One of the biggest obstacles for organisations is understanding where critical data resides and how it is currently protected. Apart from the production environment, copies of important or sensitive data are also stored in back-ups, data warehouses and test environments. These environments may be less protected than the production environment. Data risk is a growing risk for companies and a great opportunity for hackers.
Recently, a well-known travel agency was hacked and almost 1 million customer records were exposed. Although the production environment was secure, the less secure test environment was also accessible from the internet, which facilitated unauthorised access to sensitive customer data. Data Risk Management should therefore focus on the data, as recommended by the international security standard ISO27001:2013.
Company data is growing exponentially, and after 10-20 years of data storage a huge amount of data exists: Big Data is no longer just a buzzword. By scoping we can reduce the size and complexity of our data risk management activities. Your scope should focus on large structured data sources related to Mission Critical Applications. These "data crown jewels" have an interface to, and/or are copied to, other departments, business partners and locations. Understand where this important data flows to, and record a physical address and/or IP address for each place the data is stored.
Data Risk Management (DRM) aims to help management become aware of the key data risks. A heatmap of all important data sources should help management decide where money is spent most effectively, namely on the riskiest data sources.
The Bottom Line
DRM will evolve as organizations continually look to balance protection of business data and costs. Understand your exposure and risk appetite and have a plan of action to mitigate your potential liability. Data Risk Management is an art and not a science.
Gerco Kanbier is Managing Director of Trust in People - the information protection company in The Netherlands. For more information, please visit www.trustinpeople.com.