Data security is a growing concern for organizations of all sizes as sophisticated cyberattacks continue to increase rapidly every year. According to McKinsey & Company, companies are planning to spend over $101.5 billion on security by 2025.
However, cybercriminals continue to compromise corporate data and systems. A data security policy, sometimes known as a cybersecurity policy, is indispensable for any business to handle sensitive data responsibly and earn trust. Creating a good data security policy helps prevent data leaks and data breaches, reducing the risk of financial losses.
1. The total amount of data created, captured, copied, and consumed globally reached 64.2 zettabytes in 2020. The number is projected to reach 180 zettabytes by 2025. Mobile platforms, remote work, and other digitalization needs depend on high-speed access to large data sets, increasing the chance of a breach.
2. Hacking has become a $300 billion industry and is operated like an organized business, with P&L budgets and hierarchies. Hackers are using AI, machine learning, and other technologies to execute sophisticated data breaches.
3. Based on a report by Cisco’s Kenna Security, nearly 20,130 software vulnerabilities were reported in 2021 – that’s 55 vulnerabilities a day. That rate makes it difficult for IT teams to patch every vulnerability.
4. Humans have by far been the weakest link in an organization’s cybersecurity defenses. 82% of breaches involved human error, misuse of privilege, or social engineering attacks. According to the latest data breach report by the IBM Ponemon Institute, a data breach caused by accidental data loss or lost devices costs businesses nearly $4.11 million.
5. Data security standards, laws, and regulations tend to lag behind business and technological changes, catching up only after the fact.
A breach lifecycle is the time between a data breach and its containment. In 2021, the average breach lifecycle was 287 days–212 days to identify the breach and 75 days to contain it. The more time to identify and contain a breach, the costlier it gets.
According to research by IBM, the most expensive data breaches were:
The cost is further amplified by the increase in the remote work model. 5% of the data breaches last year involved remote workers, with the average cost of a breach increasing by $1.07 million when remote workers are involved.
The remote work model has now become a part of the new normal. Organizations should address these data security risks in a way that improves security regardless of the location or mobile device employees work on.
To prevent intentional or unintentional breaches created by employee use of software or mobile devices, developing thorough data security policies is essential. The complexity of the business and the industry in which it operates influence security policies. However, there are a few key components that form the basis of a feasible data security policy.
The acceptable use policy defines proper and improper behavior when users access company network resources. For example, an employee may wish to download software from the internet to be more efficient at work.
However, downloading unverified software from a questionable website could install malicious software on the system. Using the company’s resources for personal business is also inappropriate and introduces risk.
A password policy should be established for all employees and temporary workers accessing corporate resources. To reduce the risk of compromised credentials, establish a password policy based on job functions and data security requirements.
Passwords should be changed on a regular schedule and should not be reused in succession. Passwords should never be shared.
The costliest data breaches occur due to employee misuse of business email. It often results in the loss or theft of corporate data or unintentional downloading of malware and other malicious software.
Clear standards should be established regarding email usage, message content, encryption, and file retention to thwart phishing and other email-based attack vectors.
Employee misuse of the internet at work can create awkward (or even illegal) situations, and unrestricted access can tempt employees to spend time on non-work-related activities. Defining a clear internet use policy can limit the websites they visit.
Companies may want employees to be productive, but security concerns should dictate how internet guidelines are formulated. For instance, files downloaded from a file-sharing website can contain malware or expose a company to liability if the downloaded material is copyrighted.
Social media websites have now become a goldmine for hackers, with easy access to sensitive information and personal data. This gives bad actors the opportunity to carry out social engineering attacks.
A strong social media policy and active governance can ensure employees communicate within the parameters set by the company and follow data privacy best practices.
The data security policy should address incident response and reporting. There should be a procedure in place for employees and contract workers to report suspected malware introduced into the system.
The policy should also specify how a data breach is handled and by whom, how security incidents should be analyzed, and how lessons learned are shared to prevent future incidents.
Mobile device management is an important technology element to keep in mind when developing or updating data security policies. MDM can enforce the aforementioned people-side of data security policy as well as manage company-owned and personal (BYOD) devices.
| Threat | Mitigation using MDM |
| --- | --- |
| Theft and loss | Remote data wipe: the MDM feature allows IT teams to remotely lock a device and delete its data, protecting information from compromise when a mobile device is lost or stolen. |
| Malware | Allow only approved apps: irrespective of a company’s mobility strategy (BYOD, COBO, COPE), businesses can specify a list of approved apps and use MDM to block or disable unapproved apps to ensure compliance and safety. Also maintain a list of allowed websites that users can visit on their work devices, and schedule automatic OS updates on devices to protect against known vulnerabilities. |
| Public Wi-Fi | Set up a VPN: configure virtual private networks so that devices hide their internet protocol (IP) address and browse the internet over an encrypted connection. |
| Weak password | Remotely configure password settings (length, complexity, periodic updates) by using the MDM solution to push policies directly to devices. |
| Email breach | Conditional Email Access: a data security policy that restricts user access to corporate inboxes. In its simplest form, the policy follows an if-then statement. For example, if a user device, especially a BYOD device, is not enrolled, then the user does not get access to their mailbox. |
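To show how the if-then logic of Conditional Email Access can be combined with the other controls in the table (enrollment, OS updates, approved apps, password settings), here is an added Python example that is not code from the article or from any MDM product; the thresholds, the approved-app list, the device fields, and the sample devices are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed policy thresholds, not values stated in the article.
MIN_PASSWORD_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90
MIN_OS_VERSION = (16, 0)
APPROVED_APPS = {"mail", "calendar", "vpn"}


@dataclass
class Device:
    """Constructed device record, as an MDM agent might report it."""
    enrolled: bool
    os_version: tuple
    password: str
    password_age_days: int
    password_history: list  # previously used passwords, most recent first
    installed_apps: set


def password_violations(pw: str, age_days: int, history: list) -> list:
    """Return the password-policy violations (an empty list means compliant)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append("password too short")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw) and re.search(r"\d", pw)):
        problems.append("password lacks complexity")
    if age_days > MAX_PASSWORD_AGE_DAYS:
        problems.append("password expired")
    if pw in history:
        problems.append("password reused")
    return problems


def evaluate_mailbox_access(device: Device) -> tuple:
    """Conditional Email Access: IF any check fails THEN deny the mailbox, with reasons."""
    reasons = []
    if not device.enrolled:
        reasons.append("device not enrolled in MDM")
    if device.os_version < MIN_OS_VERSION:
        reasons.append("OS below minimum version")
    unapproved = device.installed_apps - APPROVED_APPS
    if unapproved:
        reasons.append("unapproved apps: " + ", ".join(sorted(unapproved)))
    reasons += password_violations(device.password, device.password_age_days, device.password_history)
    return ("allow" if not reasons else "deny", reasons)
```

The returned reasons list is what an administrator would log or show the user so the device can be brought back into compliance.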
Each new piece of technology brings with it the risk of a data security breach. There is a pressing need for enterprises to develop practical data security policies, particularly for mobile devices, to protect data and reduce risk exposure. Companies can utilize mobile device management to enforce data security regulations and reduce problems caused by employee use of software and devices.