Data loss prevention, or DLP, has moved from a nascent concern to a major priority for companies across industries—and understandably so. Data is growing exponentially, and at the same time, an unprecedented number of employees are now working remotely.
Even before the COVID-19 pandemic prompted dispersed work arrangements, incidents of data loss—a company’s loss or compromise of critical private information, whether through malicious acts or by accident—were on the rise. And such incidents were costing companies an average of $3.9 million, according to the 2019 Cost of Data Breach Report from the Ponemon Institute.
As companies continue to support greater mobility, the potential grows for both major data breaches and pervasive data leaks.
Meanwhile, the cost associated with data losses is increasing. Following the European Union’s introduction of General Data Protection Regulation (GDPR) in 2016, other regulators have rolled out their own protections, such as the California Consumer Privacy Act (CCPA). Still, fines and fees can be a drop in the bucket relative to the real cost of a data breach—diminished customer trust and brand reputation.
Following are the key elements for company leaders to understand about safeguarding data.
Make Data Protection a Priority
While company executives generally defer to IT teams when it comes to data, they should also understand the risks and potential solutions—and make data protection a top priority across operations. To be sure, incidents of data loss occur 38 times more often than IT leaders presume, according to the State of DLP 2020 Report from email security company Tessian.
The top five types of data that were compromised in 2019, according to the study, were:
- Personally identifiable information (37%)
- Authentication credentials (35%)
- Intellectual property (33%)
- Corporate financial data (30%)
- Payroll/credit card data (27%).
Create a Company-Wide Plan
Data loss prevention today starts with creating a DLP policy that, among other things, identifies sensitive information and outlines the rules and expectations around how it's shared and protected. This is particularly important in heavily regulated industries such as health and finance. This policy should cover the entire company, including vendors and third parties.
While IT teams can create protocols around sharing and storing data, those measures only go so far. Companies that are serious about data protection take steps to onboard and educate employees about their responsibilities.
Employees and partners also need to be given clear instructions about what is and is not acceptable—with explicit guidelines for working on- and off-premise. In fact, nearly half of employees surveyed in the State of DLP 2020 Report said they were less likely to follow safe data practices when working from home. In a survey conducted by Forrester, meanwhile, respondents indicated that 48% of data breaches in 2019 involved insiders, such as employees and third-party partners.
Know the Weak Links of Email
The threats of data loss come from many areas, but email is one of the single biggest areas of concern for data security leaders. That's especially true now that more employees are working via email from home networks or computers with lower security profiles.
For one thing, email is vulnerable to phishing—when an outside entity tries to gain personal, private, sensitive or financial information by appearing to be a known entity such as a trusted financial institution or even the U.S. Treasury. In the case of business email compromise (BEC), or "CEO Fraud," criminals use compromised addresses, phished credentials, or look-alike accounts to trick key business stakeholders into completing fraudulent transactions.
Even when companies have strong protections, human error can create inadvertent issues, such as emails sent erroneously to unintended recipients or containing sensitive information.
Avoiding email-security issues is a matter of putting the right technology in place. For example, IT teams can monitor emails for suspicious activity, require multi-factor authentication, and take other steps. That said, one of the best defenses is training and education around the risks and best practices when using email to share data.
Invest in the Right Tech and Tools
There is no substitute for creating clear policies and raising awareness, but technology can help companies shore up their data protection at many points along the way.
For example, multi-factor authentication is gaining traction across a wide range of industries and for companies of all sizes. Creating multiple security steps for gaining access to company networks is particularly important as more people are working remotely. It also offers an extra level of security in the event that mobile phones, laptops or other devices with sensitive information are stolen.
File protection is another safeguard, since data loss can occur when employees send documents to their home computers and subsequently share or access them. Under the banner of DLP, many new apps provide file protection, file permission and tracking to secure employee and client files outside of the company’s boundaries.
Taking this further, some companies—particularly in highly regulated areas—have deployed real-time surveillance. These programs, such as Bloomberg Vault, notify compliance teams when there is a possible breach. Just as many email services alert senders about forgotten attachments, these programs might include features that monitor employee communication and warn employees about potentially sensitive emails or data transfers before they press send.
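As an added illustration (not code from this article or from any product it names), the following Python sketch shows how a pre-send warning of that kind can work: it looks for card numbers and U.S. Social Security numbers in the message text and warns only when a recipient is outside the company. The internal domain, the addresses and the sample message are constructed assumptions, and attachments are not scanned.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN layout

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, masked value) pairs; raw values never reach the log."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    found += [("us_ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    return found

def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is outside INTERNAL_DOMAINS."""
    raw = [str(h) for f in ("To", "Cc", "Bcc") for h in msg.get_all(f, [])]
    return sorted(a.lower() for _, a in getaddresses(raw)
                  if a and a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)

def pre_send_check(msg):
    """Warn only when sensitive content is about to leave the company."""
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    findings, outside = find_sensitive(text), external_recipients(msg)
    return {"findings": findings, "external": outside,
            "warn": bool(findings and outside)}

def sample_message(to):
    """Constructed sample: a standard test card number and a non-card reference."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.com", to
    msg["Subject"] = "Payment details"
    msg.set_content("Card on file: 4111 1111 1111 1111. Invoice ref 1234567890123456.")
    return msg

if __name__ == "__main__":
    print(pre_send_check(sample_message("carol@example.com, Bob <bob@partner.test>")))
```

The Luhn check is what keeps the 16-digit invoice reference from being flagged as a card number, and findings are masked so the warning itself does not copy the sensitive value into logs.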
Data protection was a growing concern even before COVID-19 drove the need for more fluid work environments. Now, with more remote teams dealing with ever-increasing data, safeguarding these assets should be a top priority for everyone.