Three key elements to build a "life raft" for enterprise data protection

Publisher: EEWorld资讯 | Latest update time: 2020-07-15 | Source: EEWORLD

As users' awareness of data security grows, they expect more from enterprises on data security and privacy, and how well enterprises meet those expectations determines how much users trust them. However, an effective data protection strategy must be built on a solid business foundation. Enterprises can follow the "life raft" principle (risk awareness, flexibility and trust) to deal with network threats.

 

1. Raise risk awareness

 

Management often uses return on investment (ROI) to measure team performance, but ROI structures rarely incorporate risk identification, and only Chief Information Security Officers (CISOs) focus on the company's return on risk (ROR). Incorporating ROR goals into management's priorities requires a shift in corporate culture.

 

The 2008 financial crisis, this year's COVID-19 pandemic, and various regulations, including the General Data Protection Regulation (GDPR), have highlighted the importance of risk awareness in business operations. Companies that lack risk awareness often face risks without knowing it, while companies with strong risk awareness regard security as an important part of cross-departmental process requirements, and will consider risk issues more in purchasing decisions related to everything from cloud data management to ransomware detection.

 

Key Takeaways:

 

  1. Enterprises should shift their focus from pure ROI considerations to a balance between ROI and ROR.

  2. Make full use of the Chief Information Security Officer's role in risk identification and warning within corporate management.

 

2. Enhance flexibility

 

Under complex and changing social and economic conditions, flexibility will become the source of competitive advantage for enterprises, helping them cope with crises and seize important opportunities. Article 32 of the General Data Protection Regulation (GDPR) stipulates that enterprises need to meet the following requirements from a technical and organizational level:

  • Ensure the confidentiality, integrity, availability and resilience of systems and services;

  • Restore the availability and accessibility of personal data in a timely manner in the event of a physical or technical incident;

  • Regularly test and evaluate the effectiveness of the company's technical and organizational measures to ensure the security of the processing.

 

GDPR requires companies that handle EU citizens' data to have effective backups for restoring systems and maintaining business continuity. In fact, effective data backup and regular testing and evaluation of cybersecurity processes should be common practice for all companies around the world, not just a regulatory requirement. At the same time, companies should test the response capabilities of their crisis teams (including those responsible for technology, legal affairs, corporate reputation, and social media) through immersive simulation exercises rather than lecture-style training. Such exercises also help management identify cyber risks and better appreciate the need for crisis preparation.

 

Key Takeaways:

 

  1. Regularly test and evaluate your organization’s cybersecurity processes, including your backups

  2. Build a comprehensive cybersecurity incident response plan for your business and validate it through immersive simulation exercises

 

3.  Strengthen public trust

 

Ransomware is a typical cybersecurity threat. Today, even if companies pay the ransom, there is no guarantee that their encrypted data can be recovered, let alone that the ransomware has not left a backdoor in the company's systems for the next ransom demand. Worse, the extortion method has shifted from denying companies access to their data to threatening to disclose their sensitive data. In recent years, the number of ransomware incidents has been on the rise, and the average ransom amount has continued to rise. The resulting downtime, reputational damage, recovery costs, regulatory fines and lawsuits bring even greater, hard-to-measure losses to companies.

 

Crisis management theory holds that there is a "golden period" after a crisis event, when companies can win public support by responding quickly and showing empathy to users. However, in a cybersecurity crisis, the "golden period" does not exist, and the media and the public will blame the company for data loss and leakage rather than the hackers. Rapid evidence collection and damage assessment after a crisis can help companies fix vulnerabilities and prepare the necessary legal statements and brand strategies. At this point, brand trust is the top priority: companies should strive to maintain public trust in their brands, and then repair their reputation through long-term public opinion influence and control.

 

Key Takeaways:

 

  1. Build brand trust and respond quickly after a crisis.

  2. Cybersecurity crises cannot be dealt with in the same way as other crises. Companies must be fully prepared in terms of legal and corporate reputation evidence.

  

If you are prepared, you will be safe. If the market is an ocean, then by increasing risk awareness, flexibility and public trust we can build a data protection "life raft" for enterprises, one that not only provides effective protection for enterprises and their users when crises occur, but also safeguards the long-term development of enterprises.
