Six questions to ask about data security

So how much does your company know about data? Here are six questions you can ask to assess your enterprise data security.
1. Who's in charge of our data?
Forbes reports that in a 2018 survey, 63.4% of the respondents said their company has a chief data officer (CDO) in place, up from 12% in 2012. No matter their title, there should be someone in your organisation who knows exactly what data is being collected, and how it is stored and processed.
Employees often have more access to data than they need, and responsibility for data is often held in silos without an overview. With a central authority holding a clearly defined role, businesses can build a secure data architecture.
63.4% of surveyed companies now have a CDO
2. What data is being collected, and how is it used?
In the age of Big Data, companies are starting to realise that their data is valuable, though exactly how it can be used is often unclear. Countless processes are tracked and data is stored in hopes that someday it will turn into a real profit maker.
A data architecture allows a business to know exactly what data is being collected from what sources. According to McKinsey, rather than an additional layer, security should be treated as a basic design principle of an enterprise data architecture.
Figure: Cyber attacks on industries worldwide, 2017 (source: Statista).
3. Do we need all this data?
According to the Harvard Business Review (HBR), most businesses use less than 50% of their stored structured data in decision making, and more than 99% of unstructured data is left unused and unanalysed. Cutting back on this unused data reduces the "attack surface" of what can be compromised.
But even deleting files and destroying documents need to be done with care. Best practices must be followed to ensure that both electronic and paper documents are destroyed without compromise.
99% of unstructured data is unused and unanalysed
4. What does regulation say?
While regulations vary around the world, in general rules are getting tougher. Setting the standard is the EU's General Data Protection Regulation (GDPR), which goes into effect May 25, 2018.
Rather than data collection, GDPR is focused on storage and processing. The regulation demands more transparency from any company doing business in the EU. With serious penalties threatened for violators, compliance is in the financial interest of all enterprises.
5. What cyber risks should we look out for?

According to the Massachusetts Institute of Technology (MIT), there is plenty to be concerned about when it comes to cyber threats. On the top of their list are the familiar threats from data breaches and ransomware.
Emerging threats come in the form of cyber-physical attacks that utilize the digitized "things" that make up the Internet of Things (IoT), the hijacking of devices' computing capacity to mine cryptocurrency, and the weaponising of artificial intelligence (AI) to find the best ways to take advantage of human nature. With such sophisticated threats lurking in the digital corners, businesses need to take ever-stronger steps to mitigate the risks of cybercrime.
6. What's our contingency plan?
Once there is a plan in place for the collection, storage and protection of your company's data, you need to plan for the worst. The Global State of Information Security Survey found that in 2017, IT security incidents caused more than eight hours of downtime for 31% of the impacted organizations surveyed.
This threat applies to enterprises large and small across all industries. Waiting for something to happen will be far more expensive than taking the time to prepare a plan.
Establishing a chain of command to deal with an attack is the first step (this is where your CDO comes in). Companies should then write a plan considering factors such as incident management, crisis communication and business interruption. As businesses and threats change, this plan should be reassessed on a regular basis to minimise the risk of cybercrime.
HDI Global can help you answer these questions and more
The tactics of cyber criminals are diverse. To balance global risks with local requirements and specialised needs, HDI is expanding our range of offers for cyber coverage in several countries. In addition to a company’s own IT security, HDI provides insurance solutions against losses resulting from cyber attacks.