Preventing the loss or leakage of data is crucial for any modern business. Today’s customers are accustomed to near-instantaneous transactions that are only possible because of the vast amounts of data that businesses store: inventory data, billing data, customer data (phone number, address, email, etc.), and countless other pieces of information that enable transactions.
If a business suddenly loses its data, its operations can come to a grinding halt—causing severe impacts to the business as transactions fail to go through, accounts payable and receivable aren’t processed, and employees become suddenly unable to complete tasks that rely on stored information. It’s a true nightmare scenario.
This is why so many businesses develop data loss prevention plans to protect their most important information and avoid disruption. But, not every business enacts their data loss prevention strategy flawlessly, creating inefficient solutions that still leave them vulnerable to data loss.
What are some of the biggest mistakes that companies make when creating a data loss prevention (DLP) strategy? Here’s a list of some things to avoid:
1) Not Getting Executive Support for the DLP Strategy
For many business initiatives, getting the support of top-level executives in the organization is crucial for the success of the initiative. As noted in one Symantec blog on the topic of data loss, “Implementing DLP is not just an IT decision; it’s a business decision that impacts everyone from HR, audit and compliance to legal, engineering and sales. Support must originate from the top and early on.”
Basically, if the bigwigs aren’t buying it, why should anyone else? A lack of support from the top may see others in the organization not using the data loss prevention tools needed for the DLP strategy—which keeps the plan from achieving its intended effect.
Getting buy-in from the C-suite in the organization is key for ensuring that everyone else in the company org chart is aware of how important the DLP strategy is and why they should follow any procedures required by the data loss prevention policy.
2) Trying to Back Up EVERY Piece of Data On EVERY Endpoint
In many organizations, there exists a large amount of redundant data on different terminals. This is not ideal at the best of times because of cybersecurity reasons, but it happens. When setting up their data storage backups, some organizations try to back up every single piece of data on every drive in the business.
While this sounds like a good idea for ensuring a thorough backup, there are a couple of reasons businesses shouldn’t do this:
- Some Information Shouldn’t Be On Local Endpoints to Begin with. If there is sensitive information such as customers’ personally identifiable information (PII) or payment card data being stored on local terminals, that could cause issues for the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and other regulatory compliance standards. This kind of sensitive data should not be on every employee terminal or point of sale (POS) system where it could be accessed by anyone. This kind of data needs to be on a database that is more securely protected from physical access.
- It Can Bog Down Your Backup Solution with Extraneous and Redundant Data. While storage for data is getting cheaper all of the time, that doesn’t mean it’s a good idea to waste space on useless data. Having too much data to store and record between backups can make a data backup tool operate less efficiently or be more prone to malfunctions (such as failing to back up the important information you actually need). The more endpoints the data loss prevention tool has to sift through and back up, the more likely it is to malfunction or be interrupted mid-backup. The best practice is to identify the organization’s “mission-critical” data—that data which the business cannot operate without—and focus on backing up just that information. This saves data storage space, makes the backup process more efficient, and is more reliable overall. After all, a business probably doesn’t need three terabytes’ worth of copies of the same instructional PDF from each of its computers.
So, when setting up a data loss prevention strategy, businesses should first perform a thorough inventory of all the data on all of their systems, identify which bits of data are mission-critical, and clean up extraneous data on their system’s various endpoints.
3) Keeping the Backup in the Same Space as the Original Servers/Databases
While this particular mistake is becoming rarer as cloud-based data backup solutions become more prevalent, some companies opt to use a local backup system to store a copy of their mission-critical data. This is a bad idea for a data loss prevention plan for one major reason—it exposes the backup to many of the same physical threats that could cause data loss on the primary server/database!
For example, if a natural disaster, such as a hurricane, earthquake, or flood destroys the data center, the backup won’t do much good if it is destroyed in the same event! Events not on the scale of a natural disaster, such as a power surge or blackout, could also take out the backup if it’s in the same facility as the primary server.
In other words, a key piece of advice for optimizing a data loss prevention strategy is to “avoid putting all of your eggs in one basket.” If the proverbial basket is destroyed, there go all of the eggs—including the backups. Instead, it’s best to use a remote data backup solution that minimizes the risk of one event taking out both the primary database and the backup at the same time.
4) Failing to Train Employees Regarding Data Loss Prevention Tools
While many data loss prevention tools can be automated (which helps to ensure that data is backed up regularly enough to avoid major data loss), it’s still important to consider the human element that will be interacting with these tools. When data is lost, what is the proper procedure for each employee to follow? Who is responsible for managing the DLP strategy and tools?
Training employees in the company’s data loss prevention policy is crucial for ensuring that they can follow it correctly. It is especially important that they know what they should do and who they should notify if they think they have encountered a data loss event. These responses should be second nature to employees so that, if an emergency occurs, they can quickly restore any lost data.
5) Neglecting Recovery Time Objectives in the DLP Strategy
It’s easy to become so preoccupied with how thoroughly a data loss prevention tool can protect the business from losing vital information that the time it takes for the tool to restore normal operation is overlooked. However, when trying to ensure business continuity, the recovery time objective (RTO) of a data loss recovery tool is crucial for avoiding disruption to the business.
However, not every business needs instantaneous recovery from data loss. It’s important for an organization to assess its needs and weigh them against the cost of specific data loss prevention tools that enable faster recovery.
For example, large B2C organizations that have frequent customer transactions that take place using stored financial information would need to have a very robust and rapid recovery tool—one that would make recovery nearly seamless. On the other hand, a business that mostly needs data for handling monthly bill pay may be able to use a solution that takes a few hours to restore lost data without much ill effect.
When choosing tools for the DLP strategy, it’s important to consider what an appropriate RTO would be for the business’ needs and plan accordingly.
Need help setting up a robust data loss prevention plan? Contact the experts at Compuquip Cybersecurity for help optimizing your data loss prevention tools and policies.
