but necessary for any good data protection strategy. Maintain strict records for regulators, executives, vendors and others in case of audits, investigations or other cybersecurity events. Updated documentation creates operational efficiency and ensures transparency, accountability and compliance with data protection laws. Additionally, data protection policies and procedures should always be up-to-date to combat emerging cyber threats.
Monitoring offers real-time visibility into data activities, allowing for the swift detection and remediation of potential vulnerabilities. Certain data protection laws may even require it. And even when it’s not required, monitoring can help keep data activities compliant with data protection policies (as with compliance monitoring). Organizations can also use it to test the effectiveness of proposed security measures.
While strategies will differ across industries, geographies, customer needs and a range of other factors, nailing down these essentials will help set your organization on the right path forward when it comes to fortifying its data protection.