Beat the breach! How to tackle the hidden risk in your unstructured data in 2022

How can organizations worldwide avoid data breaches?

At a time when ransomware attacks, cybersecurity and data breaches make headlines, how can organizations stay protected?

In a recent virtual panel discussion hosted by BSI technology partner Exonar, Stephen Bowes, Global Practice Director, Data Management & Security Technologies at BSI joined Gareth Tranter, Head of Customer Success at Exonar and other experts to discuss measures organizations will need to consider to avoid data breaches.

The discussion highlighted how avoiding data breaches goes beyond the IT team, addressing multiple departments, people, and processes. The 7 key actions surfaced from this discussion are:

  1. Invest in people and technology

Invest in data professionals, governance teams and technology tools. Without the right skills and tech, you end up with very manual processes to try and manage data, which increases the risk for the organisation.

Give staff the training they need on an ongoing basis, to create awareness, and give them the ability to spot a phishing email. The biggest challenge is to get people to care and to keep them caring. Ensure people understand that the data governance and security teams are trying to help them, and that they are part of a bigger process that’s contributing to the security of the organisation.

Try gamification of security awareness to keep people interested and bring the subject to life. Keep it fresh and varied, otherwise people will stop engaging. Use metrics to measure what’s working and what’s not.

  2. Get the right processes in place

It’s absolutely critical that there’s a solid data governance structure in place with data owners and data stewards in the business. They need to be the people who manage the systems that are used, and the data they produce.

Data owners need to be able to make decisions around the security of data. Crucially, this needs to be part of their job description, recognised as a key area of responsibility, with time allocated for it. Don’t tack it on to their day job and hope it will be done. In addition, make it realistic – you can’t give someone responsibility for 100,000 unstructured files and expect them to take any meaningful action.

Embed data privacy, protection and security by design, for example in the process by which data is shared in your organisation or where data is shared in an ecosystem.

  3. Turn data protection policies into practice

Formulate your policies – they are the guide to how people in the business should manage and handle data – but don’t leave them as paper-based policies. Look at how to turn those policies into practice so they remain front and centre. Embed the principles and policies in process. It’s a step that most organisations fail to take.

  4. Get the board’s buy-in

Organisations have seen data breaches and cyber security raised to board level due to the highly publicised ransomware attacks this year. Yet there can be a syndrome of “this will never happen to us – we’d rather take the risk than spend”, so it can be hard to have the conversation around investment in risk mitigation with the execs, especially if you haven’t had a breach. Talk to the board in their own language and find out what will make them listen.

Leverage phishing, ransomware attacks or other significant events in associated organisations that are close to home to heighten the sense of the threat level.

Find software vendors who will let you ‘try before you buy’ so you can get a sense of how bad the problems in your data are and put together the business case for investment.

  5. Use simulation exercises to demonstrate what would happen if a breach occurred

Simulation exercises help execs to understand that if you don’t have the funding or tools to mitigate a breach, the Chief Executive will end up in front of the camera defending the business to the customers who’ve been breached.

Conduct tabletop exercises to calculate what the impact would be. Figure out what’s an acceptable level of risk to the business. Using quantitative and qualitative analysis, consider internal costs, the regulatory implications and the impact of the reputational damage in the event of a breach.

  6. Learn from mistakes

If your organisation is the subject of a data breach, learn from what went wrong. Most times organisations can turn a breach to their advantage if they handle it right. And if it happens again, it will be easier to contain. A situation that looks particularly dark and gloomy can reap benefits in the long term.

  7. Find out what data you’ve got

If you don’t know what your highly sensitive data is you can’t find it and can’t secure it. Run a programme of discovery to expose the risks as well as the organisation’s valuable ‘crown jewel’ data. It’ll show you whether you could improve security if you changed something as simple as permissions, for example. You’ll be able to auto-classify your data.

 




BSI enables people and organizations to perform better. We share knowledge, innovation and best practice to make excellence a habit – all over the world, every day.
