Attackers try every day to steal valuable and sensitive data from businesses, so data protection strategies focus on the infrastructure and policies that stop them. Protecting data is a central goal of cybersecurity and a primary component of compliance. The right controls keep attackers from stealing data and shield the organization from data loss. Data protection, then, is the set of strategies an organization uses to safeguard its data and maintain business continuity.
What Is the Purpose of Data Protection?
Data loss and corruption cost organizations billions every year. A single cybersecurity event costs close to $100,000, and costs continue to rise. An organization that suffers a data breach must pay for litigation, compliance fines, and new security controls, so it is cheaper overall to put the proper controls in place before an event occurs.
The purpose of data protection is to stop data theft before an organization suffers from the costly aftermath of a successful compromise. It also protects customers from losing their data to an attacker and possibly being a victim of identity theft and fraud. Avoiding a compromise isn’t the only benefit either. Data protection helps corporations find value in their data by cataloging it for future use.
Categories of Data Protection
While compliance drives the principles and practices in a data protection strategy, organizations should understand two main categories before implementing procedures. Each category breaks down into its own principles, which in turn define a separate part of the protection plan.
The two categories are:
- Data management: Oversees discovery of data as well as the archives and backups necessary for disaster recovery.
- Data availability: Data should always be available for productivity, and this category oversees the methods necessary for day-to-day operations.
Why Should Businesses Care About Data Protection?
Business continuity depends on information protection. For businesses to sustain business continuity, they need ways to recover from a cybersecurity event. For example, a misconfiguration or unexpected system failure can result in data corruption. Data protection plans would then come into play after these events.
The time it takes a business to recover from downtime affects revenue directly: while systems are down, the business cannot sustain productivity, and without productivity it cannot maintain revenue. Extended downtime can also slow future revenue growth and damage the brand.
Barriers to Data Protection
One difficulty businesses face when implementing data protection is the set of barriers that stand between them and an effective plan. As technology evolves and more businesses move to the cloud, the environment's attack surface grows, making it harder to defend against attacks.
A few barriers to consider include:
- Expanded attack surface: Adding backups, archives, and other components improves data protection but also adds to the attack surface. Every copy of sensitive data is another target that must be secured.
- Common vulnerabilities: Misconfigurations remain common and are often the root cause of a compromise. Other known vulnerabilities, such as unpatched software, persist and should be remediated before an attacker exploits them.
- Evolving privacy and reporting requirements: Organizations must consider compliance when implementing data protection, which requires an audit of the data they hold and an understanding of every applicable rule.
- Increase in IoT and mobile usage: Allowing IoT and mobile devices increases an organization’s attack surface and makes data protection more difficult, especially if the devices are user-owned.
How Encryption Helps
Data encryption is a foundational step in protecting data from attackers. It should be applied to data at rest and data in motion. Data transferred across the internet should be encrypted (in practice, with TLS and proper certificate validation) to prevent eavesdropping and man-in-the-middle attacks. Compliance requires some data to be encrypted at rest, such as sensitive information stored on mobile devices.
Strong encryption prevents attackers from reading stolen data: an encrypted mobile device yields nothing useful to a thief who steals it, provided the encryption key is protected by the device passcode or hardware keystore rather than stored beside the data. Encryption is only as strong as its key management, so keys must be kept separate from the data they protect. Compliance also dictates which data must be encrypted and how an organization protects it, so always check the applicable regulations before creating a plan.
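The following is an added example, not code from the original page or from Proofpoint, showing what "encrypted at rest" means in practice: a record is sealed with AES-256-GCM, so a thief who copies the stored blob gets nothing readable, and any byte they alter is detected on decryption instead of yielding garbage. The record contents, the `customer-42` identifier, and the in-memory key are constructed for illustration; in a real deployment the key would come from a KMS, HSM, or the device's hardware keystore, never from the same disk as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM. The returned blob is nonce || ciphertext || tag.
// aad (additional authenticated data) is authenticated but not encrypted: binding the
// record's identifier to the ciphertext stops an attacker from swapping one customer's
// encrypted record into another's slot.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record; never reuse with the same key
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. It fails closed: a wrong key, a modified byte
// anywhere in the blob, or mismatched aad yields an error rather than corrupted plaintext.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, aad)
}

// NewKey returns a random 256-bit key. In production the key lives in a KMS/HSM or the
// device's hardware keystore (assumption for this example: it is generated in memory).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, _ := NewKey()
	record := []byte("ssn=123-45-6789;dob=1980-01-01") // constructed sample record
	aad := []byte("customer-42")                       // constructed record identifier
	blob, _ := Encrypt(key, record, aad)
	fmt.Printf("stored on disk: %x\n", blob)

	// Flip one ciphertext byte, as a thief with disk access might; GCM rejects it.
	blob[len(blob)-1] ^= 0x01
	if _, err := Decrypt(key, blob, aad); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The check a practitioner should carry away is the failure mode: with an authenticated mode such as GCM, a tampered or wrong-key blob is refused outright, whereas unauthenticated modes would silently return garbage that an application might then process.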
Principles of Data Protection
Protecting data is not a single step. Complete information protection involves several components, and most large organizations apply several of the principles below. Any organization subject to compliance regulations or holding highly sensitive data (e.g., financial or healthcare) should implement all of these categories in its cybersecurity controls.
Categories in data protection include:
- eDiscovery and compliance: Discover data that should be cataloged, tagged, and placed under access controls. This can be done with eDiscovery analytics solutions.
- Archiving: Store old data in a separate location to free up storage space but keep a copy of data should it be needed in an investigation. This can be done with archiving solutions.
- Backups: Take a copy of data for disaster recovery after a compromise or corruption.
- Snapshots: Point-in-time images of a volume or virtual machine that, unlike file backups, capture system configuration so that whole servers can be recovered.
- Replication: Data replicating across environments provides redundancy.
- Availability: Any production data must be available for daily business operations to sustain revenue growth.
- Disaster recovery: A disaster recovery plan remediates any lost data and returns the system to normal for continued business productivity and minimized downtime.
- Business continuity: To sustain productivity, every effort should be made to ensure data stability and availability.
Today’s system environment is comprised of multiple operating systems and platforms, including the cloud. To continue operations, data must be portable across each environment. However, the convenience of portability should also involve protecting data from eavesdropping, theft, and corruption.
One issue with data portability is integration with the cloud. More organizations recognize that the cloud suits backups and archiving, so any disaster recovery plan should account for the time needed to restore data from the cloud to on-premises storage. Cloud providers secure the underlying platform, but administrators remain responsible for configuring migrated data for protection and availability, including the access controls needed to defend against theft.
Convergence of Disaster Recovery and Backups
Backups have always been necessary for business continuity, and they are now an integral part of disaster recovery. Instead of taking backups only at a fixed interval, organizations back up data continuously and strategically so that the business can be returned to its state just before the event.
Storing large amounts of data is expensive, so organizations typically use the cloud to avoid on-premises storage costs. A good disaster recovery plan deduplicates data to keep storage manageable and verifies that no data is lost while restoring a backup to the affected system.
Protecting Enterprise Data
Small and large organizations both benefit from data protection, but an enterprise has many moving parts, a large attack surface, and enormous amounts of data to protect. Its strategy therefore differs from a small business's in scale and complexity.
A few components in enterprise data protection include:
- Intelligent visibility: Enterprise administrators must be aware of all data across the environment so that it can be monitored and protected.
- Proactive mitigation: Reactionary cybersecurity is expensive and can severely damage revenue, but proactive mitigation tools and services detect and stop an ongoing attack before it becomes a full compromise.
- Continuous control: Administrators must create a data protection plan that gives them persistent control over access and visibility.
Every business struggles with an expanding attack surface and new threats in the wild, which make it harder to create a good data protection plan. While planning the infrastructure and procedures needed to protect data, administrators must prepare for several potential problems, including:
- Data corruption: Backups must be secure and valid, so every backup should be verified (checksums against a stored manifest, plus periodic test restores) to ensure it is not corrupted. A corrupted backup can wreck a disaster recovery plan at the moment it is put into action.
- Storage system failures: Every storage system should be available so that productivity is always maintained, and backup storage locations should also be available so that disaster recovery can be executed immediately when needed.
- Datacenter and connectivity failures: Organizations that rely on the cloud or a hosted datacenter need persistent, reliable connections to it. A secondary ISP or failover connection is often necessary in case of connectivity loss.
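The following is an added example, not code from the original page or from Proofpoint, of the backup verification step mentioned under "Data corruption" above. It also covers the later point that ransomware targets backups: each file in a backup set gets a keyed HMAC-SHA256 digest recorded in a manifest, and verification reports any file that was changed, removed, or added since the manifest was written. The backup set, file contents, and manifest key are constructed for illustration; the design assumption is that the manifest key is held in the disaster-recovery vault, not on the backup server, so an intruder who can rewrite backup files cannot also forge matching digests.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Backup is an in-memory stand-in for a backup set: file path -> contents.
// (Constructed for this example; a real implementation would walk a directory or object store.)
type Backup map[string][]byte

// BuildManifest computes a keyed HMAC-SHA256 digest for every file in the set.
// The path is mixed into the MAC so that two files cannot be swapped without detection.
func BuildManifest(key []byte, files Backup) map[string]string {
	m := make(map[string]string, len(files))
	for path, data := range files {
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(path))
		mac.Write([]byte{0}) // separator between path and content
		mac.Write(data)
		m[path] = hex.EncodeToString(mac.Sum(nil))
	}
	return m
}

// VerifyBackup recomputes every digest and returns a sorted list of findings:
//   "corrupt <path>"    content changed (bit rot, or a file ransomware re-encrypted)
//   "missing <path>"    listed in the manifest but absent from the set
//   "unexpected <path>" present in the set but not in the manifest
// An empty result means the set matches the manifest and is safe to restore from.
func VerifyBackup(key []byte, files Backup, manifest map[string]string) []string {
	var findings []string
	current := BuildManifest(key, files)
	for path, want := range manifest {
		got, ok := current[path]
		switch {
		case !ok:
			findings = append(findings, "missing "+path)
		case !hmac.Equal([]byte(got), []byte(want)): // constant-time compare
			findings = append(findings, "corrupt "+path)
		}
	}
	for path := range current {
		if _, ok := manifest[path]; !ok {
			findings = append(findings, "unexpected "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	key := []byte("manifest-key-kept-in-dr-vault") // constructed; use a random key in practice
	backup := Backup{                                // constructed sample backup set
		"db/customers.sql": []byte("INSERT INTO customers VALUES (1,'alice');"),
		"etc/app.conf":     []byte("listen=0.0.0.0:8443\n"),
	}
	manifest := BuildManifest(key, backup)
	fmt.Println("fresh backup findings:", VerifyBackup(key, backup, manifest))

	// Simulate ransomware encrypting one backup file and dropping a ransom note.
	backup["db/customers.sql"] = []byte("\x8a\x11\x02encrypted")
	backup["README_DECRYPT.txt"] = []byte("pay 5 BTC")
	fmt.Println("after ransomware:", VerifyBackup(key, backup, manifest))
}
```

Run the verification before every restore and on a schedule, and keep the manifest with the offline or immutable copy: a manifest that an attacker can rewrite along with the files proves nothing, which is why the digests are keyed rather than plain SHA-256.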
Data Protection Trends
Cybersecurity changes daily as new threats are found and attackers find new ways to bypass security, so data protection practices change to keep up. Administrators need not adopt every trend, but the latest technology often helps stop the latest threats.
A few trends to consider include:
- Hyper-convergence: Organizations now have a combination of virtual and physical machines, and all environments must be backed up. When designing a plan, ensure that virtualized servers and network devices are included.
- Ransomware: Absent a working decryptor, the only reliable way to recover from a sophisticated ransomware attack is to restore from backups. Ransomware operators know this and target backups, so data protection plans must secure backup files and storage locations, keeping at least one copy offline or immutable where the attacker cannot encrypt or delete it.
- Copy data management: Redundancy is necessary for good data protection, but mismanaged copies can become a nightmare of data loss and corruption. Planning should include a single catalog of every backup copy and safeguards so that one backup system does not overwrite another's data.
Mobile Data Protection
The organization's own devices and servers are easier to manage because the organization owns them and controls what can be installed. User-owned devices are harder because corporate data must be protected without interfering with the user's personal data and applications.
Allowing workers to use their own mobile devices improves productivity but also increases risk. Administrators must ensure that mobile data is protected with mobile security controls, typically device encryption, mobile device or application management, and remote wipe. This part of cybersecurity management is much harder than managing internal servers and appliances. Mobile data should be included in backup strategies, and the device must keep its data protected after physical theft.
Differences between Data Protection, Security, and Privacy
Every component in cybersecurity serves a purpose in protecting data, but compliance regulations distinguish between protection, security, and privacy. Organizations must understand these differences to implement the proper controls to stay compliant and avoid fines.
- Data protection: Any appliance or application that stops cyber attacks and protects data from theft is part of data protection.
- Data security: Cybersecurity resources that protect from unauthorized access and data manipulation or corruption fit into the data security category.
- Data privacy: Auditing data and determining who should have access to it, along with monitoring access requests, are components of data privacy.
Data Protection and Privacy Laws
Most countries have their own privacy laws, and organizations operating in them must comply. The two most prominent data privacy laws are the European Union's General Data Protection Regulation (GDPR), which took effect in 2018, and the California Consumer Privacy Act (CCPA) in the United States, which took effect in 2020. Both carry severe penalties for non-compliance. Each has its own requirements, and organizations should review and follow them.
Data Protection for GDPR
The EU's GDPR is one of the most complicated laws to follow and carries some of the most severe penalties for non-compliance: fines of up to 4% of global annual turnover or €20 million, whichever is higher. Its goal is to give consumers more control over their data and a better understanding of how organizations use it. If your organization stores personal information about EU residents, read the requirements. A few broad requirements:
- Organizations need a lawful basis for processing personal data; where that basis is consent, it must be freely given, specific, informed, and unambiguous.
- Notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and notify affected individuals without undue delay when the breach is likely to put them at high risk.
- Appoint a data protection officer to oversee data governance when the organization's core activities involve large-scale, regular monitoring of individuals or large-scale processing of sensitive data.
Examples of Data Protection
Every organization has its own data protection plan that should follow basic standards to safeguard data. The tools and appliances used to protect data depend on the organization’s infrastructure and storage practices (e.g., on-premises vs. cloud storage).
A few examples of data protection include:
- Data security: Authentication is required to access data.
- Access controls: The user must be authorized to view data.
- Storage requirements: Is data protected at-rest and in-motion?
How Proofpoint Can Help
It’s challenging for organizations to audit data and determine the proper protection strategies across an environment. Proofpoint Information Protection solutions can help organizations audit and discover data, create a strategy that follows GDPR and other compliance regulations, and protect data from theft or destruction. We will streamline incident responses and create an environment that safeguards data from external risk, including threats that target cloud platforms.