$4.88 million
Is it time to refresh your data protection program?
September 22, 2025 | 3 minute read
Key Takeaways
- Effective data protection depends on full visibility into what data your organization relies on, where it is stored and who can access it.
- Plan to manage the risks associated with insider threats, whether they involve employees lacking cyber-awareness or those who intentionally misuse or steal company data.
- Consistent enforcement of data monitoring protocols, employee training and regular review can help your company deal with evolving data threats.
The sheer volume of intellectual property data, customer personally identifiable information (PII), employee PII and other data categories can make it difficult for companies to control who has access to data and where they store it.
As more operations move to cloud environments and incorporate artificial intelligence (AI) and machine-learning (ML) functionality, data is traveling over many new pathways and being used in many new tools and to train ML models. Each new pathway and use case represents a potential data breach.
Average global cost of a data breach, February 2024.1
While most companies have implemented data protection programs, another study found that 73% of cybersecurity leaders believe these programs’ guidelines are insufficient, and most believe their companies are not fully compliant with data protection laws.2
Fundamentals of a data protection plan
Complete data discovery and inventory
Many organizations lack complete visibility into the types of data they possess and where they store it. Data discovery helps companies classify data types and segment out data that requires robust protection.
Create and review data usage policies
Cloud deployments have contributed to decentralized data storage, which can elevate data breach risk and lead to more expensive breach response.3 Consider whether centralized data storage is feasible for your business practices and create policies that enforce your chosen storage approach.
Track shadow data
Shadow data is involved in one-third of recorded breaches and can also result in regulatory compliance violations.4 Consider cloud data security solutions and inform employees about the risk of handling and storing data outside of established company policies.
Enable and enforce identity and access management
Many data breaches begin when bad actors capture employee credentials and use them to access critical data and systems. Identity and access management supported by multifactor authentication, passkeys and other protections can mitigate this cyber-based threat.
Invest in AI and ML-enabled security
Automated security and AI-driven analysis can help address the ongoing lack of security talent and contribute to lower data breach costs and shorter remediation times.5
Encrypt all important data
Your company should encrypt all proprietary and high-value data, or any data that could lead to regulatory, financial or reputational damage if it is stolen or lost.
Create a response plan for data breaches
Every company is at risk of data breaches, so the best approach is to anticipate a data theft or loss event and create an actionable plan to detect the breach and minimize its effects. Identify key stakeholders, assign response tasks and update the plan regularly.
Invest in employee training
Educating your workforce about the threat of phishing, credential theft and data theft is among the most effective means to reduce the overall costs of data breaches.6 Emphasize the importance of cybersecurity and data protection across your organization.
The combination of elevated risk and dynamic data creation and use means that data protection programs must continue to evolve. Your organization should regularly evaluate what data is essential, who uses it, how it is protected and how the organization will respond in the event of a data breach.
While every organization’s approach will have unique features, the considerations above can help you create, review and maintain a data protection program that supports security and benefits your business operations.
Explore more
Security & Information Management
Phishing. Vishing. Smishing. Keeping up with threats from scams, fraud and cyberattacks is difficult. Our resources and insights can help you protect your company and customers.
Important Disclosures and Information
Bank of America, Merrill, their affiliates and advisors do not provide legal, tax or accounting advice. Consult your own legal and/or tax advisors before making any financial decisions. Any informational materials provided are for your discussion or review purposes only. The content on the Center for Business Empowerment (including, without limitations, third party and any Bank of America content) is provided “as is” and carries no express or implied warranties, or promise or guaranty of success. Bank of America does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content, regardless of who originates that content, and disclaims the same to the extent allowable by law. All third party trademarks, service marks, trade names and logos referenced in this material are the property of their respective owners. Bank of America does not deliver and is not responsible for the products, services or performance of any third party.
Not all materials on the Center for Business Empowerment will be available in Spanish.
Certain links may direct you away from Bank of America to unaffiliated sites. Bank of America has not been involved in the preparation of the content supplied at unaffiliated sites and does not guarantee or assume any responsibility for their content. When you visit these sites, you are agreeing to all of their terms of use, including their privacy and security policies.
Credit cards, credit lines and loans are subject to credit approval and creditworthiness. Some restrictions may apply.
Merrill Lynch, Pierce, Fenner & Smith Incorporated (also referred to as “MLPF&S" or “Merrill") makes available certain investment products sponsored, managed, distributed or provided by companies that are affiliates of Bank of America Corporation (“BofA Corp."). MLPF&S is a registered broker-dealer, registered investment adviser, Member SIPC, and a wholly owned subsidiary of BofA Corp.
Banking products are provided by Bank of America, N.A., and affiliated banks, Members FDIC, and wholly owned subsidiaries of BofA Corp.
“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets division of Bank of America Corporation. Lending, derivatives, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc., which is a registered broker-dealer and Member of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. is a registered futures commission merchant with the CFTC and a member of the NFA.
Investment products: