A company’s database and data repositories contain its most valuable asset: information. This information, if compromised, could negatively impact an organization’s assets, finances, and reputation.
Data protection is the means of securing your digital information to prevent or reduce the risk of information loss, compromise, or corruption. The right tools, controls, and processes help protect enterprise databases and other critical data assets from unauthorized access and cyberattacks.
Protecting enterprise databases and other organizational data is important not just for cybersecurity, but also to ensure business continuity and maintain a competitive market advantage.
In this article, we’ll look at how companies benefit from data protection, the consequences of inadequate data protection measures, and the various ways you can protect organizational data and company databases.
The importance of protecting company data
Enterprise-level organizations collect, store, and manage large amounts of data. Some of this data is structured, which means it is organized and easily accessed by users.
However, 80% of all enterprise data is unstructured, meaning it cannot be analyzed or processed with the tools and procedures built for structured data. From documents to images, videos, and audio streams, your company’s unstructured data also contains sensitive, business-critical information, including (but not limited to):
- Intellectual property.
- Financial records.
- Cardholder data.
- Third-party contracts.
While databases can be controlled with access privileges and managed by IT admins, unstructured data has fewer controls available to ensure its security.
Unstructured data is largely user-generated content, and it may live on-premises, in cloud storage systems, or inside cloud applications. As a result, much of the responsibility for controlling access to it, and for managing it at all, falls on the employees who create and share it.
If your employees are not well-educated on the risks associated with sharing and managing data, they are more likely to operate outside of your company’s security standards. This can lead to what is known as shadow IT, where employees use devices and/or technology for work purposes without their IT team’s knowledge or approval.
Whenever a user accesses a shadow IT application, your data is stored in an unknown and unauthorized location. These unapproved solutions are more common than you might think—80% of employees admit to using applications without IT approval.
This lack of awareness regarding data protection contributes to human error, which is a top threat to your company’s information security. Cybersecurity incidents are pervasive, with cybercriminals always looking for new access points and attack vectors.
Negligence, lack of cybersecurity awareness, and poor access control are key problems associated with human error. Fixing human error issues starts by understanding your security risks, developing appropriate security controls, and mitigating cybersecurity risks.
A comprehensive business data protection strategy helps your organization close these gaps before they are exploited. Effective strategies are data-centric: they go beyond regulatory requirements to identify where sensitive data actually lives and plan for the threats it faces in practice.
The cost of inadequate data protection
In 2021, there was a sharp increase in data breaches and ransomware attacks, compromising sensitive information of millions of victims. By October 2021, the number of data breaches for the year had already sailed past the total for 2020.
Ransomware also experienced record-setting attack volumes, with a reported 304.7 million attempted hacks in the first half of 2021. The entirety of 2020, by comparison, saw a total of 304.6 million ransomware attempts.
Once an organization experiences one ransomware attack, the next may be right behind it. Reports find that 80% of companies that previously paid ransomware demands were hit by a second attack.
Direct and indirect costs
When databases and data are not properly protected, there are direct and indirect costs that can impact your company’s bottom line.
- Direct costs are those associated with handling cybersecurity events, such as:
  - Investigation costs.
  - Reimbursement to affected parties.
- Indirect costs are connected to resources spent to recover from the data breach. For example, operational downtime leads to financial loss.
Reputational damage is another indirect cost of inadequate data protection. When you lose customer loyalty and trust, you also face the risk of losing potential customers as people share their experiences.
Insider risk is a prime vulnerability for every organization. A 2021 survey found that 94% of companies were subjected to an insider data breach in the last year. Most of these incidents were caused by human error.
While human error is not malicious, it is costly—data breaches caused by human error average a cost of $3.33 million per incident. In the US, a data breach cost the affected organization an average of $4.24 million in 2021. This amount is 10% more than the average cost in 2019.
Industry-specific data protection considerations
Organizations that operate in heavily regulated industries will pay more in non-compliance fines. For example, healthcare data breaches are significantly more expensive than other data breaches due to the industry’s stringent data privacy policies.
In the US, the Health Insurance Portability and Accountability Act (HIPAA) regulates the use of and access to Electronic Protected Health Information (ePHI). Its rules and regulations are based on three primary components:
- Privacy Rule. This rule standardizes the protection of individually identifiable health information, which is information that can be linked to a specific person.
- Security Rule. This rule is specific to ePHI and identifies the administrative, physical, and technical safeguards needed to protect the confidentiality, availability, and integrity of ePHI.
- Breach Notification Rule. This rule requires organizations to report the discovery of a breach of unsecured PHI and notify the affected individuals, the Department of Health and Human Services (HHS), and the media (in certain situations).
In 2020, the Premera Blue Cross health plan received a $6.85 million HIPAA penalty due to a data breach that exposed 10.4 million individuals’ ePHI. This penalty was in addition to a $10 million settlement to resolve a multi-state lawsuit and a separate $74 million settlement stemming from a consolidated class action lawsuit against the health insurer.
Any breach that includes customers’ Personally Identifiable Information (PII) will be more expensive than a breach of other data sets. The average cost per record across all data types in 2021 was $161, compared to $180 per record containing PII.
In addition to increasing the cost of the breach itself, compromised PII can lead to costly lawsuits. For example, Morgan Stanley faced a class-action lawsuit stemming from data exposure that impacted around 15 million individuals.
The banking and financial services company agreed to a $60 million settlement in 2022. This settlement amount is in addition to the $60 million fine imposed by the Office of the Comptroller of the Currency (OCC) for its data protection failures.
The benefits of a comprehensive company database protection plan
A comprehensive data protection strategy establishes controls and policies related to an organization’s personnel, processes, and technologies. This is a multistep process that safeguards the integrity, availability, and confidentiality of organizational data.
Database protection plans are based on three primary goals:
- Data security. The controls, policies, and procedures that protect data from malicious or accidental damage.
- Data availability. The process of making data available through redundancy and backups to ensure quick restoration following damage or loss.
- Access control. The means of restricting access to data to only those who need it.
Some of the most important elements of a database protection plan include:
1. Customize access controls
An access control system restricts access to data and/or resources based on what a task actually requires. This helps prevent unauthorized access while ensuring that people have the access necessary to perform their jobs.
Access requirements should follow the principle of least privilege (POLP), which grants access rights based only on what is necessary for the user’s job function. It is also important to conduct regular reviews of your access controls to identify and correct unnecessary permissions, including grants left over from a previous role or a temporary assignment and accounts that are no longer used.
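The access review described above can be run as a check rather than left as a policy statement. The following Go program is an added example, not code from the original article or from WinZip: it compares each account’s effective grants against a per-role baseline, reports every grant the role does not justify (an account whose role is not in the baseline has all of its grants reported), and flags accounts that have not authenticated within a dormancy window. The role baseline and the account export are constructed sample data; in practice both would be loaded from the organization’s role definitions and its directory or database grant export.

```go
package main

import (
	"fmt"
	"time"
)

// Account is one row of an access export: who the user is, the job role
// they were provisioned for, the permissions actually granted, and the
// last time they authenticated.
type Account struct {
	User      string
	Role      string
	Grants    []string
	LastLogin time.Time
}

// Finding is one item for the reviewer to act on.
type Finding struct {
	User   string
	Issue  string // "excess" (grant beyond the role baseline) or "stale" (dormant account)
	Detail string
}

// RoleBaseline lists the permissions each job function actually needs.
// Constructed sample data; a real review would load this from the
// organization's role definitions.
var RoleBaseline = map[string][]string{
	"analyst":  {"db:read:reports"},
	"engineer": {"db:read:reports", "db:write:reports"},
	"dba":      {"db:read:reports", "db:write:reports", "db:admin"},
}

// ReviewAccess applies least privilege as a check: every grant not covered
// by the account's role baseline is reported as excess. An account with an
// unknown role has no baseline, so all of its grants are excess. Accounts
// that have not logged in within `dormant` are reported as stale so their
// access can be removed.
func ReviewAccess(accounts []Account, now time.Time, dormant time.Duration) []Finding {
	var findings []Finding
	for _, a := range accounts {
		allowed := make(map[string]bool)
		for _, p := range RoleBaseline[a.Role] { // nil slice for unknown roles
			allowed[p] = true
		}
		for _, g := range a.Grants {
			if !allowed[g] {
				findings = append(findings, Finding{a.User, "excess", g})
			}
		}
		if now.Sub(a.LastLogin) > dormant {
			findings = append(findings, Finding{a.User, "stale",
				"last login " + a.LastLogin.Format("2006-01-02")})
		}
	}
	return findings
}

// SampleAccounts is a constructed access export for demonstration.
func SampleAccounts() []Account {
	d := func(y int, m time.Month, day int) time.Time {
		return time.Date(y, m, day, 0, 0, 0, 0, time.UTC)
	}
	return []Account{
		// db:admin is left over from a temporary DBA assignment.
		{"alice", "analyst", []string{"db:read:reports", "db:admin"}, d(2024, 6, 1)},
		{"bob", "dba", []string{"db:read:reports", "db:write:reports", "db:admin"}, d(2024, 6, 10)},
		// Engineer who has not logged in for five months.
		{"carol", "engineer", []string{"db:read:reports", "db:write:reports"}, d(2024, 1, 15)},
		// Role no longer defined in the baseline, so every grant needs review.
		{"svc_legacy", "contractor", []string{"db:read:reports"}, d(2024, 6, 12)},
	}
}

func main() {
	now := time.Date(2024, 6, 15, 0, 0, 0, 0, time.UTC)
	for _, f := range ReviewAccess(SampleAccounts(), now, 90*24*time.Hour) {
		fmt.Printf("%-10s %-6s %s\n", f.User, f.Issue, f.Detail)
	}
}
```

Run against the sample export with a 90-day dormancy window, the review reports alice’s leftover `db:admin` grant, carol’s dormant account, and every grant on the `svc_legacy` account because its role has no baseline; bob, whose grants match the `dba` baseline exactly, produces nothing. Treating an unknown role as “no entitlements” rather than “skip” is deliberate: accounts that fall outside the role model are exactly the ones a review most needs to surface.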
2. Secure endpoints
The endpoints that connect to a corporate network are especially exposed to cyberattacks and breaches. From laptops to smartphones, workstations, servers, and other network access paths, endpoint security reduces the risk that organizational data is lost or stolen through a compromised device.
Endpoint protection starts by identifying all devices that connect to your network resources. Then, the devices should be secured using antivirus software, data encryption, firewalls, and application and access controls.
3. Educate users on security protocols
When employees do not have enough information about how their actions (or inactions) impact cybersecurity, it increases the risk of human error. From reusing passwords to not keeping applications up to date, there are several ways in which your employees can inadvertently set the stage for malicious cyber activity.
Educate employees on best practices to protect organizational data and databases, which include:
- Use multi-factor authentication wherever it is offered.
- Install software updates and patches as they become available.
- Identify and report suspicious activity, such as emails with attachments from unknown sources.
4. Encrypt your files
File-level encryption restricts access to authorized users: an encrypted file can only be decrypted with the right password or encryption key. If the data cannot be read, malicious actors cannot make use of what they’ve stolen.
Encryption can protect organizational data in several ways:
- Removable storage media. Encrypting data stored on a thumb drive, memory stick, or other portable device prevents unauthorized access if the device is stolen or lost.
- File transfers. Unsecured and wireless networks can expose sensitive data to bad actors. Encrypted files will be protected even as they move between various users, devices, and networks.
- Backups. Backups make it possible to restore data that has been lost, damaged, or stolen. Encrypting backup data adds an additional layer of protection and ensures that only authorized users can access the files, provided the keys are stored separately from the backups themselves; a backup kept alongside its own key is no better protected than a plaintext one.
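What “only decryptable with the right key” looks like in practice, as an added example that is not part of the original article and is not WinZip Enterprise’s implementation: the Go program below encrypts a file with AES-256-GCM, an authenticated mode, so that the wrong key, a modified byte anywhere in the file, or a renamed file all fail to decrypt instead of yielding garbage. The file names, the sample plaintext, and the random key are constructed for the example; how the key is generated, stored, and separated from the files is assumed to be handled by a key manager or a password-based key derivation step that the code does not include.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

const KeySize = 32 // AES-256

// NewKey returns a fresh random 256-bit key. Key handling is assumed to be
// done elsewhere (key manager or passphrase KDF); the key must never sit
// next to the files it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per call keeps one key safe across many files. label is
// bound as additional authenticated data (here the encrypted file's name) so a
// ciphertext cannot be renamed and passed off as a different file.
func Encrypt(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// Decrypt reverses Encrypt. Any change to the key, nonce, ciphertext, tag or
// label makes Open fail, so a tampered file yields an error, not bad plaintext.
func Decrypt(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], label)
}

// EncryptFile writes src encrypted to dst, binding dst's base name as the label.
func EncryptFile(key []byte, src, dst string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	blob, err := Encrypt(key, data, []byte(filepath.Base(dst)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, blob, 0o600)
}

// DecryptFile reads the encrypted file src and writes the plaintext to dst.
func DecryptFile(key []byte, src, dst string) error {
	blob, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	data, err := Decrypt(key, blob, []byte(filepath.Base(src)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o600)
}

func main() {
	key, _ := NewKey()
	blob, _ := Encrypt(key, []byte("Q3 cardholder export"), []byte("export.csv.enc"))
	_, err := Decrypt(key, blob, []byte("renamed.enc")) // label mismatch
	fmt.Printf("%d-byte ciphertext; decrypt under wrong label: %v\n", len(blob), err)
}
```

The design point is the authenticated mode: a plain block or stream cipher would decrypt a modified file into silently corrupted data, whereas GCM’s tag check turns every tampering or wrong-key case into an explicit error. The nonce travels with the file, which is fine because it only needs to be unique, not secret; the key is the only thing that must stay out of reach.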
A solution like WinZip® Enterprise offers a fully customizable set of enterprise-grade tools to secure, manage, and protect enterprise databases and organizational data. It features military-grade encryption for secure file sharing and collaboration with end-to-end data protection.
With WinZip Enterprise, IT administrators have complete control over the data environment, making it easy to implement and enforce policies related to file security, sharing, and backups.