Cloud computing, social networks and the marked increase in the use of mobile devices connect everyone and everything. The days when company data remained within the physical borders of the company network are long gone, and as a result that data is much harder to protect. At the same time, data protection legislation is becoming much stricter – the new European General Data Protection Regulation (GDPR) is a good case in point. How can your company deal with this new reality? A good data protection policy starts with a step-by-step plan.
Step 1: Place data protection (high) on the agenda
The crucial first step is realising the vital importance of data protection. Creating and sustaining that awareness is necessary if you’re going to allot the proper internal resources and launch projects. Today we see that large companies are generally more acutely aware of the importance of data protection. Positions such as Chief Security Officer (CSO), Chief Data Officer (CDO) and Chief Privacy Officer (CPO) are being created with the aim of developing and fine-tuning data protection and data privacy policies and integrating them into the overall IT security policy. New legislation, such as the above-mentioned GDPR, is obviously a driving factor, but the agenda is also influenced by the extensive (social) media attention given to major data leaks and the resulting damage claims.
Awareness grows more slowly amongst SMEs, and in any case it is still much too low. Still, they are subject to malicious attacks resulting in data loss just as often – or even more frequently. SMEs often have a false sense of security. They are convinced that technology alone – such as a firewall or antivirus protection – will keep them out of harm’s way. They are not always convinced of the importance of good management… until it’s too late. That is why SMEs are best advised to consult a specialised partner who can develop an effective approach.
Step 2: Needs analysis
The next step consists of identifying the risks and needs in terms of data protection. These are different for every company. The main vulnerabilities and needs are defined through a risk-based analysis. What are the crucial processes, applications and data? What is the impact of data loss? If your company uses a lot of tablets then their protection will require extra attention. Incidentally, one of the major risks is always the end user, which means that raising end user awareness is a top priority in any security policy.
Step 3: Implement an integrated policy
An integrated policy is formulated based on the risks and needs. This includes not only technological choices but also processes, management and responsibilities. After all, data protection affects the company as a whole; it is not the sole responsibility of the IT department. Keep in mind that this is not a one-off project or operation; it is a process that must be continuously protected and monitored.
By the way, adequate data protection doesn’t have to cost an arm and a leg. For many SMEs, a few basic but indispensable security measures would make a real difference, for instance installing the right software and hardware patches. More and more often, both large and small companies elect to store data in professional data centres or with a cloud services provider, who can also perform management tasks related to, among other things, data traffic, backups and IT security. Many companies no longer have all the in-house expertise and tools to properly configure, monitor and manage their data protection.
The security of company data has become a basic condition for business continuity and even an absolute necessity if your company is going to be considered a reliable business partner or supplier. Compromised or lost data not only inflicts economic damage but also has a negative impact on your reputation and your competitive position. More than enough reason to invest in data protection…