It doesn’t matter if you’re a start-up or a multi-national conglomerate; the stark reality is that at some point, every business (including yours) will face a breach event. According to the 2022 Cost of a Data Breach Report, 83% of organizations studied have had more than one data breach—a figure which continues to climb year-over-year.
The proliferation of sensitive data across company networks has essentially leveled the playing field, and with it the overall attack surface. Small and midsized businesses hold the same kinds of high-value data as their larger peers, albeit in different volumes.
Personally Identifiable Information (PII) was the top category of confidential data compromised in the breaches tracked by the 2023 Verizon Data Breach Investigations Report (DBIR), followed by credentials and internal data.
The Verizon DBIR highlights growing similarities between the enterprise and SMB attack surface. According to the report, small businesses with fewer than 1,000 employees experienced 699 incidents, 381 of them with confirmed data disclosure. Compromised data included credentials (54%), internal data (37%), other (22%) and system data (11%).
Comparatively, large businesses with more than 1,000 employees experienced 496 incidents, with compromised data split across internal data (41%), credentials (37%), other (30%) and system data (22%).
Interestingly, the number of incidents reported by small and midsized businesses surpassed the number reported by larger organizations. Over the years much has been said about the lack of cybersecurity preparedness and resourcing at small and midsized businesses. Midsized businesses have made huge strides in recent years, but they are still playing catch-up when it comes to security maturity.
Security maturity—or the preparedness and position of an organization based on its cyber risk—varies depending on the size of the business in question, its resources, and the level of security controls and technology it has in place. Various initiatives act as building blocks that when pieced together build up security maturity.
Typically, initiatives align to three levels: basic (level 1), advanced (level 2), and expert (level 3), with initiatives meeting these general measurements:
Level 1 = Awareness and proactive planning
Level 2 = Implementing core components of the plan
Level 3 = Striving to be at least 80% in compliance with CIS benchmarks
What are the CIS benchmarks?
The CIS (Center for Internet Security) benchmarks are consensus-based best practices developed by a group of global cybersecurity professionals and subject matter experts. The benchmarks form security control guidelines that help IT and security teams focus on the secure configuration of multiple systems commonly used in business environments. We cover more on the CIS benchmarks in another blog post.
CIS benchmark recommendations are grouped into three profiles:
- Level 1 – the simplest to implement in organizations of all sizes
- Level 2 – controls considered for defense-in-depth (for more mature organizations)
- STIG Profile (formerly level 3) – overlapping recommendations from both Level 1 and Level 2 for more comprehensive benchmarks coverage
The CIS Controls v8 is a prioritized list of safeguards that is mapped to and referenced by compliance frameworks and guides such as the NIST Cybersecurity Framework (CSF), NIST Special Publication 800-53 Rev. 5, NIST Special Publication 800-171 Rev. 2, the Cybersecurity Maturity Model Certification (CMMC), the Cloud Security Alliance Cloud Controls Matrix (CSA CCM), the AICPA Trust Services Criteria (SOC 2), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Like all data protection and data privacy-focused frameworks, the CIS benchmarks are designed to protect sensitive data. Fundamentally, CIS benchmarks support data protection, data loss prevention, and data resiliency. They drive home the importance of knowing what sensitive data the organization has, how it’s used, and what measures are in place to protect it. Instituting and maintaining basic controls mitigates the risk of misconfigurations, protects data, and supports resiliency.
Preparing for data loss
Beyond the obvious financial cost of a breach event (IBM pegs the average total cost of a data breach at $4.45 million USD in its 2023 Cost of a Data Breach Report), organizations face potential regulatory fines and penalties, and ripple effects that damage not only an organization's reputation but also its path to continued prosperity.
The 2022 IBM Cost of a Data Breach report found that 60% of organizations’ breaches led to increases in prices passed on to customers, while 19% of breaches occurred because of a compromise at a business partner. These are two poignant statistics that loosely translate to reputational damage and loss of trust (AKA customer attrition), third-party risk, and increased operational risk.
Minimizing the impact of data loss on your business starts with putting the right preventative controls in place to mitigate the risk of data loss in the first place. This is achieved by understanding key data protection, data loss prevention, and data resiliency best practices.
Here are five foundational considerations that can help you and your team mitigate and manage the risk of data loss and its impacts:
- Build a data inventory: an organization must first determine what type of valuable information it has before it can implement security measures and tools. Using automated data discovery and classification tools like the Cavelo platform can help you discover sensitive data on a continuous basis, manage an up-to-date data inventory, and institute a classification model that aligns to the different types of data your business uses, stores, and shares and its associated risk.
- Ensure you have a reliable backup plan in place, with backup copies kept isolated from production credentials (so a compromised account cannot delete them along with the originals) and restores tested on a regular schedule rather than assumed to work.
- Run regular risk management assessments to identify any potential areas for improvement or vulnerabilities that may lead to security breaches or data loss.
- Use detection and response technology to find and contain threats before they become business-impacting. Plugging your data discovery and classification resources into your threat detection and response tools enriches incident investigations, improves time to response, and supports remediation efforts.
- Update and maintain your organization’s disaster recovery plan.
Data loss prevention strategy starts with knowing what data exists on every endpoint across the network. With full visibility, businesses can establish a comprehensive data inventory, and better identify the tools they need to encrypt and protect sensitive company data, all by data type.
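To make the inventory-by-data-type idea concrete, here is an added example of a minimal discovery and classification scan; it is illustration code written for this post, not the Cavelo platform's implementation or any vendor's classification model. It walks a directory tree, looks for three common PII patterns in text files (card numbers validated with the Luhn checksum to cut false positives, US-style SSNs, and e-mail addresses), assigns each file the most sensitive label that fired, and returns the inventory sorted so the files needing attention first sit at the top. The detector patterns, the three-tier label scheme (`restricted` / `confidential` / `internal`) and the sample files it creates are all assumptions made for the demonstration.

```python
"""Minimal data-discovery and classification scanner (added illustration).

Everything here (patterns, labels, sample files) is an assumption made for
this example; it is not a vendor's discovery engine or classification model.
"""
import os
import re
import tempfile
from collections import Counter

# Label ranks: a file gets the highest-ranked label among detectors that fire.
LABELS = {"restricted": 3, "confidential": 2, "internal": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; rejects most random 16-digit runs."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# detector name -> (regex, optional validator on the matched text, label)
# Deliberately simple; production tooling adds context and proximity checks.
DETECTORS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"),
                    lambda m: luhn_ok(re.sub(r"[ -]", "", m)), "restricted"),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None, "restricted"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None, "confidential"),
}


def scan_text(text: str) -> Counter:
    """Count validated matches per detector in one piece of text."""
    hits = Counter()
    for name, (pattern, validate, _label) in DETECTORS.items():
        for match in pattern.findall(text):
            if validate is None or validate(match):
                hits[name] += 1
    return hits


def label_for(hits: Counter) -> str:
    """Most sensitive label among the detectors that fired; 'internal' if none."""
    best = "internal"
    for name in hits:
        label = DETECTORS[name][2]
        if LABELS[label] > LABELS[best]:
            best = label
    return best


def scan_file(path: str, max_bytes: int = 1_000_000):
    """Classify one file; returns None for binary files (NUL byte seen)."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    if b"\x00" in data:
        return None
    hits = scan_text(data.decode("utf-8", errors="replace"))
    return {"path": path, "label": label_for(hits), "hits": dict(hits)}


def build_inventory(root: str) -> list:
    """Walk root and return one entry per text file, most sensitive first."""
    inventory = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            entry = scan_file(os.path.join(dirpath, name))
            if entry is not None:
                entry["rel"] = os.path.relpath(entry["path"], root).replace(os.sep, "/")
                inventory.append(entry)
    inventory.sort(key=lambda e: (-LABELS[e["label"]], e["rel"]))
    return inventory


# Constructed sample files for the demonstration; none of this is real data.
# The second card number in refunds.txt fails Luhn and must not be counted.
SAMPLES = {
    "hr/payroll.csv": "name,ssn,email\nA. Person,123-45-6789,a.person@example.com\n",
    "finance/refunds.txt": "card 4111 1111 1111 1111 refunded; ref 1234 5678 9012 3456 ignored\n",
    "eng/notes.md": "Sprint notes: nothing sensitive here.\n",
    "eng/build.bin": "\x00\x01binary\x00",
}


def build_sample_tree() -> str:
    """Write the constructed samples into a fresh temp directory and return it."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    for rel, content in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for entry in build_inventory(build_sample_tree()):
        print(f"{entry['label']:<12} {entry['rel']:<22} {entry['hits']}")
```

Run as a script it prints the two `restricted` files first, then the `internal` notes file, and skips the binary. The Luhn check is the part worth copying: without it, any 16-digit reference number (order IDs, tracking numbers) lands in the inventory as a card number and the classification loses credibility with the teams who have to act on it.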
Open our Data Protection Solutions Guide PDF to learn how you can improve your organization’s security maturity and mitigate data loss.