About Critical Data Protection

 

Introduction: Gaining a Deeper Understanding of Information Security in a World of Increasing Data Protection Regulations

Historically, organizations have focused on securing the perimeter of their environment with firewalls, intrusion detection and prevention products, and similar technologies to prevent data leakage. While perimeter security remains important, treating all data assets as if they have same value through a blanket approach to security can cause significant detriment to the effectiveness of a security program.

Increased costs, a lack of focus on prioritizing incidents, and resource constraints are some of the drawbacks to a blanket approach to security. The design of such programs is just one reason there is such a long gap between when an incident/breach happens and when it is detected, averages more than 200 days*.

Organizations around the world have identified the limitations of blanket security programs and have begun to focus on a multi-layer approach to security that combines perimeter security with additional protection of their most critical data assets.

Not only do multi-layer security approaches help support data protection programs, they help organizations build, manage and enforce programs that will meet the increasing oversight of international data protection regulations such as the European Union’s Global Data Protection Regulation (GDPR) and those currently being developed by countries such as Brazil and Chine come into effect.

Assecurity continues to gain visibility at the national, executive and board levels, security leaders are also being asked about the return on investment (ROI) of the increasing spend they are being allocated to security. Blanket security programs can only go so far in providing a substantiated ROI. Identifying one’s critical data assets provides a definitive way to show value of a security program.

Critical data assets are mostly determined based on their economic value to the organization. These assets, or the expenses tied to the assets, can be found on the organization’s balance sheet. Knowing the value placed on the assets allows you to compare the cost of protection against the value of the assets to determine the full economic impact to the bottom line if the assets were ever leaked. While some organizations may not identify client information as a critical data asset, international privacy regulations are making them so.

 

Defining Critical Data Assets:  The First Step

Critical data assets are those assets that if lost, stolen, or otherwise exposed, would cause severe and irreparable harm to the financial standing, reputation and/or brand of an organization. They are those assets that are the most critical to the health of an organization based on revenue, income, reputation and core operational impact. Critical data assets vary depending on the organization, industry and sector. Examples include:

  • Intellectual Property including unfiled patents, manufacturing processes, product designs, and drug formulae.
  • Research Data at various stages of completion having the potential to generate future revenue through patents and other competitive advantages.
  • Market Strategy around what products companies are going to market with, as well as when, how and pricing, are valuable to a competitor looking to gain the upper hand.
  • Geographical Data such as land surveys for the purposes of resource exploration or simply for expansion planning critical to an organization’s long-term viability.
  • Personally Identifiable Information (PII) within various industries. In healthcare, this would be a patient record; in finance, personal banking information; in e-commerce, a customer record.

Focusing on one’s critical data assets does not mean perimeter security goes away.  Security programs focused on critical assets do not abandon the perimeter. When securing a house, there should be locks or a security system that provides basic protection, but more high value items are generally protected by additional security such as a safe. This same structure is the basis of security programs focused on securing critical data assets.

 

Taking the Next Step: Developing a Critical Data Protection Program

This Critical Data Protection Benchmark Survey is based on InteliSecure’s more than 10 years’ experience developing and implementing Critical Data Protection programs for global organizations.  To build a more effective security program for one’s critical data assets, the identified assets should be evaluated on their:

  • Content, the actual information that makes up the asset;
  • Community, who should and should not have access to that data;
  • Channel, how the asset is allowed to move throughout an internal network and whether or not it is allowed to leave the perimeter of the organization.

The process for developing a Critical Data Protection program should include a cross-functional group that includes both security teams and individual business units from across the organization. These business units are better positioned to help identify critical assets as they are the ones who handle key assets or track value on a daily basis.  All of these essential elements of a Critical Data Protection program are reflected in the questions asked by this survey.

The results of your survey contained in this report will help you better understand where your organization sits compared to others regarding developing and securing those assets critical to the success of your business.

 *Business Insider, July 13, 2016

 

About InteliSecure, Survey Sponsor

With headquarters and 24/7 Security Operations Centers in Denver and London, InteliSecure protects over 500 enterprise clients and more than one million users globally with managed security services tailored to safeguard critical data from the escalating frequency and scale of global cybersecurity threats. InteliSecure challenges the cybersecurity industry status quo with unmatched human intelligence protection through its acclaimed Critical Asset Protection Program™ methodology, comprised of specialized managed security services, penetration testing, security assessment, consulting, technical, and GRC services.

InteliSecure has ranked on the Inc. 5000 list of Fastest Growing Companies in North America for the past four consecutive years; #2 on the Denver Business Journal’s fastest growing companies, and in 2016, was named a Gartner Cool Vendor in Communications Service Provider Security Solutions (published April 20, 2016). InteliSecure supports leading security solutions from Symantec, McAfee, Forcepoint, IBM, Proofpoint, LogRhythm, TITUS, Boldon James and Qualys, among others. To learn more visit www.intelisecure.com and follow @InteliSecure.