Data is the lifeblood of any organization. Incorrect or poor use of data can severely impact an organization’s operations and expected outcomes. Risk has to be identified, understood, quantified, and parsed into categories, including avoid, transfer, mitigate, and so forth. Acceptance of risks to data and dealing with its consequences should be an “eyes-wide-open” endeavor. In other words, Data-driven risk management is a necessary capability for all organizations.
Data risk management includes all practices for identifying risks, assessing risks, and reducing risks to an acceptable level. This has always been important, but now the stakes are higher with new remote work, cyber security breaches, and cloud security risks. The annual cost of a Data Breach Report, conducted by Ponemon Institute, found that data security breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report. Ponemon states that security is lagging rapid IT changes such as remote work and cloud-based activities. And, the results come with significant consequences. Nearly 20% of organizations studied reported that remote work was a factor in the data security breach, and these breaches ended up costing companies $4.96 million (nearly 15% more than the average breach). Companies in the study that experienced a breach during a cloud migration project had an 18.8% higher cost than average.
Reflecting on the above trends and the reality that cloud and a remote workforce are here to stay, you’ll need to focus on securing them as part of your data risk management strategy, understanding their potential risks and threats, their likelihood of occurring and potential impact, your current security posture, and your remediation steps. Indeed, each comes with unique challenges that you will need to address. Cloud risks are complicated by lack of cloud visibility, risks of big data, data migration risks, cloud storage security risks, cloud misconfigurations, and more. On the other hand, remote work security concerns stem from data leakage, low visibility into users operating outside the corporate network, and phishing attacks, to name just a few issues.
Data Risk Management
Data risk management Is the practice an organization uses with governance, process, procedures, and compliance for acquiring, storing, processing, transforming, and using data to manage and eliminate data risks. Risk analysis involves looking at organization assets, possible threats, and vulnerabilities to determine risk then putting in countermeasures relative to managing risk.
Data risk is due to:
- Poor data governance – Organizations have to ensure that their data is of high quality to support organizational decisions. Good data governance balances the need to democratize data against the need to know and need to use data.
- Data mismanagement – The entire lifecycle of data has to be protected as data moves from one stage to the next, including data at rest and in transit. All practices for acquiring, storing, transforming, loading, and processing of data have to be managed appropriately.
- Inadequate Data Security – Organizations have to keep up with protecting their environment from cyberattacks and unintentional internal data compromises, with patches, education, a zero trust model, etc.
- Bad patch management – System patches have to keep up to date and be timely; a window of opportunity for cyberattacks can happen if patch management is not done effectively and efficiently. As much as possible, patch management should be bulletin-based and automated.
- Continuous Diagnostics and Mitigation (CDM) – In accordance with US-CERT, organizations should implement an automated, risk-based IT security program, covering all infrastructure, applications, and data both on-premises and across their cloud deployments. Rarely is either the hardware or applications environment permanently damaged or have downstream, unpredictable ramifications; the same cannot be said for data risks. A Prevent-Detect-Respond risk analysis must focus on data risks as the core for a CDM cyber-security program.
Some benefits of managing data risks:
- Reduce cost to an organization in many ways, including regulatory fines, time wasted, customer retention, and so many other ways.
- Reduce risk by being proactive instead of reactive with a strategy for managing all risk.
- Increase agility of the organization to move quickly. Data risk assessment and management is a proactive practice to support the organization’s business availability based on reacting swiftly to challenges.
- Organizational longevity is maintained by having the ability to deliver and support services and products. Without managing data risk appropriately, organizations are in danger of failure.
- Customer happiness is based on an organization’s ability to perform securely by protecting the shared data to conduct business. Good customer satisfaction surveys and net promoter scores have as a foundation the organization’s ability to manage data risk.
The benefit of data risk management is worth the associated costs. With this as a practice and discipline within an organization, the success of the organization increases. The following data risk management guide will give some tips and guidance on how to proceed with data risk management practice within your organization.
Data Risk Management Guide
Data risk management can not be an afterthought within any organization. There needs to be strategic intent, executive sponsorship, and cultural change for data risk management to be successful. Start by creating a team with accountability and responsibilities for data risks. Produce an overall RACI matrix relative to data risk management Policy. Hire a Data Protection Officer (DPO) to be accountable for creating a data risk management framework. Include in the framework goals, objectives, and measurements.
Some data risk management tasks, tips, and guidance:
- Identify risk, threat, vulnerability – perform a data center risk assessment.
- Assess probability and impact perform a business impact analysis – It may be helpful to use third-party support. Address financial implications, and impact over time to determine priorities and actions to address data risks.
- Define governance, policies, regulations, and compliance needs, including identifying and adopting best practices for data risk management
- Assess current controls in place and continuously do this activity relative to the changing risk landscape. Implement controls in practices, processes, and work instructions across the organization.
- Risk response strategy and plan – Avoidance, mitigation, transference, acceptance. Purchasing Cyber security insurance is a way to transfer data risk resulting from cyber data attacks. Make sure to have a plan for each aspect of risks management.
- Test the plan to make sure it works; if not, adjust the plan and redefine any other aspect of data risk management.
- Monitor risk and provide feedback, use automated tools as much as possible, and get feedback from people around the organization.
- Continual improvement plan and activities, risk management is forever a needed capability of the organization.
Some potential risks to identify and manage:
- Data corruption can happen to data anytime, during reading, writing, transmission, loading, processing, etc. Make sure to identify the data replication, duplication, backup and recovery and manage risk related to each stage in the data management lifecycle.
- Device failure on-premise and cloud where the data resides is essential. Organizations should understand the complete IT device stack and associated data and prepare data risk plans and actions.
- Data compliance be sure to be compliant with both customer and partner-facing as well as industry- and region/nation-specific regulations such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), Family Educational Rights and Privacy Act (FERPA), International Traffic in Arms Regulations (ITAR) and California Consumer Privacy Act (CCPA). Data privacy and trust have to be managed, and risks accounted for—each one of these regulations emphasizes the necessity for Data risk management.
- Vendor lock-in for data management can be costly. Review contracts and understand cost relative to value.
- Data remanence through data retirement practices, if not done correctly, can result in a risk to the organization. Be sure to verify that this is happening appropriately.
- Identification of security flaws and weaknesses can be done with audits. Data audits are always a good thing to do within organizations for managing risks.
- Long-term storage and management of unused data is costly. Any unused data has no value and, if being managed without a purpose, is a waste of time and effort. This includes governance and compliance issues.
- People policy and behavior – malware, phishing, spyware, etc.
- Cloud SaaS, PaaS, and IaaS risks for each service should be identified and managed. Many organizations do not use all the cloud services but still should be aware of how the other services can affect them related to managing the risk of data.
- Contingency planning for denial of service, data breaches, loss of data, and other issues should be identified and planned.
- Major incident response is critical to have in place when a data management issue occurs. This activity should also be practiced or simulated to ensure it is effective.
- Physical security must always be identified and understood relative to human breaches or environmental breaches, including on-premise and cloud physical security. Organizations should not only understand themselves but how a vendor addresses physical security – particularly in office environments that are oscillating between work-from-home and return-to-office policies.
- 3rd party software and infrastructure risk should be identified. Any 3rd party vendor is subject to a data breach that can affect its customers. Data breaches that result in software being hacked and then installed in their customers’ environments can have lasting effects on the organization. All organizations should understand how their vendors secure their data, especially the data about their customers.
Some Data Management areas to be aware of:
- Backups’ importance can not be underestimated for the organization and for us personally. They provide data recovery in case of power failure, hacking, environmental disasters, human error, etc. This is essential for managing data risk.
- Redundancy improves the availability of your organization to do business. Redundancy of data helps manage the risk of data loss from unexpected and expected outages that may occur.
People Risks related to data management should be identified and managed. An essential tactic is to educate people and make them know how to manage data risks within the organization. Make sure people understand and can act when needed for data risks. The practices that they learn at work can also help with personal data leakage and personal data risks.
Today, with organizations adopting Big Data practices and technologies. The risks of big data implementations in an organization need to have a data risk management strategy. An organization should review its Big Data architectures and identify data risks in its on-premise, cloud, and hybrid cloud environments. Cloud Data migration risks and Cloud storage security risks of data should be reviewed carefully. Cloud architecture adjustments may be necessary to address cloud data risks and costs. Big Data risk management should be a component of an overall data risk management strategy.
Data risk management is the responsibility of all functions across the lines of business, marketing, sales, human resource, operations, applications, legal, etc. Taking a proactive approach by identifying risk, adding controls, and preparing for action can make a world of difference when needed. Do not make data risk management an afterthought and something that is not worth investing in. Data risk management is a part of the cost of doing business and should be understood as such. Be careful of shortcuts and not be strategic and comprehensive with the approach.
In addition, you should seek out frameworks and best practices; in particular, NIST is one of the foremost experts on risk management with extensive frameworks for Cybersecurity, Risk Management, Integrating Cybersecurity and Enterprise Risk Management (ERM), Privacy, and more. NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise (Draft NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise) is another recent resource to help you get started. You can also pull from the 2021 DBIR Master’s Guide (2021 DBIR Master’s Guide | Verizon).