As we’ve discussed before, data visibility and asset management should be a key priority for risk and security leaders. This refers to having total visibility of all the assets in your environment and being able to account for where your data is housed and where it’s properly secured before
As companies expand, adding devices, employees, locations, servers, containers, databases, and cloud-based infrastructure, or work with multiple third parties that may have data-sharing or integration relationships, their data may end up in multiple places, and it can be difficult to know where it’s all housed.
Without the right visibility strategy or priority in place, organisations will be exposing themselves to risk beyond just simple data exposure or breach.
It may be easy to treat this challenge as purely a cybersecurity one, but the risk spans beyond just IT and cybersecurity. If you’re looking to get the right resources or tools, it’s important to know this and communicate it appropriately.
Here’s what’s at risk if you can’t account for your data and assets:
This is the biggest risk you’re incurring by not being aware of or accounting for your data and all your assets. Nearly all threats and cybersecurity risks centre around your data. If you don’t know where your data is housed, it’s difficult to secure it and keep it out of malicious actors’ hands.
Losing your data, whether to a data breach or an accidental exposure, can devastate a company, even if the damage is relatively minimal.
For example, Uber recently suffered a data breach that, ultimately, resulted in no loss of customer data and minimal damage, despite the internal breach. However, from a PR perspective, the damage was much more critical.
Not having complete visibility of your assets can exacerbate the damage a potential attack may have and may even compromise a company’s ability to perform its services to its customers.
Earlier this year, a ransomware attack on a third-party supplier caused Toyota to shut down its factory production in several locations. This was done as a safeguarding mechanism to avoid costly downtime and the risk of any assets being infected by the ransomware.
Without having the right asset visibility or data monitoring, you may not be able to take the appropriate action in the face of a potential threat, which may affect your organisation’s business continuity.
New data security and privacy regulations like GDPR and the US-based CCPA are more firmly requiring organisations to properly store and secure data (this responsibility even extends to the organisation’s third parties). These regulations have driven multiple investigations, liability, and costly legal fines where the organisation is found to be culpable in a data breach, or negligent in a way that could have resulted in a breach.
Customers are more and more aware of their own security, and it’s become more crucial that their data is secured. Not securing or keeping track of your data can directly result in a loss of customers for both B2B and B2C companies. A study found that 1 in 4 customers would not do business with a data-breached company.
The aforementioned regulations have also given customers additional control and power over the data companies have. Customers can now ask to retrieve their data or to have their data deleted. If you’re not aware of where this data is stored, you may not be able to fulfil their request, putting your relationship at risk and potentially risking regulatory action.
Many of these risks can jeopardise a company’s pockets in multiple ways. We’ve already mentioned how regulatory fines levied on an organisation can impact a company’s finances, and data breaches overall are costly. On average, the cost of a data breach in the US is $9.4M, the highest it’s ever been. Any losses in customers or business continuity can be a significant drain on a company’s revenue, and costs associated with any legal investigations can rack up quickly.
When it comes to asset management and data visibility, it’s not a matter of “if”, it’s “when”. An organisation will eventually need to address the challenge, and the longer the company takes, the more costs and resources it will take to get up to speed. It’s much easier to set in place certain policies and processes and implement key tools while a company is smaller, has fewer assets and data to account for, and has a smaller vendor ecosystem.
If a company is too large, however, it’ll require many more resources to implement company-wide processes and to bring new tools and technology into an environment. You’ll also have to bring in multiple departments and stakeholders. The entire process would take much longer, and you’ll be taking up a lot of your team’s and other departments’ time.
To improve your asset visibility and data management, you’ll need to leverage a mix of tools, processes, and policies that you enforce.
Here are a couple of key steps to take:
Because this affects the entire organisation, you’ll need to get the approval of multiple departments and stakeholders in order to effectively operationalise your data management strategy.
By communicating this as a risk beyond just IT and security, you’ll be able to show the priority needed and be able to obtain the right resources and support.
If there isn’t one, work on developing a process and policy that ensures you and/or your IT leader are aware of any new change that would affect where data is stored, who has access to it, and whether the data itself changes.
This may be due to a new SaaS app, a new employee, or a new way of communicating information. This will allow you to maintain up-to-date asset and data visibility.
Technology can be utilised to monitor your environment and keep track of your data for you. This can’t be a manual process, as an organisation’s environment is too wide.
As you look for tools that can help, prioritise those that can look at all pockets within your environment, including your cloud-based databases (such as Google Drive) as well as third-party apps with an integration in your environment (such as Slack).