Assignment task:
Data protection within an organization encompasses not only the network and IT system but the personnel. Practicing proper data protection involves the entire company's employees in being proactive and aware of their actions. Describe some of the issues that could exist if a company doesn't practice proper data protection.
In response to your peers, identify some of the strategies or tools that could be used to help remediate the issues your peers identified in their initial posts.
Response One:
Practicing proper data protection within an organization can look like many things. This starts with security awareness and ensuring that all employees understand the implications of what can happen if they are not serious about security. Security for an employee is having strong passwords, protecting sensitive information via encryption, and updating their systems regularly. Along with these come keeping usernames and passwords private, changing passwords regularly, keeping safe backups of important data, and being mindful of where installations are coming from to ensure they are not malicious. This can be taught through training provided by the company that focuses on security and what can happen when it isn't taken seriously. Although this may seem like a lot of work, it is nothing compared to what can happen when a company doesn't practice data protection.
When data is left unprotected, many things are at risk. Confidential data, the integrity of the business, and the availability of resources are all put at risk. Data breaches can cause problems that a business will have to deal with for years to come. Financial and legal trouble can come when sensitive data is exploited. It costs money to fix the security infrastructure and make sure that systems can't be breached repeatedly. If HIPAA, for example, is broken due to a breach at a medical records organization, there could be legal fees and lawsuits in order. The reputation of an organization is looked upon negatively when data is breached, especially when they are supposed to be keeping data private and out of the hands of anyone, let alone someone with bad intent. Lastly, leaving data unprotected puts it at risk for cybercriminals to gain access to highly sensitive personal information, which is detrimental to not only the company but the individuals whose information was put at risk. Overall, there are many negative outcomes that come out of data being left unprotected. These breaches can take time to fix, and it can take time for business reputation to go back to normal. It is crucial that in the workplace we take security seriously from an employee standpoint.
Response Two:
First, without strong data protection, a company is at high risk for financial loss due to data breaches. Financial loss can result from lost revenue from clients who no longer trust them as well as intellectual property leaks. There can be other costs such as settlements and compensation payouts. Meta (Facebook) was fined $1.3 billion in 2023 and Chinese firm Didi Global was fined nearly $1.2 billion in 2022 for violations of law (Sharma & Hill, 2024).
Second, weak data protection measures expose the company to legal issues, both criminal and civil. Failing to comply with industry regulations, particularly in finance and healthcare, can result in severe fines, lawsuits, and potential criminal penalties. While I've already mentioned financial loss, it's worth reiterating here and also underscoring potential criminal prosecution that affects individuals. One glaring example of this is HIPAA, with possible annual penalties of over $2 million for willful neglect and one to ten years in jail for intentional disclosures (What are the Penalties for HIPAA Violations?, n.d.).
Third, poor data security practices can lead to reputational damage. Organizations depend on partnerships, whether it's customers, suppliers, or other business partners. A data breach or insider threat incident can harm the company's image, causing them to stop doing business altogether. Again, this relates back to financial loss and the ability of an organization to continue to function.
To briefly touch on the technical implications of not practicing data protection, we would observe things like a lack of data encryption, insufficient access controls, and untrained personnel. An audit might reveal unpatched systems and applications, inadequate monitoring, and a general lack of effective configuration management practices.