Scaling the Data Mountain

According to The Ponemon Institute, data breaches cost companies an average total of $2.1 million to $6.7 million (around £1.7 million to £5.4 million) – a sum that could cause serious harm to a business.

Yet every day we hear about another organization being hit by a data breach – from O2 to TalkTalk to Target to many others. With the total number of data breaches having increased by 30 percent since 2015, it begs the question: will 2017 see an even greater increase in data breaches, or will organizations finally start taking data protection seriously and commit to compliance with security regulations and industry guidelines?

As our recent study on data protection regulations and guidelines found, 28 percent of global organizations admitted they have been hit by a data breach in the last 12 months. Organizations need to understand that an important strategy to minimize the chances of a data breach is to create a robust data governance program.

Data governance can help organizations protect their most important assets before data can be exposed or breached. The key to building a sound data governance program is to create a defined set of procedures that mitigate data security risks and then map out a plan that allows the organization to execute those procedures.

As our study indicates, data governance isn’t a top priority for all organizations. In fact, 17 percent of companies still don’t have a data governance program in place and another 4 percent don’t even know if they do. One explanation for this could be that some organizations don’t have sufficient budgets, resources, personnel and access to technologies to build a comprehensive data governance program.

Another explanation could be that some IT teams are more focused on executing day-to-day data security practices. This could be happening because they may not possess the larger strategic vision or foresight to build a data governance program.

Whatever the reason might be, failing to build out a data governance program will only be detrimental to organizations. Businesses – and their IT teams – should think of it in the same way they’d go about building a new house. You cannot ask an architect to build a house without a detailed blueprint. It’s the same for data protection – without a data governance ‘blueprint,’ organizations will not be able to properly mitigate data security risks and ensure regulatory compliance.

Just look at Yahoo. They have admitted to not one, but two, data breaches this year – one of which is the largest data breach ever recorded. It revealed that 1 billion account details were breached in 2013 and 8 million in 2014, leaking users’ names, email addresses, phone numbers, dates of birth, hashed passwords and security questions onto the internet for anyone to access. Seeing as there are only 3 billion people using the web, this figure is pretty significant.

Whilst Yahoo was a huge email service when the internet was in its nascence, according to Google Trends, it reached its peak around 2010 but has since been completely dwarfed by Microsoft’s Hotmail and Google’s Gmail – so why on earth were so many old unused accounts still around gathering dust?

Yahoo isn’t the only company that is hoarding a data mountain to rival Everest, which suggests that the record for world’s largest data breach won’t be a title they hold for very much longer.

With so much at risk, why do so many businesses neglect to erase data properly from their IT assets and equipment, and fail to establish a larger data governance program to ensure data is managed, stored and erased in accordance with their internal policies and regulatory requirements? Sadly, this is because proper data removal methods are not understood, or because IT departments lack access to effective tools to help them wipe data from their IT assets and environments.

Data erasure has been a minuscule portion of the larger technology/software allocations in IT budgets due to the fact that organizations often perceive threats such as malware, spyware, backdoor attacks and extortion hacks to be more dangerous than security threats resulting from insecure data storage and improper data removal. As corporate priorities and budgets shift towards regulatory compliance, organizations will benefit in multiple ways, including improved decision-making abilities, improved risk mitigation and improved brand protection.

Companies need to start thinking about data and devices across their entire lifecycle in order not to get too hung up on any one single activity at the expense of others that are equally as important. Yes, protecting live corporate, employee and customer data is of major strategic importance.

However, by implementing data destruction as an important and final act within the data lifecycle management plan, it is possible to significantly reduce the total volume of data that needs to be protected. This has two benefits: firstly, it enables time, budget and resources to be refocused only on that data which has ongoing value to the business. Secondly, it minimizes the impact and damage if a data breach does occur.

Not only will these methods add an extra layer onto organizations’ existing overall security programs, they will also ensure that organizations aren’t bitten by regulatory fines, such as the whopping penalty they could expect to pay if non-compliant under the EU GDPR.

In today’s digital world, every second sees huge volumes of data being generated and collected by everyone and everything. In this environment, many organizations can barely make it past base camp in their effort to scale the data mountain in their system as it expands precariously closer to a devastating breach.

It’s important for companies to remember that while there is no single technique or solution that can guarantee 100% data protection, data removal is a crucial part of a comprehensive information security strategy.