If an organization does not have a data risk profile, it needs one. Data is more valuable, which means it is also more vulnerable, and organizations that suffer a breach will not be able to recover the trust of their customers.
Managing data risk can be overwhelming. Data now sprawls across the globe in more applications and in more places. End-users are exercising their privacy rights, and cyber criminals are ruthlessly targeting every new attack vector. Meanwhile, new regulations around personal health information and artificial intelligence are changing the risk profile of the data companies hold.
To regain control, organizations must create a data risk profile by finding, classifying, and protecting their data. Those that manage their risk will build trust and confidence with their customers. The remainder will fall further behind.
Data sprawling out of control
How many organizations can find all their data? As data moves to cloud applications, endpoints, and cloud infrastructure, the data center is no longer the center of the data. Covid-19 has made keeping track of data even harder as employees copy data while they work remotely. Using personal devices or cloud storage accounts helps “get the job done,” but it increases data sprawl – data moving out of the reach of corporate security and data policies. In fact, data may not even be online because it has been retained for an extended period of time to meet any number of industry-specific regulatory requirements. Data in backups or offline archives is still subject to search and regulation.
With more applications in more locations held on more types of storage, small data sprawl is the new normal.
Privacy rights become more important
End users are exercising their privacy rights more frequently because of legislation such as the General Data Protection Regulation (GDPR). It protects customers and employees, giving them the right to be forgotten, and to gain access to copies of all the information held on them.
Of course, if an organization cannot track all its data, it cannot claim to find all the data pertaining to a given customer or employee. Customer data goes beyond marketing records and purchase orders. It includes logs showing the services they use, financial information, and more. Personal employee data can be found in even more places: internal documents, emails, or conversations in messaging applications. Data can easily be forgotten in massive unstructured data stores (NAS and object), violating regulations for years.
Cybersecurity threats become more vicious
Small data sprawl has stimulated cybercrime, and attacks are now launched every 11 seconds, according to research from Cybersecurity Ventures. The combination of “Ransomware as a Service,” an increased number of threat vectors, and the difficulty of securing data makes ransomware most organizations’ number one threat. Even worse, cyberattacks have become more vicious. In addition to deleting backups and encrypting data, attackers now extract a company’s most private information and threaten to post it on the Internet. Ransomware is no longer a threat; it is now the threat and risk to organizations’ data.
Personal health and AI change the game
In response to the pandemic, countries and businesses are collecting more health data. As businesses re-open, they will need to test employees and customers, store that data, and potentially reference it as part of tracing programs. Since there is nothing more private than personal health information (PHI), organizations will need to prove that they can securely store, retrieve, and, most importantly, eliminate that data.
Meanwhile, artificial intelligence and machine learning are coming under intense scrutiny because of concerns about racial and other biases caused by the algorithms. Regulators and courts will no longer accept companies telling them that they cannot explain how AI decisions are made. Instead, companies will be expected to provide both data and algorithms and to reproduce their results, so regulators and customers can investigate when a concern is raised. We will see many more legal cases that question the conclusions drawn by AI systems.
Creating a data risk profile
Different data carries different levels of risk, and companies need to create a risk profile to guide their data management policies. There are three key components to creating a risk profile:
1) Define classes of data and the policies that go with them. Those policies should include service levels for: protection, security, retention, search and retrieval, and access management. Regulations like GDPR set valuable baselines.
2) Discover the data across your environment. Data backups are often an excellent way to track datasets across an organization.
3) Assign the policies to the data via metadata and/or content-based rules. As data sprawl continues, risk profiles need to be managed automatically, or they will not work.
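The three steps above can be sketched in code. This is an added example, not part of the original article: the class names, policy values, rules, and inventory records are all constructed assumptions, with the inventory standing in for what a backup catalog would report.

```python
import re
from dataclasses import dataclass

# Step 1: data classes and their policies (all values are constructed examples).
@dataclass(frozen=True)
class Policy:
    protection: str       # backup service level
    security: str         # storage security requirement
    retention_days: int   # delete after this many days
    searchable: bool      # must be indexed for search and retrieval
    access: str           # access-management group

POLICIES = {
    "internal": Policy("weekly backup", "standard", 90, False, "all-staff"),
    "personal": Policy("daily backup", "encrypted", 365, True, "need-to-know"),
    "phi": Policy("hourly backup", "encrypted", 2190, True, "care-team"),
}
RANK = ["internal", "personal", "phi"]  # lowest to highest risk

# Step 2: discovered inventory (constructed; e.g. exported from a backup catalog).
INVENTORY = [
    {"meta": {"path": "/hr/reviews/2020.docx", "store": "nas"}, "sample": "Annual review notes"},
    {"meta": {"path": "/shared/screening.csv", "store": "object",
              "owner_dept": "occupational-health"}, "sample": "id,date"},
    {"meta": {"path": "/logs/app.log", "store": "cloud"},
     "sample": "user jane.doe@example.com opened ticket"},
    {"meta": {"path": "/eng/readme.txt", "store": "endpoint"}, "sample": "build instructions"},
    {"meta": {"path": "/hr/clinic-notes.txt", "store": "nas"}, "sample": "Test result: negative"},
]

# Step 3: metadata rules and content rules, each mapping a match to a class.
METADATA_RULES = [
    (lambda m: m.get("owner_dept") == "occupational-health", "phi"),
    (lambda m: m.get("path", "").startswith("/hr/"), "personal"),
]
CONTENT_RULES = [
    (re.compile(r"\b(test result|diagnosis)\b", re.I), "phi"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "personal"),
]

def classify(item):
    """Return the highest-risk class that any rule assigns; default is 'internal'."""
    hits = {"internal"}
    hits |= {cls for rule, cls in METADATA_RULES if rule(item["meta"])}
    hits |= {cls for pat, cls in CONTENT_RULES if pat.search(item["sample"])}
    return max(hits, key=RANK.index)

def build_profile(inventory):
    """Map each discovered path to (class, policy): the data risk profile."""
    return {i["meta"]["path"]: (classify(i), POLICIES[classify(i)]) for i in inventory}
```

When several rules match, the item takes the highest-risk class, so a file under /hr/ that also contains a test result is handled as PHI rather than ordinary personal data.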
Once the data risk profile has been defined, take it to be ratified by the IT, business, legal, compliance, and security teams. With a data risk profile, teams can begin to take action to monitor and manage their risk. More importantly, as new threats or regulations arise, they can adjust their approach, staying ahead of risk and protecting the organization and its customers.
It’s more than just risk protection; it’s a differentiator
Protecting data can secure people’s trust at a time when the public is bombarded with stories about data breaches and data exploitation. Some B2C businesses are making their data risk profiles public, explaining exactly how data is used, stored and shared with third parties. B2B businesses are also finding that being more open about data policies and protection can make the difference between winning or losing a customer. From publishing certifications to bolstering teams with data management specialists to appointing a Chief Data Officer (CDO), demonstrating a mature approach to data risk management and data protection sets an organization apart.
It’s a matter of trust
Data protection regulations are only going to get stronger. Individuals are gaining greater control over their data, cyber criminals are growing bolder, and AI will continue to spread. By acknowledging and weighing all the elements that give each piece of data different levels of risk, businesses can better protect their customers, employees, and themselves. As data gains more power, it is our responsibility to secure the data for the people we serve – ultimately, it's a matter of trust.
Stephen Manley, Chief Technologist, Druva