In an age when data breaches are almost as common as coffee breaks, understanding the threat landscape is more than just a risk management task; it’s a strategic imperative that must be woven into the fabric of every employee’s workflow.
In 2023, publicly reported data compromises increased by 78%, reaching a total of 3,205 incidents. This figure represents a 72% rise from the previous peak of 1,860 data compromises set in 2021, as reported in the Identity Theft Resource Center’s (ITRC) 2023 Data Breach Report.
In March, we published an article which introduced a five-step strategy for improved security and compliance. This month, we’re delving deeper into step 3: aligning data protection initiatives with risk management principles.
In an era dominated by digital advancements, the safeguarding of sensitive information has become paramount. The exponential growth of data brings with it a corresponding increase in risks, making robust data protection strategies indispensable for organisations across industries. So, read on as we unpack the intricacies of data protection and risk management, revealing key concepts and best practices to fortify digital assets against looming threats.
Responsibilities of Risk Management in a Data-Driven World
According to Forbes, “From 2010 to 2020, the amount of data created, captured, copied, and consumed in the world increased from 1.2 trillion gigabytes to 59 trillion gigabytes, an almost 5,000% growth.” And almost halfway through the next decade, at the start of 2024, the global total was 5.35 billion terabytes (or 5.35 zettabytes), with the IDC predicting that by 2025, this volume will have ballooned to 175 zettabytes. That is an eye-watering rate of expansion by anyone’s measure, and it brings with it complexities of risk that will impact all industries, everywhere.
In today’s interconnected world, where cyber threats come from all sides, the importance of data protection cannot be overstated. The more digitalised your business becomes; the greater volume of sensitive information is in your care. But who is the ‘you’ in this context?
The simple answer is ‘everyone’. Wherever you sit in the hierarchy of your chosen profession, the chances are you are both handling, and creating data. And with the proliferation of A.I. enhanced tools now infiltrating the workplace, keeping track of, and protecting this information can feel a little like ‘herding cats’ – in other words, practically impossible. Helping all stakeholders to understand the vital part they must play in safeguarding the organisation, is a fundamental step towards risk management in this environment. But it won’t be as straight-forward as it sounds, as author David Brin pointed out when he said “When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”
This is why we believe Identity Access Management (IAM) stands at the forefront of data protection initiatives, serving as the gatekeeper to digital realms that allows users to ‘own’ their role in combatting cyber-threats. IAM systems also provide clarity and accountability, meticulously regulating access rights, authentication, and authorisation, thereby thwarting unauthorised entry and fortifying data integrity.
Opportunity vs. Obstacle
The risk landscape is not getting any easier to navigate. But instead of viewing this as an encumbrance, let’s explore the concept of seeing it as an opportunity.
The PwC 2023 Global Risk Survey highlights several key trends and insights in this respect and how organisations can adapt to view these challenges as opportunities:
- Increasing Risk Exposure: Over 70% of executives reported a rise in the volume and complexity of risks over the past three years. This indicates a rapidly changing risk environment that businesses must navigate.
- Strategic Risk Management: Approximately 60% of organisations are incorporating risk management into their strategic planning. This integration helps businesses align their risk strategies with their overall objectives, turning potential threats into opportunities for growth and innovation.
- Technology and Data Utilisation: 59% of executives stated that advanced technologies like AI and data analytics are critical in managing risks. These tools enable better prediction, identification, and mitigation of risks, enhancing organisational resilience.
- Focus on Cybersecurity: Cyber threats remain a top concern, with 80% of respondents prioritising cybersecurity measures. This focus is crucial for protecting digital assets and maintaining stakeholder trust in an increasingly digital business landscape.
- Regulatory Compliance: Compliance with evolving regulations is a significant challenge, with 65% of executives highlighting the importance of staying ahead of regulatory changes. Proactive compliance strategies can prevent legal issues and foster a culture of accountability.
These insights emphasise that while the risk landscape is indeed complex and challenging, businesses that leverage strategic risk management, technology, and proactive compliance can transform these challenges into opportunities for resilience and growth.
The Importance of Data Classification
When it comes to enterprise resource planning (ERP) systems, the classification of data in terms of criticality and sensitivity is essential for ensuring data quality, security, and regulatory compliance. ERP systems are comprehensive software platforms used by organisations to manage and integrate crucial business processes across various departments. These systems hold vast amounts of data, ranging from financial records and human resources information to supply chain management details, Understanding, and properly classifying this data couldn’t be more important.
Data classification involves categorising data based on its level of importance and sensitivity. This process helps in determining how data should be handled and protected. In ERP systems, data classification plays a crucial role for several reasons:
- Data Security: By classifying data based on sensitivity, organisations can implement appropriate security measures to protect sensitive information from unauthorised access and breaches. For example, personal identifiable information (PII) or financial data requires higher security levels compared to general operational data. (Microsoft)
- Regulatory Compliance: Different types of data are subject to various regulatory requirements. For instance, financial data must comply with standards like the Sarbanes-Oxley Act (SOX), while health-related data needs to adhere to the Health Insurance Portability and Accountability Act (HIPAA). Proper classification ensures that organisations meet these regulatory obligations, avoiding legal penalties and reputational damage (IBM).
- Efficient Data Management: Classifying data helps in managing it more effectively. It allows organisations to prioritise critical data, ensuring it is accurate, accessible, and secure. This leads to improved decision-making and operational efficiency. (Microsoft)
ERP systems integrate and store data from various business functions. The criticality and sensitivity of this data can vary significantly:
- Critical Data: This includes data that is essential for the core operations of the organisation. Examples include inventory levels, order processing information, and financial transactions. Any compromise or loss of critical data can disrupt business operations and lead to significant financial losses.
- Sensitive Data: This refers to data that must be protected due to privacy or security concerns. Examples include employee records, customer information, and proprietary business information. Sensitive data often overlaps with critical data but emphasises the need for privacy and security controls to prevent unauthorised access and data breaches.
Understanding your data in this granular way will ease the transition into digitalisation and allow you to classify information more accurately.
5 Steps for Effective Data Classification
As we’ve described the importance of data classification, let’s now look at a 5-step strategy for successful execution. From the outset it’s important to remember that these principles must apply to master data (product, price, supplier etc.) as well as transactional data connecting your business to external sources:
- Identify Data Types: Start by identifying and cataloguing all types of data stored within the ERP system. This involves understanding the source, format, and usage of each data type.
- Define Classification Criteria: Establish criteria for classifying data based on its criticality and sensitivity. This can include factors like the potential impact of data loss, regulatory requirements, and the level of confidentiality required.
- Assign Classification Levels: Assign classification levels to data based on the defined criteria. Common classification levels include public, internal, confidential, and restricted.
- Implement Security Controls: Based on the classification levels, implement appropriate security controls to protect the data. This can include encryption, access controls, and regular audits to ensure compliance with security policies.
- Regularly Review and Update Classifications: Data classification should not be a one-time activity. Regularly review and update classifications to account for changes in data usage, regulatory requirements, and business priorities.
For further information about implementing an effective and secure ERP system, read Forbes’ excellent 9-setp guide on the topic.
Aligning Data Protection with Risk Management
And so, we circle back to the main theme of this article, the link between risk management and data protection. There is now a seemingly endless list of choices when it comes to governance, risk, and compliance (GRC) tools and a burgeoning attack surface to protect as automation and A.I. continue to boom. Deploying strategies like Identity Access Management (IAM), together with a rock-solid data classification system inside an effective Enterprise Resource Platform (ERP), are your best chance of turning these increased risks into real opportunities. Opportunities to built trust with your staff and customers. Opportunities to rise above your competition with better products and more reliable services. Opportunities to leverage the value of data through AI training models and the applications they drive. And the opportunity to increase profit margins as you take control of your digital assets rather than allowing them to control you.