The issue of protecting sensitive data is challenging for every organization, given how essential data has become to digital businesses, ecommerce brands, and financial institutions. Unfortunately, data theft due to breaches, leaks, exposures, and other compromises are all too common in the digital landscape, meaning organizations are failing to establish effective security postures. The ultimate cost and consequences of data breaches can be far-reaching and even permanently damage a company’s reputation.

There is a growing consensus that if a set of data does not add value to an organization or enable essential operations, it should not be stored. However, if an organization does decide to store data, there are responsible steps that can be proactively taken to ensure the data is protected. In fact, many industry best practices can help satisfy relevant regulatory compliance obligations, too. For example, leveraging additional security measures such as format-preserving encryption or tokenization meets common security requirements for data protection while keeping elements of the original data, which retains its usefulness to the business.

A harsh dose of reality is that no solution can claim to be a surefire or foolproof way to stop data breaches. The goal of this article is to impart simple security rules or wisdom, to help companies construct stronger cybersecurity strategies, and to ultimately build a solid foundation for protecting the data that is critical to digital business operations.

You cannot secure the unknown.

To determine the scale of the sensitive data in an organization, there needs to be a sufficient data discovery process. The idea is to also rigorously evaluate the risk of storing sensitive data versus its utility for analytics and other business purposes. Using tools to find and classify, or “map,” the sensitive information within the environment can streamline the process.

After it has been mapped, organizations can understand the scope of data to be secured and can begin to go about reducing associated risks. For instance, data shared with a third party or data that’s accessible to multiple employees via the network where data is stored is at greater risk for exposure. To reduce the risk of compromise or improper handling of data, teams might minimize the number of individuals or systems that are in contact with sensitive information.

You cannot skip the perimeter.

Although they cannot be the only measures used for protecting sensitive data, all traditional methods of perimeter security must still apply to an organization’s overall security posture. A layered approach includes the installation and maintenance of effective firewalls that track and monitor network traffic to determine who or what is allowed to access the environment. A starting point is to ensure you’re using a private network with a sufficiently strong and complex password on the router. A critical step further is requiring passwords for all individuals to access the environment, explicitly using strong and unique passwords for each account to avoid credential-stuffing attacks that steal login information to gain access to multiple accounts.

It’s important to also avoid unsecured employee routers, mobile devices, or hotspots, especially ones with public connections, as these introduce unprotected access points and weaken the security chain. Always utilize two-factor authentication, which requires multiple forms of identification to confirm user identity, and deploy and maintain an antivirus software program that can detect and remove various types of malwares, preventing them from penetrating systems or otherwise disrupting the network.

You cannot lose what is not there.

Still, some believe it is an inevitability that a data breach will occur. I do not recommend shifting the focus to plans for recovery rather than on intrusion prevention measures. Although it is crucial to maintain a detailed plan for recovery, that is just one part of the picture. Actively working to prevent breaches can slow the progress of the hackers and minimize the potentially negative impacts of a breach. We have already covered several proven security practices that can be effective at stopping data theft, using practices that align closely with industry requirements for regulatory compliance.

Tokenization can take this process even further by removing sensitive data from the environment altogether. We explain this to our customers very simply: no data, no theft. Due to its superior security, flexibility, and simplicity, tokenization is being widely adopted by organizations around the world to address concerns surrounding data protection and regulatory compliance.

Whether organizations need to satisfy privacy regulations, de-identify the sensitive data sets within systems, or help protect payment information in all its forms, tokenization is highly effective. By replacing data with a non-sensitive token, a breach would fail to yield any valuable or useable information. Tokens are worthless to cybercriminals, as they cannot steal data that is not there. Tokens are also useful in limiting internal risks of unnecessarily exposing data or having it be shared or mishandled. No data, no theft.