Building Resilient Data Ecosystems for Safeguarding Data Integrity and Security

By Tamas Kadar

The term “big data” is no longer the exclusive preserve of big companies. Businesses of all sizes increasingly see the benefits of being data-driven. Various factors have driven this evolution, ranging from widespread use of cloud services to the availability of more accessible (and affordable) data analytics and business intelligence tools.

Effective access to company data can enable businesses to make better marketing decisions, improve their customer service, streamline processes, and respond to trends. But with such power comes tremendous responsibility – the responsibility to keep the data accurate and safe from threats.

The total volume of data held across the world is projected to grow to 181 zettabytes by 2025. That’s a threefold increase on 2020’s total. For those unaware, a zettabyte is equivalent to a trillion gigabytes.

Unfortunately, it’s easy to find equally staggering statistics around threats to data. Global cyber-attacks reached an all-time high in the final quarter of 2022. Some countries saw jaw-dropping annual increases (77% and 57% in the U.K. and U.S., respectively). And it’s not just the cyber-attacks: Data breaches and related compliance shortcomings also see companies fined millions of dollars every year.

So how should companies go about making their data ecosystems secure and resilient? Let’s consider the essential steps.

Identifying Threats and Vulnerabilities

An essential starting point is to gather a true picture of all the data-related threats the business faces.

The most obvious are probably those that hit the headlines – ransomware attacks, viruses and phishing incidents being just a few examples. Such problems are incredibly common, to the extent that nearly 90% of businesses experience them in a given year. Each incident can result in data loss, financial impact, and reputational damage.

However, these incidents only form the start of the picture. It’s not enough to purely focus on threats that originate from malicious external actors.

According to Verizon, insider threats – both accidental and malicious – now account for almost 20% of data breaches. Then there are the compliance failures that see companies being sanctioned by regulatory bodies. For example, Meta was fined 1.2 billion euros in 2023 for failing to properly adhere to GDPR guidelines.

Other data incidents may not cause direct financial impact but could still potentially compromise a business’s ability to make full use of its internal data. Accidental deletion or corruption of a data set can rob a business of its ability to properly analyze and profit from its collated information.

As should be clear from the above, it’s not enough to simply say “make sure we’re secure” and kick the problem in the direction of the IT department. The whole business has a part to play, and it begins with a top-down assessment of everywhere that threats exist.

Data Security Measures

Below is a (far from exhaustive) list of measures that businesses should consider to help protect their data:

  • Permissions and role-based access control: Increasingly, companies are seeing the value that can come from data analysis and from using tools like Power BI to compile information from disparate systems. However, there’s a balance to strike. Firms must consider the need to lock down individual silos of information to only those who need them.
    • As AI systems such as Microsoft’s Copilot continue to evolve, they will continue to create new challenges. The desire to gain insights from “all the data” mustn’t mean throwing open widespread access to all the data!
  • Encryption: Unencrypted data – both in storage and in transit – is a gift to cybercriminals. Encryption is crucial.
  • Multi-Factor Authentication: MFA is no longer just a desirable extra layer of security for financial institutions and government departments. The ubiquity of phishing means that passwords are easily compromised and cannot be relied upon as the only layer of protection.
  • IP Blacklist Checking: IP blacklists can alert businesses to online interactions with devices and networks that are known for suspicious or illegal activity.
  • Backups: Contrary to the opinion of some non-technical small business owners, having data stored “in the cloud” doesn’t mean backups are no longer something to worry about. Multiple layers of backup are particularly valuable for resilience to ransomware attacks.
  • Continuous Security Monitoring: Automated systems can consider the entire threat landscape and proactively alert businesses to anything from suspicious user activity to compliance risks and unpatched systems.

There are always more layers of security that can be added to a corporate IT system, with new systems and technologies constantly emerging that counter evolving threats. While many of these can gradually move from being “nice to have” to essential, it’s also important to consider non-technical steps.

The Human Factor

As alluded to above, some businesses succumb to the assumption that IT security is purely an IT department problem. This is wrong in several ways.

Data governance and compliance is a subject in itself – a subject that should involve the entire business and will often require a dedicated individual or department to manage it. Compliance with legislation like GDPR and CCPA is complex and spans areas such as data retention, classification, and access.

Then there’s the huge area that is user training and awareness. Not only are vast numbers of cyber breaches caused by human error (88%, according to a recent Stanford study), individual staff members’ actions can also directly impact the data ecosystem. “Simple” mistakes like saving data in the incorrect location can compromise security and result in compliance breaches.

Data protection training, like cyber awareness training, should never be a “one and done” thing. The threat landscape changes, the infrastructure grows, and the types of data used and processes continually evolve.

Planning and Testing

Just as training staff shouldn’t be treated as a task to zoom through and tick off, neither should the job of building protection for a company’s data ecosystem.

Regular penetration testing can help to shed light on shortcomings and risks, as mentioned by Vaultes. Incident response plans should be created, tested, and tweaked as needed. The time to work out how to deal with a breach shouldn’t be when one has just occurred. Statistics suggest that cyber-attacks and breaches are all but inevitable, and a lack of planning only serves to inflate the risk of financial and reputational consequences.

As is well documented, data can be immensely valuable – especially data that can help drive business decisions and increase profits. Some household name tech firms have built their entire models on such data, and even the smallest companies can learn from them.

However, both data storage and processing come with risks and responsibilities. This creates a double-edged sword. A business can delight (and profit from) customers by using their data to better serve them and predict their needs. Equally, it can alienate and anger customers when data is misused or breached. Ultimately, data, as with anything valuable, must be kept safe and treated sensitively.