In 2016, Yahoo was finalising its sale to Verizon Communications, but in September of the same year, the web services provider found itself in hot water and was subject to numerous class-action lawsuits and public scrutiny. What was the reason behind Yahoo’s sudden fall from grace?
A significant data breach that had occurred in 2013 but was not publicly disclosed until 2016. The breach compromised the user information of over 1 billion user accounts and is considered one of the biggest data breaches to date. This cybersecurity incident left Yahoo facing severe reputational damage as well as legal and financial ramifications.
Fast forward to 2023: data breaches continue to rise, and according to IBM’s 2022 security report, cyber-attacks that exploit vulnerabilities increased by 33% between 2020 and 2021. This explains why organisations are doubling down on building the capabilities required to prepare for and respond to cybersecurity incidents.
However, the continuous proliferation of digital networks and data volumes does not make this an easy task. With the added challenge arising from remote working, organisations must maintain a delicate equilibrium between enabling productivity and safeguarding data throughout the entire data lifecycle. This is where data governance comes into play.
In this blog post, we will take a look at how effective data governance can help organisations streamline their cybersecurity efforts.
Cybersecurity and data governance
To understand how cybersecurity and data governance are connected to each other, we need to start by understanding what each of them does. The focus of cybersecurity is on protecting the organisation’s infrastructure and data against unauthorised access, attack, or damage. However, how do you protect your data if you do not have complete visibility over it? Data governance is the key.
The role of data governance in an organisation is to help define what data assets it has, where the data is located, who can take actions with it, when they can, and under what circumstances. Knowing the value of the data that you possess, its location and who has access to it helps you to allocate the right resources to protect it. In simpler words, understanding the sensitivity associated with a data set could help organisations to assign the appropriate information security controls needed to protect it. Thus, data governance plays a critical role in your organisation’s wider cybersecurity strategy.
Leveraging data governance for an effective cybersecurity strategy
Effective data governance requires discovery and classification. By understanding what data assets you hold, where they are, and who has access to them, you will be better equipped to use, manage and protect them. However, with the growing usage of cloud-based ‘as-a-service’ platforms, an organisation’s data is no longer located in just one place or even held in a common format, which makes this even more challenging to achieve.
Thus, the data discovery process requires tooling to help automate and scale the process in a way that a human cannot. The tooling should connect to any type of data source in multiple locations, work with multiple formats of data, and have different techniques to help identify data assets that are important for an organisation to discover. Without this, organisations could be exposed to significant risk when an unsecured data asset suffers a security or privacy breach.
Now let’s talk about the data classification process. As with discovery, the approach towards classification is critical, and automation is the key. Automatically applying intuitive classification types helps an organisation understand its compliance with regulations like GDPR and CCPA and with contractual obligations, and to understand whose PI (personal information) and PII (personally identifiable information) is stored where, and of what type. Without the right data classification tool and processes, organisations will have to resort to manually processing and isolating the more sensitive data, which can be both ineffective and time-consuming.
Having the right data discovery and classification processes in place will help organisations gain data governance insights that could be used to make more informed decisions in terms of determining the exact level of data protection and security controls that should be applied to each data set. These insights could also be used to enable smarter decision-making in terms of the allocation of security resources to support data protection goals.
Without them, organisations may adopt a blanket approach, applying strategies such as least privilege management to all data sets, regardless of their classification. While zero trust offers enhanced security, it should only be utilised for high-value or high-risk data sets. Implementing it universally can quickly become costly and hinder productivity. Conversely, some organisations have applied zero trust selectively, focusing on functions like finance and HR based on the nature of the data used and created. However, this approach risks overlooking other important data sources within the wider ecosystem – resulting in potentially serious governance blind spots.
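To make the discovery-and-classification loop described above concrete, here is a small added example (not code from the original post or from any vendor tooling). It scans two constructed sample data sets, detects a few PII patterns per column (e-mail addresses, phone numbers, and payment card numbers validated with the Luhn check so that arbitrary long digit strings are not mislabelled), rolls each column up to a sensitivity tier, and maps that tier to an illustrative control set. The source names, tier names and control lists are all assumptions chosen for illustration. Note how the free-text ticket body in the help-desk system, which a function-based approach focused on finance or HR would never look at, still turns out to hold PII: that is exactly the blind spot the paragraph above warns about.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (not real records): two sources a discovery tool might
# connect to, a CRM customer table and a help-desk ticket table.
SAMPLE_SOURCES = {
    "crm.customers": [
        {"id": 1, "name": "A. Example", "email": "a.example@example.com", "card": "4111 1111 1111 1111"},
        {"id": 2, "name": "B. Sample", "email": "b.sample@example.org", "card": "5500 0000 0000 0004"},
    ],
    "helpdesk.tickets": [
        {"ticket": 101, "subject": "Login failing", "body": "Cannot sign in since Monday"},
        {"ticket": 102, "subject": "Invoice", "body": "Call me on +44 20 7946 0000"},
    ],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d ()-]{8,}\d")
CARD_RE = re.compile(r"(?:\d[ -]?){13,19}")  # 13-19 digits with optional separators

# Illustrative tiers and controls (assumed, not from the original post).
TIER_ORDER = ["internal", "confidential", "restricted"]
TIER_BY_LABEL = {"payment_card": "restricted", "email": "confidential", "phone": "confidential"}
CONTROLS_BY_TIER = {
    "restricted": ["encrypt at rest", "tokenise in non-production copies", "quarterly access review"],
    "confidential": ["encrypt at rest", "role-based access", "annual access review"],
    "internal": ["standard access logging"],
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to confirm a digit run is plausibly a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2 if d * 2 <= 9 else d * 2 - 9
        total += d
    return total % 10 == 0


def detect_labels(value: str) -> set:
    """Return the set of PII labels found in a single cell value."""
    labels = set()
    if EMAIL_RE.search(value):
        labels.add("email")
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            labels.add("payment_card")
    # A card number also looks like a long phone number; only label it a phone
    # when no valid card was found in the same value.
    if "payment_card" not in labels and PHONE_RE.search(value):
        labels.add("phone")
    return labels


def highest_tier(labels: set) -> str:
    tiers = [TIER_BY_LABEL[label] for label in labels]
    return max(tiers, key=TIER_ORDER.index) if tiers else "internal"


@dataclass
class ColumnFinding:
    source: str
    column: str
    labels: set = field(default_factory=set)
    tier: str = "internal"
    controls: list = field(default_factory=list)


def discover(sources: dict) -> list:
    """Classify every column of every source and attach the matching controls."""
    findings = []
    for source, rows in sources.items():
        per_column = {}
        for row in rows:
            for column, value in row.items():
                per_column.setdefault(column, set()).update(detect_labels(str(value)))
        for column, labels in per_column.items():
            tier = highest_tier(labels)
            findings.append(ColumnFinding(source, column, labels, tier, CONTROLS_BY_TIER[tier]))
    return findings


def source_tier(findings: list, source: str) -> str:
    """A data set inherits the highest tier of any column it holds."""
    tiers = [f.tier for f in findings if f.source == source]
    return max(tiers, key=TIER_ORDER.index) if tiers else "internal"


if __name__ == "__main__":
    results = discover(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.source}.{f.column}: {sorted(f.labels) or '-'} -> {f.tier}: {', '.join(f.controls)}")
    for src in SAMPLE_SOURCES:
        print(f"{src} overall tier: {source_tier(results, src)}")
```

Run as a script it prints one line per column with its labels, tier and controls, then the overall tier per source. Real tooling adds many more detectors (national identifiers, health data, credentials) and confidence scoring, but the structure is the same: detect, roll up to a tier, and let the tier drive which controls and how much security budget each data set receives.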
Data governance: The key to implementing an effective cybersecurity strategy
Without an effective data governance strategy, organisations cannot guarantee the integrity and accuracy of their data and are at greater risk of failing to comply with regulatory requirements.
In addition, data governance plays a vital role in protecting an organisation’s data by ensuring that the right people have the right access. Based upon the criticality or sensitivity of the data sets, it also ensures that the right security controls are in place to protect each system or service. It is these insights that help organisations to identify their high-value and high-risk data sets and allocate specific resources to protect this data, thereby implementing an effective cybersecurity strategy.
Summing up, a good data governance programme is a significant contributor to the effective management of cybersecurity risk through effective discovery and classification – helping organisations to understand where and how to safeguard their data.
At Nephos, we combine technical expertise and the strategic business value of traditional professional service providers to deliver innovative data solutions. Not sure where to begin? Discover our Data Governance-as-a-Service (DGaaS) — where our data experts provide the insights you need to enhance your organisation’s compliance and efficiency.