What Is Data Risk Management?
By Tobias Geisler Mesevage
You’d be in the minority if you haven’t seen a headline — or been personally affected by — one of the thousands of data breaches that have occurred over the last decade. To name a few:
- Yahoo's 2013 breach, disclosed in 2016 and later found to affect all of its roughly three billion accounts, exposed users' names, birth dates, phone numbers, hashed passwords and security questions.
- In 2018, Marriott disclosed that attackers had been inside the Starwood guest reservation database since 2014, exposing up to 500 million guests' names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood Preferred Guest loyalty account information, arrival and departure times, and reservation dates.
- In 2019, Facebook disclosed that hundreds of millions of user passwords had been stored in plaintext in internal logs, where they were searchable by more than 20,000 employees.
While large organizations are the ones likely to catch headlines, research shows that 71% of ransomware attacks in 2018 actually targeted small businesses.
Data breaches are not the only data risk an organization has to manage, but they are usually the most visible one. Avoiding the next headline and the lawsuits and fines that follow it is why data risk management has become an integral part of running IT infrastructure.
What is data risk management, and how can you implement it in your organization?
What is Data Risk Management?
Data risk is the potential for business loss due to:
- Poor data governance: The inability of an organization to keep its data accurate, complete and accountable throughout the data's lifecycle.
- Data mismanagement: Weak processes for acquiring, validating, storing, protecting, and processing data for its users.
- Lackluster data security: Inadequate protection of digital data against unwanted actions such as unauthorized access, cyberattack, or a data breach.
Data risk management is the controlled process an organization uses when acquiring, storing, transforming, and using its data, from creation to retirement, to reduce data risk to a level the organization can accept. Risk is reduced, not eliminated: every control has a cost and a failure mode, so the goal is to know which risks remain and who owns them.
A holistic data risk management program minimizes the chance that data is exposed or breached, and also improves productivity in the workplace by keeping information well organized and accurate.
Why Data Risk Management is Important
When business data is exposed or put in jeopardy, there are both direct and indirect costs. After an incident, a company can be liable for expenses to cover:
- Repairing the damage an attack wreaked on its IT infrastructure
- Costs associated with leaked assets, including regulatory fines and costs for legal consultation
- Increased manual labor for the time taken to contain an incident
- Data center downtime and lost business continuity
- Decreased workplace productivity
- Lost brand value and reputation
Data risks that aren't known, managed, and mitigated often end up as data breaches, which are particularly costly. According to the 2018 Cost of a Data Breach Study by Ponemon, the global average cost of a data breach was $3.86 million, the average cost for each lost or stolen record containing sensitive and confidential information was $148, and the cost of breaches had risen year over year.
As the costs associated with data risk continue to rise, protecting and maintaining data is essential for organizations.
Data Risks to Watch Out For
Gaps in a data risk management plan leave vulnerabilities in the following areas:
- Proprietary lock-in: SaaS vendors can effectively hold your data hostage if you decide to switch. Proprietary lock-in, also known as vendor lock-in, puts your data at risk when a vendor limits, or makes exorbitantly expensive, the transfer of data, applications, infrastructure, or staff know-how to a new provider. Check before signing that you can export your data in a documented, non-proprietary format.
- Storage device failure: Anything from a mechanical fault to a malware attack can make a storage device, and the data on it, unavailable. Mitigate the cost and the risk with regular backups and redundant storage.
- Data corruption: Human error, data breaches, and database malfunctions can all corrupt data. Inaccurate or corrupt data is dangerous for your brand reputation and overall productivity, and it is often discovered only when someone tries to use the data.
- Data remanence: Data that remains recoverable in your organization even after attempts to delete or scrub it is called data remanence. Deleting a file typically removes only the directory entry, not the underlying bytes, so "deleted" data on retired disks, decommissioned servers, and old backups can still be recovered. This leftover data is particularly dangerous because your organization may not realize it exists and so cannot protect it.
- Data compliance: Failing to govern data appropriately, or in accordance with the laws and regulations that apply to your industry, can result in fines and legal ramifications.
- Weakness in security: Cybercriminals look for weaknesses in your security. Whether it's unpatched software or employees who are likely to fall for a social engineering attack, any weakness in your security is a risk to your data.
- Unused data: Also known as dark data, this is the information an organization collects, processes and stores but doesn't use. Keeping dark data beyond its useful life adds security exposure, compliance obligations and storage cost with no corresponding benefit; data you no longer hold cannot be breached.
Regular, tested backups limit the damage from several of these risks, such as device failure, corruption and ransomware, because they make it quick and easy to restore a single file or an entire data store. Backups do nothing for data that has already been copied out by an attacker, so they complement the other controls rather than replace them, and a backup that has never been test-restored should not be counted on.
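The "unused data" item above is easiest to act on with a periodic retention sweep. The following is an added example (not code from the original article) that walks a directory tree, assigns each file a retention class from its top-level directory, and reports files that have outlived their class. The retention classes, the directory-based classification, and the use of modification time as "last use" are assumptions for illustration; a real program would consult a data inventory and legal-hold list instead.

```python
"""Retention sweep: flag files that have outlived their retention class.

Added example, not from the original article. Assumptions: retention
classes are keyed by top-level directory name, and "last use" is the
file's modification time. Files are reported, not deleted, so a human
(or a legal-hold check) stays in the loop.
"""
from __future__ import annotations

import os
import time
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Hypothetical retention policy: days to keep, per top-level directory.
RETENTION_DAYS = {"logs": 90, "exports": 30, "records": 365 * 7}
DEFAULT_RETENTION_DAYS = 180  # anything not explicitly classified


@dataclass
class Finding:
    path: str
    retention_class: str
    age_days: int
    limit_days: int


def classify(root: Path, path: Path) -> str:
    """Retention class = first path component under root."""
    rel = path.relative_to(root)
    return rel.parts[0] if len(rel.parts) > 1 else "unclassified"


def sweep(root: str, now: Optional[float] = None) -> list[Finding]:
    """Return files whose age exceeds their class's retention limit,
    worst offenders (most days past the limit) first."""
    now = time.time() if now is None else now
    root_path = Path(root)
    findings: list[Finding] = []
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        cls = classify(root_path, path)
        limit = RETENTION_DAYS.get(cls, DEFAULT_RETENTION_DAYS)
        age_days = int((now - path.stat().st_mtime) // 86400)
        if age_days > limit:
            findings.append(Finding(str(path), cls, age_days, limit))
    return sorted(findings, key=lambda f: f.age_days - f.limit_days, reverse=True)


def build_sample_tree(root: str, now: float) -> None:
    """Constructed sample data: small files with back-dated mtimes."""
    samples = {  # relative path -> age in days
        "logs/app-2018.log": 400,
        "logs/app-today.log": 1,
        "exports/customers.csv": 45,
        "records/contract.pdf": 100,
        "scratch/tmp.bin": 200,
    }
    for rel, age in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        ts = now - age * 86400
        os.utime(p, (ts, ts))


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        now = time.time()
        build_sample_tree(d, now)
        for f in sweep(d, now):
            print(f"{f.retention_class:12} {f.age_days:4}d > {f.limit_days}d  {f.path}")
```

Running the script lists the 2018 log, the unclassified scratch file and the 45-day-old export; the current log and the seven-year contract record are within policy. Sorting by days past the limit rather than by raw age keeps the report focused on the files that have been ignored longest.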
Data Management Best Practices
Data management frameworks keep multiplying to keep up with changing regulatory and business demands and the growing volume of data organizations take in. Staying current with data management best practices is critical for your organization's success.
The risk management process described in NIST guidance, applied to data, consists of the following steps:
- Define the scope of risk analysis based on infrastructure and technology
- Identify and define threats and risks
- Assess the likelihood of occurrence and impact of risks
- Evaluate the quality of existing controls
- Assess risks and determine responses
- Develop, test, and implement plans for risk treatment
- Provide ongoing monitoring and feedback
- Address the opportunities identified
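Steps two through five of that process are usually recorded in a risk register that scores each threat by likelihood and impact, discounts the likelihood by the controls already in place, and maps the residual score to a treatment decision. The block below is an added example of such a register, not code from the article or from any NIST publication; the five-point scales, the control-effectiveness model, the risk-appetite threshold and the sample entries are all illustrative assumptions that a real program would calibrate to its own environment.

```python
"""Qualitative risk register: inherent score, residual score after
controls, and a treatment decision.

Added example, not from the original article or from NIST. The scales,
thresholds and sample risks are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Five-point qualitative scale for both likelihood and impact (assumed).
SCALE = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}


@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 = no effect .. 1.0 = fully prevents the threat


@dataclass
class Risk:
    threat: str
    asset: str
    likelihood: str
    impact: str
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any controls are considered."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> float:
        """Score after controls. Controls are treated as independent, so the
        remaining likelihood is the product of (1 - effectiveness)."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(SCALE[self.likelihood] * remaining * SCALE[self.impact], 2)


def response(residual: float, appetite: float = 6.0) -> str:
    """Map a residual score to a treatment decision (thresholds assumed):
    above 15 demands immediate action, above the risk appetite needs a
    mitigation or transfer plan, everything else is accepted and monitored."""
    if residual >= 15:
        return "avoid-or-mitigate-now"
    if residual > appetite:
        return "mitigate-or-transfer"
    return "accept-and-monitor"


def prioritize(register: list[Risk]) -> list[tuple[str, int, float, str]]:
    """Rows of (threat, inherent, residual, response), highest residual first."""
    rows = [(r.threat, r.inherent(), r.residual(), response(r.residual()))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register built from the risks discussed in the article.
SAMPLE_REGISTER = [
    Risk("Ransomware encrypts file shares", "customer records", "high", "very_high",
         [Control("offline backups, restore tested quarterly", 0.5),
          Control("email filtering", 0.3)]),
    Risk("Unpatched web server exploited", "web application", "high", "high",
         [Control("30-day patch SLA", 0.5)]),
    Risk("Vendor lock-in blocks SaaS data export", "analytics data", "moderate", "moderate",
         []),
    Risk("Data remanence on decommissioned disks", "archived HR data", "low", "high",
         [Control("full-disk encryption with key destruction at retirement", 0.9)]),
]

if __name__ == "__main__":
    for threat, inherent, residual, decision in prioritize(SAMPLE_REGISTER):
        print(f"{residual:5.1f} (inherent {inherent:2d})  {decision:22}  {threat}")
```

Two things the output makes visible that a narrative list does not: the ransomware risk has the highest inherent score but drops below the unpatched server and the vendor lock-in entry once its controls are counted, and the lock-in risk sits at the top of the residual ranking precisely because nothing has been done about it. The register also records each control's assumed effectiveness explicitly, which is what the "evaluate the quality of existing controls" step should challenge during review.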
Additionally, ensure your organization has a backup and disaster recovery (BDR) solution. A BDR can take snapshots of your data several times a day, so that after corruption, deletion or a ransomware attack you can roll back to a point before the loss and keep downtime short. Two caveats a snapshot schedule does not cover on its own: a backup is only as good as its last successful test restore, and snapshots that are reachable from the systems they protect can be encrypted or deleted along with them, so keep at least one copy offline or otherwise isolated.
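The point that a backup must be verified before it is trusted is easy to demonstrate. The following is an added example, not code from the article or from any BDR product: it takes a snapshot of a directory into a labelled backup folder, writes a SHA-256 manifest alongside the copied data, and refuses to restore from a snapshot whose contents no longer match that manifest. The directory layout and the manifest format are assumptions for illustration.

```python
"""Snapshot backup with an integrity manifest and a verified restore.

Added example, not from the original article or any BDR product. Layout
(assumed): <backup_root>/<label>/data/... plus manifest.json mapping each
relative path to its SHA-256. verify() must pass before restore() copies
anything back, so a silently corrupted snapshot cannot be "restored" over
good data.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: str, backup_root: str, label: Optional[str] = None) -> Path:
    """Copy `source` into backup_root/<label>/data and write manifest.json.
    Returns the snapshot directory."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    dest = Path(backup_root) / label
    if dest.exists():
        raise FileExistsError(f"snapshot already exists: {dest}")
    data_dir = dest / "data"
    shutil.copytree(Path(source), data_dir)
    manifest = {
        str(p.relative_to(data_dir)): sha256_file(p)
        for p in data_dir.rglob("*") if p.is_file()
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, sort_keys=True, indent=2))
    return dest


def verify(snapshot_dir: Path) -> list[str]:
    """Return relative paths that are missing or whose content no longer
    matches the manifest. An empty list means the snapshot is intact."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        p = snapshot_dir / "data" / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return sorted(bad)


def restore(snapshot_dir: Path, target: str) -> int:
    """Restore a verified snapshot into `target` (replacing it).
    Returns the number of files restored; raises if the snapshot is corrupt."""
    bad = verify(snapshot_dir)
    if bad:
        raise RuntimeError(f"snapshot {snapshot_dir.name} is corrupt, refusing restore: {bad}")
    dst = Path(target)
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(snapshot_dir / "data", dst)
    return sum(1 for p in dst.rglob("*") if p.is_file())


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        # Constructed sample data set.
        src = Path(d, "live")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (src / "notes.txt").write_text("keep me\n")

        snap = snapshot(str(src), str(Path(d, "backups")), "s1")
        print("verify after snapshot:", verify(snap) or "intact")

        # Simulate bit rot / tampering inside the backup store.
        (snap / "data" / "notes.txt").write_text("garbage\n")
        print("verify after corruption:", verify(snap))
        try:
            restore(snap, str(Path(d, "restored")))
        except RuntimeError as e:
            print("restore refused:", e)
```

The manifest lives next to the data it describes, which is enough to detect accidental corruption; to detect an attacker who can modify the backup store, keep a copy of the manifest (or sign it) somewhere the backup host cannot write.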