The good news is the majority of companies have made cybersecurity a higher priority and are more proactively securing their data and systems. The bad news is most remain unnecessarily vulnerable by neglecting an important first step — understanding what data needs to be protected and to what degree.
It is nearly impossible to effectively secure information that is poorly managed.
Organizations need to inventory their important data if they stand any chance of protecting it. This means determining which data is sensitive and then identifying where it is, how it moves around, who touches it, and how long to keep it. These tasks commonly receive little attention, and that is a leading reason companies develop a false sense of security and assume they are fine. It is like declaring your home safe without knowing how many doors and windows the house has or where they are located.
Getting your data more organized doesn’t have to be overly complicated or expensive. And it can be done in phases, on a timeline that aligns with your resource availability. Taking the following first steps will put you in a much better position to then determine how specific information should be protected:
- Identify every department where sensitive data is generated, collected or stored.
- Categorize each data set in some manner – highly confidential, sensitive, internal use only, etc.
- Document how each data set is currently being managed. For instance:
  - Who has access to it?
  - What devices is it stored on?
  - How does it move around?
  - How long is it archived, and why for that long?
  - Does it make business sense to manage it this way?
- Identify the broken or inefficient business processes involved with data collection, transmission, reporting, storage, etc.
This last bullet is especially pertinent because, in addition to showing what data should be protected and how, the exercise will shine a light on workflows and business processes that are manually intensive, error-prone and inefficient. Fixing the worst of these usually yields cost reductions and productivity gains that can go a long way toward funding the needed cybersecurity investments.
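As an added example (not from the original article), here is one way to record the items from the steps above as a structured inventory and have a script flag the gaps the exercise is meant to surface: data sets with no accountable owner, no retention decision, sensitive copies on unmanaged devices, or sensitive data flowing to a third party. The field names, classification labels, the set of "unmanaged" locations and the sample entries are all assumptions constructed for illustration, not a standard.

```python
"""Rule-based review of a data inventory (added example, not the article's code).

Each DataSet record holds the facts the inventory exercise asks for; review()
turns missing or risky facts into findings so they cannot silently pass.
Field names, classification labels, UNMANAGED_LOCATIONS and the sample
inventory are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ordered from least to most sensitive; the index is used for comparisons.
CLASSIFICATIONS = ("public", "internal", "sensitive", "highly_confidential")

# Storage locations the organisation does not centrally manage (assumption).
UNMANAGED_LOCATIONS = {"personal_laptop", "usb_drive", "personal_email", "shared_mailbox"}


@dataclass
class DataSet:
    name: str
    department: str
    classification: str
    owner: str                      # accountable role; empty means nobody owns it
    accessed_by: list[str]          # roles or groups with access
    stored_on: list[str]            # systems or devices holding a copy
    flows_to: list[str]             # where copies are sent ("external:<party>" for third parties)
    retention_days: Optional[int]   # None means no retention decision has been made
    retention_reason: str = ""      # business or legal justification for the period


def level(classification: str) -> int:
    """Numeric rank of a classification label; unknown labels rank as -1."""
    return CLASSIFICATIONS.index(classification) if classification in CLASSIFICATIONS else -1


def review(ds: DataSet) -> list[str]:
    """Return the inventory gaps found for one data set (empty list = nothing flagged)."""
    findings = []
    sensitive = level(ds.classification) >= level("sensitive")

    if level(ds.classification) < 0:
        findings.append(f"unknown classification {ds.classification!r}")
    if not ds.owner:
        findings.append("no accountable owner")
    if not ds.accessed_by:
        findings.append("access list not documented")
    elif sensitive and "everyone" in ds.accessed_by:
        findings.append("sensitive data readable by everyone")
    if sensitive:
        for loc in ds.stored_on:
            if loc in UNMANAGED_LOCATIONS:
                findings.append(f"copy held on unmanaged location {loc!r}")
        for dest in ds.flows_to:
            if dest.startswith("external:"):
                findings.append(f"flows to third party {dest[len('external:'):]!r}")
    if ds.retention_days is None:
        findings.append("retention period not decided")
    elif not ds.retention_reason:
        findings.append(f"retained {ds.retention_days} days with no stated reason")
    return findings


def review_inventory(inventory: list[DataSet]) -> dict[str, list[str]]:
    """Map each data set name to its findings."""
    return {ds.name: review(ds) for ds in inventory}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    DataSet("payroll", "HR", "highly_confidential", "HR director",
            ["hr_payroll", "finance"], ["hr_system", "shared_mailbox"],
            ["external:payroll_provider"], 2555, "tax law"),
    DataSet("customer_list", "Sales", "sensitive", "",
            ["everyone"], ["crm", "usb_drive"], [], None),
    DataSet("office_floor_plan", "Facilities", "internal", "Facilities manager",
            ["all_staff"], ["intranet"], [], 365, "replaced on each refit"),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The rules are deliberately simple and meant to be extended with an organisation's own classification scheme and approved-storage list. The design point is that an unanswered question (no owner, no retention decision, no access list) becomes a finding rather than a blank cell that nobody reads.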
A final suggestion: Do not make this an IT-led initiative. This is a risk management and process improvement initiative. Wait until after this first phase is completed to get the IT people more involved.