Zero Trust Networks

How to Build and Implement a Data Protection Strategy

Share with your network!

There is no silver bullet in the world of cybersecurity. No single tool, control or protection can prevent every attack. That’s why it’s vital for IT teams to have the means to identify and safeguard sensitive information—wherever it is and whoever needs to access it. 

This is only possible with a comprehensive information protection strategy—one that can classify and ringfence sensitive data, reduce your attack exposure and lower compliance risk, so you can defend your data and protect your people without disrupting your business. 

To help you achieve these aims and more, here are five key considerations to keep in mind when building and implementing your data protection strategy:

1. Get total visibility  

Any successful data protection strategy must be tailored to your business and its risk profile. Off-the-shelf information protection tools may be powerful, but they’re not enough alone. So, before looking for solutions, determine what you’re trying to accomplish. That means gaining visibility into:

  • What you’re trying to protect—your customer data, IP, business processes
  • What you’re protecting it from—data loss, negligent and malicious insiders, encryption
  • What the risks are—accidental exposure, account compromise, IP theft, employee churn 

Only when you know what you want to achieve can you start to make a business case and build a strategy to accomplish it. So, the task now is to work with key stakeholders to demonstrate what is at risk, what is creating that risk and the resources you need to mitigate that risk. 

2. Start small 

In the early stages of building a data protection strategy, it can be easy to feel overwhelmed by the potential scope of the operation. There’s likely a wealth of information you’d like to protect, but it’s important to keep things in perspective. And remember, perfect is often the enemy of good. 

There’s no need to stretch your budget over 20 use cases when one will do the trick. If you have the budget to fix one problem right now, start with that. This one use case can act as a cost-benefit analysis, helping you to start small, prove the concept and then add to your defenses over time. 

3. Building vs. implementing

Building and implementing a data protection strategy are two very different tasks with very different challenges. There are few businesses out there that can build a strategy without expert guidance. With varying priorities and stakeholders, paralysis by analysis is commonplace. That’s why most IT teams need a security expert to say, “Let’s start here, and we can continue to have these discussions, rather than talking for six months before putting anything into action.”

The sooner you implement your strategy, the quicker you can access real-world data that will almost certainly influence your decision-making going forward. So, it’s always better to get the basics in place and adapt than to spend months planning based on what you think is happening within your organization. 

When it comes to implementation, once again, it’s important to keep in mind what you’re trying to achieve. There’s no worth in buying the best available tools if you’re unsure what you intend to do with them. But with a clear plan in mind, you can set about configuring tools—email, endpoint, cloud apps, web, on-premises and cloud protections—to defend your data. At the same time, you should also implement the other arm of your strategy to protect your people by flagging risky behaviors and reinforcing security best practices. 

4. Changing behavior

While tools and controls are vital parts of any data protection strategy, it’s your people who form the first and last line of your cyber defense. Think of cybersecurity technology as your safety net. It’s great to have it there, but you don’t want to test it out very often. 

Instead, you must educate your users to keep your business safe rather than rely on technology for protection. This requires comprehensive and ongoing security awareness training. There’s a saying in cybersecurity: Familiarity breeds commoditization. In other words, it doesn’t matter how sensitive your data is, if your people are working with it day to day, it becomes a commodity. 

So, it’s essential that you constantly remind them of the severe consequences of failing to protect that data and the role they play in doing so. The more they know about how they should treat information, the less likely they are to expose it to risk—and the smaller your attack surface becomes. 

5. Ensuring success

Against a constantly evolving threat landscape with users accessing data anywhere at any time, ensuring the success of any cybersecurity strategy is never easy. However, the best thing any organization can do to help its chances is to conduct an honest assessment of its people, processes and technology. 

By understanding your strengths and limitations in each of these areas, you can plug the gaps accordingly. For some businesses, this might mean looking to a security partner for nothing but guidance and advice. Others may have the best strategic minds but need more hands at the keyboards. Either way, the key is understanding where you need the most support and seeking it out at the earliest opportunity. Once every piece is in place, you can design and build a data protection strategy to get on with the job at hand—defending your data and protecting your people. 

Get your free copy of New Perimeters– Protect people. Defend data. 

Want to read more articles like this one? Access the latest cybersecurity insights in our exclusive magazine, New Perimeters. This publication is available to browse online, download to read later or receive in print directly to your door.

You can get your free copy of New Perimeters, the exclusive magazine from Proofpoint, here.