The 10 Most Common Data Security Issues and How to Solve Them


    18 April, 2008, by Desire Athow
    #4 – Keeping what you don't need
    You can reduce the risk of retaining sensitive customer data by removing the electronic and paper data from all systems and files. However, simply deleting files that hold infrequently accessed, highly sensitive data won't work: it would violate multiple data retention regulations, not to mention annoying your marketing department. A better approach is to examine the specific data retention and protection regulations governing each sensitive data element that needs protecting, working in conjunction with the legal department and the data librarian, who will usually know the relevant regulations.

    #5 – Security triage
    We have to move beyond dealing with the crisis of the moment and focus on securing data holistically and consistently. And while it may be difficult to free up the time and the budget to institute a comprehensive data security plan, ultimately a unified approach will be far more effective than the fragmented practices present at too many companies, increasing security and saving both time and money.

    Data-driven security cannot be an occasional event sparked by a crisis; it needs to be an integral part of the organisation's daily routine.

    #6 – Outsourcing responsibility
    Virtually all data protection and privacy regulations state that firms can’t share the risk of compliance, which means that if your outsourcing partner fails to protect your company's data, your company is at fault and is liable for any associated penalties or legal actions that might arise from the exposure of that data.

    Laws concerning data privacy and security vary internationally. To lessen the chance of sensitive data being exposed deliberately or by mistake, you must ensure that the company you are partnering with — offshore or domestic — takes data security seriously and fully understands the regulations that affect your business.

    #7 – Putting too much faith in risk assessments
    The simplistic Yes/No questions that are part of the generic ISO 17799 and PCI requirements focus on whether a particular technology, policy or control is in place, and not how effective these controls can be against careless or malicious insiders or outsiders.

    Risk assessments tend to look at one item at a time, and do not offer a holistic view of the system. Each component may look secure, but risk may still occur at the interface points or the points of inconsistency across systems. Think holistically to secure a system, considering the flow of data through the entire system rather than testing individual points.

    Tags: Business Continuity, Compliance, Data Management, Information Life Cycle, Information/Data handling

    Désiré Athow is the Content Editor of ITProPortal.com and has been reporting on technology and telecommunication since 1999.