How to tackle hidden risk in unstructured data


The insights shared within this summary were acquired during a virtual webinar panel discussion run by Exonar and chaired by our Head of Customer Success, Gareth Tranter. We were joined by a select group of security, governance and data management specialists who are all at the frontline of data security and protection working within some of the world's biggest global organisations.

In this one-hour discussion our experts shared their views on how to Beat the Breach and what organisations are doing to tackle the hidden risk in their unstructured data. The panellists also explored the impact of that risk on reputation, customer loyalty and the ability to make sound business decisions.

Our expert panel included:
• Maritza Curry, Head of Data at RCS Group (BNP Paribas)
• Tim Harrison, Senior Data Security Specialist at Global FS Organisation
• Stuart Codack, Head of Security at West Midlands Trains
• Stephen Bowes, Global Practice Director, Data Management & Security Technologies at BSI

1. Invest in people and technology

Invest in data professionals, governance teams and technology tools. Without the right skills and tooling you end up with very manual processes for managing data, and that increases the risk to the organisation.

Give staff ongoing training to create awareness and to give them the ability to spot a phishing email. The biggest challenge is to get people to care, and to keep them caring. Make sure people understand that the data governance and security teams are trying to help them, and that they are part of a bigger process that contributes to the security of the organisation.

Try gamification of security awareness to keep people interested and bring the subject to life. Keep it fresh and varied, otherwise people will stop engaging. Use metrics to measure what’s working and what’s not.

“It really depends on an organisation’s value proposition. So, for example, if you’re a retailer and your processes are the lowest value in the industry then your customers may not have any expectation on you to protect their data or any of their unstructured data.”
- Maritza Curry, Head of Data at RCS Group (BNP Paribas)


2. Get the right processes in place

It’s absolutely critical that there’s a solid data governance structure in place with data owners and data stewards in the business. They need to be the people who manage the systems that are used, and the data they produce.

Data owners need to be able to make decisions around the security of data. Crucially, this needs to be part of their job description, recognised as a key area of responsibility and time allocated for it. Don’t tack it on to their day job and hope it will be done. In addition, make it realistic – you can’t give someone responsibility for 100,000 unstructured files and expect them to take any meaningful action.

Embed data privacy, protection and security by design, for example in the process by which data is shared within your organisation, or shared with partners in a wider ecosystem.

“It’s about shifting the mindset and doing things as legislated, as we should be.”
- Stuart Codack, Head of Security at West Midlands Trains


3. Turn data protection policies into practice

Formulate your policies – they are the guide to how people in the business should manage and handle data – but don’t leave them as paper-based policies. Look at how to turn those policies into practice so they remain front and centre. Embed the principles and policies in process. It’s a step that most organisations fail to take.

“Making people understand the ownership they have and that security is trying to help them manage the data to keep the company’s reputation intact.”
- Tim Harrison, Senior Data Security Specialist at Global FS Organisation


4. Get the board's buy-in

Organisations have seen data breaches and cyber security raised to board level because of the highly publicised ransomware attacks this year. Yet there can be a syndrome of “this will never happen to us – we’d rather take the risk than spend”, so it can be hard to have the conversation about investing in risk mitigation with the execs, especially if you haven’t had a breach. Talk to the board in their own language, and find out what will make them listen.

Use phishing campaigns, ransomware attacks or other significant events at organisations close to home to heighten the board’s sense of the threat level.

Find software vendors who will let you ‘try before you buy’. A trial gives you a sense of how bad the problems in your data are, and that evidence is what you need to put together the business case for investment.

“It would be nice to solve a problem, without something having a massive impact first that encourages the board along.”
- Stuart Codack, Head of Security at West Midlands Trains


5. Use simulation exercises to demonstrate what would happen if a breach occurred

Simulation exercises help execs understand that if you don’t have the funding or tools to mitigate a breach, the Chief Executive will end up in front of the cameras defending the business to the customers whose data has been exposed.

Conduct tabletop exercises to work out what the impact would be, and decide what level of risk is acceptable to the business. Consider the internal costs, the regulatory implications and the reputational damage a breach would cause, using both quantitative and qualitative analysis.

“It’s extremely important to get Execs into a room and do a tabletop exercise to demonstrate what would happen if a breach occurred to get their buy-in and the funding needed to get ahead of the breach before it happens and stop it.”
- Tim Harrison, Senior Data Security Specialist at Global FS Organisation


6. Learn from mistakes

If your organisation is the subject of a data breach, learn from what went wrong. Most times organisations can turn a breach to their advantage if they handle it right. And if it happens again, it will be easier to contain. A situation that looks particularly dark and gloomy can reap benefits in the long term.

“With an increase in data breaches, it’s bringing those topics to the forefront.”
- Stephen Bowes, Global Practice Director, Data Management & Security Technologies at BSI


7. Find out what data you’ve got

If you don’t know what your highly sensitive data is, you can’t find it and you can’t secure it. Run a programme of discovery to expose the risks as well as the organisation’s valuable ‘crown jewel’ data. It will show you whether you could improve security by changing something as simple as file permissions, and it gives you the basis for classifying your data automatically rather than by hand.

“The starting point is definitely data classification and understanding what the value and risk of your unstructured data is and then focusing on the data with the highest risk first.”
- Maritza Curry, Head of Data at RCS Group (BNP Paribas)
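To make the discovery step concrete, the following is an added example written for this summary, not Exonar’s product or any panellist’s tooling. It walks a directory of unstructured files, counts hits from three simple detectors (e-mail addresses, Luhn-valid card numbers, and credentials in `key=value` form), checks whether each file is world-readable, and ranks the results so the riskiest files surface first. The detector patterns, the risk weights, and the sample files it builds in a temporary directory are all assumptions made for the example.

```python
"""
Added example: a minimal discovery-and-classification scan over a directory of
unstructured files. Detector names, risk weights and the sample data are
assumptions made for this illustration, not a vendor's classification scheme.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Detectors for three common kinds of sensitive content.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SECRET_RE = re.compile(r"(?i)(password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+")

# Assumed risk weight per hit; tune this to your own classification scheme.
RISK_WEIGHT = {"card": 10, "secret": 8, "email": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Count hits per detector in one file's text."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return {
        "email": len(EMAIL_RE.findall(text)),
        "card": sum(1 for c in cards if luhn_ok(c)),
        "secret": len(SECRET_RE.findall(text)),
    }


@dataclass
class Finding:
    rel: str              # path relative to the scan root
    counts: dict          # hits per detector
    world_readable: bool  # file mode has the "other: read" bit set
    score: int            # weighted hits, doubled if world-readable


def scan(root: Path) -> list:
    """Walk root, classify every regular file, return findings ranked by score."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        counts = classify(path.read_text(errors="ignore"))
        base = sum(RISK_WEIGHT[k] * n for k, n in counts.items())
        if base == 0:
            continue  # nothing sensitive found; not worth a data owner's time
        world_readable = bool(path.stat().st_mode & stat.S_IROTH)
        score = base * (2 if world_readable else 1)
        findings.append(Finding(path.relative_to(root).as_posix(), counts, world_readable, score))
    return sorted(findings, key=lambda f: (-f.score, f.rel))


def build_sample(root: Path) -> None:
    """Constructed sample files for the demo (not real data); modes set explicitly."""
    files = {
        "hr/staff-list.txt": ("Name, Email\nMaritza C, maritza@example.com\nTim H, tim@example.com\n", 0o644),
        "finance/payments.csv": ("card,amount\n4111 1111 1111 1111,120.00\n4242424242424242,30.00\n1234567812345678,10.00\n", 0o600),
        "ops/deploy.env": ("DB_HOST=db.internal\nDB_PASSWORD=hunter2\napi_key = sk_test_abc123\n", 0o644),
        "notes/readme.txt": ("Meeting notes: agenda for Tuesday\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)


def demo() -> list:
    """Build the sample tree in a temp dir, scan it and return the ranked findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.score:>4}  {f.rel:<22} {f.counts}  world_readable={f.world_readable}")
```

Two design points match the panel’s advice. The third card number in the sample fails the Luhn check and is ignored, which is the kind of false-positive control you need before handing a data owner a list of files to act on. And the credentials file outranks the card data purely because it is world-readable, illustrating the point that a permissions change alone can take a file out of the highest-risk bucket.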


If you want to find what data you’ve got and how much of it contains risk, talk to us – it’s what we do!