The Driver Behind This
The fines and penalties, as well as brand impact for data violations (e.g., PII, PHI, Credit Card) can be severe as well as being very, very public. Legal requirements frequently differ greatly between states, and considering most now operate with our global marketplace, it is important to understand that this is especially true when operating between countries. In 2020, most employees rely on a variety of methods and means to support routine operations, systems which are comprised of components such as smartphones, laptops and tablets, all of which carry an inherent risk of being either lost or stolen. To not be prepared on addressing this threat is sheer folly.
Processes, Practices, and Activities That Address This Question
Conduct a full-on data inventory and get to ground truth so you know where your data is. Understand the data lifecycle within your organization; why, how and by whom is it being used? If you’re not already, you should be encrypting sensitive/regulated data at rest and in transit. Having (and enforcing) a data classification standard which is periodically audited is a definite plus. Additionally, ensure all staff have received appropriate training and fully understand the requirements on how to properly handle sensitive/regulated data, as well as the steps to report a potential violation. Technologies such as Data Loss Prevention systems can be employed to enforce proper handling and reduce the amount of sensitive/regulated data that is being exposed.
Common Pitfalls:
- “It’s too difficult to inventory what we have.”
- “We don’t have that much… (PII/PHI/Credit Card) data”
- “We’re not that big of a target, no one would bother themselves with us.”
- “Our employees are smart and know what to do”