Define, educate, prevent: Avoiding data loss is easier than you may think

Most organizations believe they aren't in danger of losing data, but as recent news demonstrates, the threat is real and no organization is immune.

In a recent CDW report on threat prevention, data loss emerged as the No. 1 cybersecurity challenge faced by medium and large businesses. Fully 37% of IT security decision makers surveyed for the report cited data loss as "the next big security threat" their organizations face, naming it a bigger threat than viruses, worms, malicious attacks and botnets.

Just envisioning the potential consequences of data loss is enough to keep executives up at night. Data loss of any kind can damage an organization in countless ways. From a simple hard-cost standpoint (forensics, notification, credit protection, etc.), data loss is expensive, costing an estimated average of $200 per record breached, or an average of $6.8 million per total breach, according to a recent Ponemon Institute survey.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Most organizations believe they aren't in danger of losing data, but as recent news demonstrates, the threat is real and no organization is immune.

In a recent CDW report on threat prevention, data loss emerged as the No. 1 cybersecurity challenge faced by medium and large businesses. Fully 37% of IT security decision makers surveyed for the report cited data loss as "the next big security threat" their organizations face, naming it a bigger threat than viruses, worms, malicious attacks and botnets.

Just envisioning the potential consequences of data loss is enough to keep executives up at night. Data loss of any kind can damage an organization in countless ways. From a simple hard-cost standpoint (forensics, notification, credit protection, etc.), data loss is expensive, costing an estimated average of $200 per record breached, or an average of $6.8 million per total breach, according to a recent Ponemon Institute survey.

SECURITY THREAT: Too many data loss prevention tools become shelfware, says analyst

The true cost, however, is much harder to measure when considering factors such as lost competitive advantage, loss of revenue, litigation and company reputation.

The first step to prevent data loss is to accept that data loss is a real problem. Truly solving the problem can be boiled down to three simple concepts: define/baseline, educate and enforce.

Define data and create a baseline

This is not the typical, monstrously large (and perpetually doomed-to-failure) information classification project that so many IT organizations have undertaken and then abandoned. The key to success is to draw a distinction between confidential information (e.g. Social Security numbers) and confidential documents (such as a file containing Social Security numbers).

In today's IT world, nearly everyone is an information worker. In the course of business, people make copies of files, create reports, post them to SharePoint sites, etc. Trying to categorize information at the document level is typically prohibitively difficult because these documents are rapidly moving targets.

That said, the definition of "confidential" is usually straightforward. The simple data points that allow for fraudulent monetization of data (first and last name, address, Social Security number, credit card number, driver's license number, banking information, etc.), as well as data protected by regulation (e.g. HIPAA), are the minimum any organization should protect.

But every organization also has business critical data. Examples include the trading algorithm that was almost stolen from a well-known investment banking firm, the next quarter's sales pipeline for a reseller, pre-product-launch research data for a biomed firm or the source-code for a product at a software company.

Your next step should be to define what "business critical confidential" means to your organization. In the simplest terms, that definition should be measured against three standards:

➢ Would the loss of this information materially affect revenue and profitability?