In my earlier article, ‘Is Data Protection significant?’ we clearly established that data protection is important, even more so than data security, at least in dollar terms. Now the question arises as to who should sit up and take notice and how should they go about the business of incorporating data protection in their organisational diet?
We partly answered the former with my last article, but here is where the critical mass question arises. Say I'm a small NBFC or a microfinance company and my turnover isn't in the hundreds of crores; or let's say that I am a large, human-resource-intensive firm with way too many people (sometimes externals like agents or franchisees). How can I, in either case, afford the solutions (which, to be honest, are not inexpensive)?
In real terms, each of your employees costs you approx. Rs 54,000 in damages due to data mismanagement, so the question follows: can I mitigate this loss at a lower-than-real cost? Yes, you can. Realistically, the RoI on the Comprehensive Data Protection Investment is between 1.5-2.5 years. I don't know of any business that gives you that kind of return, do you? So why aren't most CXOs sitting up and taking notice? Either it's short-sightedness, lack of compliance requirement, lack of knowledge, too many things already on the plate, sheer laziness, or a combination of all of the above; I really don't know. But in any case, it translates to negligent inefficiency.
You have the opportunity as a CXO to change that, and with real data to back your argument to the powers that control the finances for such acquisitions. Data security functions do not have such data to back them up. That is not to say they aren't required, they most certainly are, but there is no real data in terms of monetary sums to back them.
The cost is per head in most solutions, so even small and medium enterprises cannot afford to miss the wave that is hitting the big guns right now. I hope that gives you food for thought, because if it does it means you are a thought leader. Thought leaders drive organisations.
Let's come to the second and more complicated part of the question: incorporating the solutions into your organisational diet. How do you go about it? Easier said than done, so let's look at it piecemeal.
First, you must understand the data your organisation already has and how you want to treat it. This usually involves consultants (of which I am one) or best practice manuals that already exist. Nothing too expensive; you don't really need the Big 4 to tell you what to do. You already know, in bits and bytes, what you need to do. So you put together a list of your data and how you want to treat that data (access, storage, movement, destruction, etc. with respect to your organisational structure) and decide policies internally with your business heads. Once that's done, call in an expert to advise you on best practices. This may be a time-consuming effort, and it usually is, but it need not be. I know of one firm that put together its entire team of business heads in one room, teleconferencing and all, without any external electronic interference and got this done in 6 hours; this is an example of 'Deep Work' in tandem.
In large and complex organisations, it becomes critical to take the decision making out of the hands of the users and make it an organisation-wide, policy-driven decision which can be enforced through role / user-based access control policies.
Now how do we do that? In short, you have enterprise security in place for external threats; you must simply complete the ‘Data Protection Puzzle’ as follows.
Organisations have already existed for X number of years and so have loads of legacy data. How do you find and consolidate that data for implementation of data protection? There are 2 ways to do this: 1) you can use a data discovery tool, which is brute-force, algorithm-based software that locates and collates your data wherever it is, or 2) you could use the data discovery tool already present in your DLP software. The former is highly specialised and therefore very efficient but terribly costly, even for one-time users who will migrate to the latter solution for incremental data that is created. The DLP discovery tool is not half as efficient but, to be honest, it's already there, so it's free; you just need your DLP guy to come in and give you your AMC money's worth. Your expert and your DLP team will take care of the rest.
Then you implement what is known as a data classification tool, often forgotten, but the most crucial element of the data protection puzzle. Essentially, what this tool should do is embed metadata into your data / document, signalling to the remaining tools how that piece of data should be treated or handled (access, storage, movement, destruction, etc.). Without knowing what to do with the data, the RMS and DLP solutions that follow are rendered either inefficient or useless altogether. Those who have implemented RMS and DLP without data classification know what I am writing about. Without data classification, you will wind up making your RMS redundant and your DLP overloaded. With it, you create a zero-click environment, which serves to implement all your policies.
Next comes rights management software (RMS), which, simply put, encrypts your data and allows access based on the classification of the data. This, as the next stage of data protection, can be done in tandem with data classification, just like the rest of the tools. Usually it is best to find solutions that already work together, rather than trying to make them work together after buying them.
What should come last, but usually comes first, is data loss prevention (DLP). It is the guardian at your gates, which either allows or prevents data going outside the organisation based on, once again, classification.
Last, but not least, gauge your policies over time and make changes wherever necessary. This allows for flexibility.
The data protection puzzle is crucial in the implementation of UEBA, or User Entity Behaviour Analytics, which tracks the behavioural patterns of your employees. Well-implemented puzzles have prevented embezzlements, data theft and insider cyber-attacks, and have even alerted management to attrition; all ahead of time.
Finally, you will gauge that you have increased security, improved compliance, decreased costs, and improved productivity…not to mention reduced monetary loss arising from security breaches.
The work has already been done for you; now it becomes a matter of ‘organisational will’. Will you / your organisations take the lead?
Utkarsh Morarka is co-founder and business development head of IndusOne Business Solutions.