Originally published on the Barracuda Blog, June 10, 2019, by Anastasia Hurley
The frequent headlines around spear phishing and ransomware serve as regular reminders that data protection is critical to a business. The City of Baltimore, Oklahoma City Public School, and Wolverine Solutions Group are just a few of the organizations that have fallen victim to ransomware attacks in recent months. Despite the ubiquity of these threats, many businesses are unprepared for this type of crime or any other catastrophic business loss. Sometimes this is due to a misunderstanding or misconfiguration of the backup solution, and sometimes it’s just a matter of business managers working so hard on growing the business that they just don’t think about how to protect the business data.
Conventional wisdom around data backup and protection is that it’s a necessary but routine task for any modern business. But what if it was possible to use this routine task as a differentiator for your business? What if you could manage your data protection in such a way that it added value to your brand?
Compliance is not optional
Let’s start with the low-hanging fruit that is regulatory compliance. Most regions and industries have regulations that govern data collected in the course of doing business. HIPAA, for example, requires that healthcare providers keep patient information secure, maintain an offsite backup, and more. Companies can use these mandated standards as an opportunity to communicate their efforts to protect consumer information. This is especially true for companies that operate above the minimum legal requirements.
While the mega breaches get all the attention, studies have shown that most SMBs have to close their doors after a cyberattack. There are several reasons (and a few more) why this may be the case, but the one we’re looking at is the fact that SMBs simply do not have the cushion necessary to absorb the downtime or recovery costs after an attack. A proactive data protection plan means that you can speak confidently about the availability of your business services, at least in terms of data being accessible when needed.
Remember that data protection isn’t just backup; it’s also a matter of securing the data that is collected. Backing up your data doesn’t prevent it from being accidentally exposed to outsiders or stolen by someone with malicious intent. Here are some of the data protection controls you might have in place that offer business value outside of their specific purposes:
- The Principle of Least Privilege
- Consistent encryption practices
- Data Loss Prevention technology
- A Zero Trust model
- Employee training
Controls like these can provide enormous benefit to your customers, and over time can build consumer trust in your brand.
Customers want to know
Earlier this year, IBM’s Institute for Business Value released this survey data:
- 89% say technology companies need to be more transparent about their products.
- 75% say that in the past year they’ve become less likely to trust companies with their personal data.
- 88% say the emergence of technologies like AI increases the need for clear policies about the use of personal data.
While it’s not clear how much this impacts consumer behavior, it is in line with other recent studies showing that consumer concern is increasing.
Many disaster recovery plans are a disaster! While most (69%) organizations claim to have a DR/BC plan, more than half (52%) don’t currently test it.
Not all businesses will be able to benefit from this kind of communication, but they should still go through the exercise of closely examining how the business data is being protected. If nothing else, this will help you find any problem areas that have gone unnoticed.
Also, consider whether you are comfortable having your employees or consultants share information about your data protection strategies. You might decide that it’s best to not share any information at all. If you do not already have confidentiality agreements in place, make sure you communicate your expectations to the right people.