The technological revolution has elevated “data” to one of the most contested and vital resources in the modern global economy. Data-driven business models necessitate the collection of vast amounts of information, which increases risk and exposure for companies. Alarmingly, data breaches can be immensely damaging to companies, as the average cost of a data breach is estimated at $3.86 million. In addition to financial damages, a data breach could result in loss of reputation, waning faith in a brand, and potential legal challenges and costs. Digital resilience, or the ability to sustain operations while responding to a breach, is critical for crisis management, rapid recovery, and customer communication. For these reasons, building data protection digital resilience is a necessity for companies around the world.
Engage the C-suite to Integrate Data Protection into Business Operations
The rising sophistication of cyberattacks requires adaptable and collaborative governance in order to prepare for, respond to, and recover from them effectively. Scattered communication and over-reliance on security teams can leave companies exposed to higher risks. The C-suite can play a pivotal role in a company’s data protection posture by helping align business priorities with data protection priorities and by establishing a common vocabulary with IT teams to raise awareness of cyber threats across the company. Increased C-suite engagement can also enhance communication with key stakeholders and their understanding of the threat landscape.
For example, C-suite participation in cyber table-top exercises can help create a coordinated and prepared response to real-life scenarios such as ransomware attacks.
Remain in Compliance by Engaging the C-suite and Board
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have obliged C-suite officers to restructure their perception of and approach to data protection, or face fines and reputational costs. In 2019, the Federal Trade Commission (FTC) recommended that a company’s security team present its C-suite officers with the organization’s written information security program. The FTC also recommended that the company’s senior leadership provide an annual certification of compliance to the agency. The FTC believes this will increase the boardroom’s attention to oversight and data safeguarding.
Gain Visibility into Core Processes, Assets and Dependencies across the Organization
To minimize the mayhem caused by malicious cyberattacks and disruptions, companies must identify and fully understand their high-value data assets in order to secure them effectively. Applying data protection controls indiscriminately across all data assets, rather than where they are needed, leads to productivity loss and waste. By developing an inventory of assets, senior management can individually assess each high-value asset and determine the appropriate security controls required. For example, by identifying high-value assets, companies can implement stronger access controls or employee background checks. This helps prioritize investment to ensure the continuous accessibility of high-value assets during a potential disruption. An automated inventory of assets can give a company’s key stakeholders clear visibility into its critical data points, assets, and networks, and the security controls required to protect them.
Build Resilience throughout the Organization
In an environment where aggressive actors have highly sophisticated tools at their disposal, companies should regularly assess and monitor their operational resiliency. This starts with clear-cut communication from senior leadership, followed by the following measures to identify and address potential gaps and weaknesses:
- Data backups: Regularly update and test data backup policies and procedures to ensure backups are occurring in a timely fashion. During a disruption, operational downtime can be minimized if effective backup procedures are in place for data retrieval and access.
- Training & Awareness: Develop and conduct cyber tabletop exercises to train all key stakeholders for a cyber event. This includes procedures on how to stop an attack and maintain operational capacity while it is under way. Annual cyber tabletop exercises raise awareness and ensure all relevant stakeholders fully understand their roles and responsibilities in responding to and recovering from disruptions and restoring business operations.
- Risk Management: Develop a risk management model that is informed by your business priorities. This holistic approach will aid in the identification of potential high-risk vulnerabilities emanating from third parties, insider threats, and international operations.
- Testing & Monitoring: Regularly test the effectiveness and readiness of all data protection policies and procedures to promptly address any gaps and vulnerabilities. This includes monitoring of third parties to ensure they are complying with regulatory and technical requirements.
Adapt to Uncertainty and New Requirements
In the information era, data is, and will continue to be, one of the most valuable strategic resources. As such, companies should adopt a proactive data protection resilience strategy rather than a reactive response strategy. Regularly testing data protection, establishing continuity policies, and training personnel will provide long-lasting value. Clear-cut communication and participation from senior leadership will advance these goals even further. While the lack of a comprehensive federal data protection law leaves a great deal of uncertainty, a resilient data protection strategy can reduce the need for one-off changes to comply with the evolving regulatory landscape. By bolstering or implementing these components, companies will be better equipped to navigate and adapt to an increasingly volatile threat landscape.