Data security is the process of protecting sensitive data from unauthorized access and corruption throughout its lifecycle. Data security employs a range of techniques and technologies including data encryption, tokenization, two-factor authentication, key management, access control, physical security, logical controls and organizational standards to limit unauthorized access and maintain data privacy.
How Should My Organization Think About Data Security?
The criteria you should think through before implementing or updating a data security policy or procedure includes:
- The size of your organization
- Where the data is stored
- The industry you operate in
- What devices the data can be accessed or stored on (e.g. desktops, tablets, mobile devices or IoT)
- The business value of the data being stored or transmitted
- How much time and effort it will take to secure the data
- Possible security risks associated with data exposure
- Your organization's current level of data security expertise
- Whether third-party vendors have access to the data
By definition, data security is defense in depth, your organization needs to employ a series of security solutions that protect you and your customers' sensitive data. No one solution can prevent all data breaches and data leaks.
Why is Data Security Important?
The primary aim of data security is to protect the sensitive information an organization collects, stores creates, receives, and transmits. There are several reasons to spend time, money and effort on data protection. The primary reasons are to:
- Minimize financial loss through fines or customer churn
- Protect customer trust
- Meet compliance and regulatory requirements
- Maintain business productivity
- Meet customer expectations
Just as you wouldn't leave your office door unlocked, don't leave data exposed.
Businesses are increasingly invested in digital transformation and are increasingly reliant on the data they receive and create, e.g. how Google uses big data and machine learning to improve the user experience of their search engine or how e-commerce use Facebook lookalike audiences to drive traffic to their site.
The data your organization uses and creates is often protected by government regulations which dictate how the data should be stored and what is an acceptable level of disclosure.
Non-compliance can leave executives criminally liable and with the cost of a data breach is now estimated at $3.92 million, it's safe to say it pays to prevent data breaches.
Customers expect their data to be secured and data breaches can cause irreversible reputational damage.
So whether you work at a multinational financial services organization dealing with personally identifiable information (PII) and financial data or a local hospital processing protected health information (PHI), data protection is a part of regulatory compliance and overall information risk management.
What are Best Practices for Data Security?
As data security relies on defense in-depth, there are many parts to a best-in-class data security program. But what is sufficient in one industry may be criminally negligent in another.
To achieve the minimal level of expected data security in an industry, the following best practices should be adopted.
1. Data Governance
Data governance is data management 101. Information is grouped into different buckets based on its sensitivity and legal requirements. To limit the risk of data exposure from leaked credentials, users should only have access to the least amount of data they need to do their job.
2. Secure Privileged Access Management
Secure Privileged Access Management (PAM) is integral to a data security strategy. PAM empowers organizations to control the permissions of all users so that sensitive data and intellectual property documentation is only accessible by those that absolutely require it.
With a secure PAM strategy, cybercriminals will have difficulty accessing all sensitive types of data, if they manage to breach an IT boundary. This is especially an important security control for highly regulated industries like healthcare.
Encryption can protect against man-in-the-middle attacks and make it harder for potential attackers to gain unauthorized access to information that is stored or in transit. Never store sensitive data in plain text and avoid providing login credentials to websites that lack SSL certificates.
Teach staff how to recognize common cyber threats to transform them into human firewalls
Some of the most popular cyber threat staff should be aware of includes:
- Phishing attacks
- Email spoofing
- Domain hijacking
- Ransomware attacks
- Different forms of malware attacks
- Social engineering attacks
Besides cyberattacks, staff should also be trained in best cybersecurity practices such as avoiding public Wi-Fi networks as well as the basics of OPSEC and network security.
The complexity of cyberattacks is rapidly rising, so it's no longer acceptable to solely rely on antivirus programs to prevent malicious code injection. Cybersecurity train needs to become a standard inclusion in staff onboarding programs.
5. Data Security Testing
Test your organization's data security by sending fake spearphishing campaigns and dropping USB traps around the office. Understand that is is easier to prevent data breaches than rely on digital forensics and IP attribution to understand what happened once a data breach has occured. Once exposed, data can can easily end up for sale on the dark web, many of the biggest data breaches end up there.
6. Incident Response Plan
When your security is compromised, the last thing your organization and your customers need is panic. An incident response plan can limit the amount of data exposed and outline clear next steps to recover lost data or close the attack vector.
7. Regular Data Backups
Ransomware attacks targeting data centers on-premises or accidental deletion devastated business continuity, but this can be avoided with regular backups and a Data Loss Prevention (DLP) program.
8. Secure Deletion
Avoid hoarding data that is no longer in use, including physical data like folders or paper documents. That said, make sure to comply with any industry guidelines or regulations that dictate how long you must store data for.
9. Third-Party and Fourth-Party Vendor Monitoring
Data breaches are often caused by poor security practices at third-party vendors, you need to monitor and rate your vendors' security performance.
To ensure attack surface disturbances are rapidly addressed, an ideal solution should include an automation component to security posture lapses in real-time.
According to the latest data breach report by IBM and the Ponemon Institute, automation controls could reduce data breach costs by up to 80%.
10. Accidental Data Exposures and Leaked Credentials Monitoring
Data isn't always exposed on purpose, this is why it pays to continuously monitor your business for accidental data exposures and leaked credentials.
Examples of Data Security Technology and Solutions
Data security technology comes in many forms, each designed to protect against different cyber threats. Many threats come from external sources and insider threats, but organizations often overlook the need to mitigate third-party risk and fourth-party risk.
The following list of data security solutions will support data security best practices.
Authentication and authorization is one of the ways to improve data security and protect against data breaches. Authentication ensures that data access is limited to authorized users. Authentication can use a combination of ways to identify an authorized user including passwords, PINs, security tokens, swipe cards and biometrics.
The most secure authentication strategy is multi-factor authentication (MFA). MFA only grants users access to a web application if they correctly submit multiple pieces of evidence in an authentication mechanism. Two-factor authentication (2FA) is a subset of MFA that requires exactly two authentication factors. Learn more about the difference between 2FA and MFA.
Though is a very simple (and sometimes irritating) security control, it can prevent up to 99% of account attacks.
This is especially an important security control for protecting endpoints in a remote working model since hackers are usually targeting remote workings and their portable devices.
Even with MFA, organizations must ensure they have additional security measures in place as cybercriminals can find ways to bypass additional authentication requirements. Learn how hackers can bypass MFA.
Access control systems can limit access to different data classifications based on identity, groups, or roles.
A security method where information is encoded and can only be accessed or decrypted by a user with the correct encryption key.
A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
A software-based method of overwriting data that aims to destroy all data residing on a hard drive or other digital media using zeros and ones to overwrite data onto all sectors of the device.
Creating backups of data so organizations can recover from ransomware attacks or data that is erased, corrupted or stolen during a security breach. The global impact of WannaCry showed how poor global cyber resilience is.
Tokenization substitutes sensitive data with random characters that are not algorithmically reversible. The relationship between the data and its token is stored in a protected database lookup table, rather than being generated and decrypted by an algorithm (e.g. encryption).
Phishing emails and email spoofing can result in stolen credit card numbers, social media credentials, and other security threats such as malware.
Vulnerability Assessment and Automated Patching
New vulnerabilities are posted on CVE daily and can be exploited by cybercriminals to gain unauthorized access to sensitive data. Read our full post on vulnerability assessment.
Real-Time Monitoring of Third and Fourth-Party Vendors
Data security doesn't stop with your organization, you need to control third-party risk and understand your vendors' security postures.
Key management is the management of cryptographic keys including the generation, exchange, storage, use crypto-shredding and replacement, as well as protocol design, key servers, user procedures and other relevant protocols.
Real-Time Risk Assessments
Cybersecurity risk assessments are focused on understanding, managing, controlling and mitigating cyber risk. They are a crucial part of any organization's third-party risk management framework and data protection efforts. However, the traditional methods are time-consuming which is why many organizations fail to implement vendor questionnaires and third-party monitoring properly. This is why you should look at tools that can automate vendor risk management to help you scale your security team.
Does My Organization Have Data Security Regulatory Requirements or Standards?
This will depend on where your organization is located, what industry you operate in and what geographies you serve. That said, if you collect any form of personal data, there is a good chance you are classified as a data processor, and as a result, have compliance requirements.
This comes with a number of regulatory requirements that govern how your organization can process, store and transmit personally identifiable information (PII), regardless of volume or type. For example, if you store data relating to European Union citizens, you need to comply with the EU's General Data Protection Regulation (GDPR). Failure to comply with can result in fines up to €20 million or 4% of their annual revenue, customer churn and reputational damage.
Other regulatory and compliance standards include:
- APRA CPS 234: Information Security Prudential Standard: CPS 234 requires APRA-regulated entities to take necessary measures to defend from cyberattacks and various other information security incidents that concern the confidentiality, integrity and availability of information assets and data.
- China's Personal Information Security Specification: Guidelines for consent and how personal data should be collected, used and shared.
- Payment Card Industry Data Security Standards (PCI DSS): A set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment.
- Health Insurance Portability and Accountability Act (HIPAA): Legislation passed to regulate health insurance and "to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, and the value of audit trails in computerized record system."
- Health Information Technology for Economic and Clinical Health Act (HITECH): Requires entities covered by HIPAA to report data breaches which affect 500 or more people to the United States Department of Health and Human Services, to media and to those affected by the data breach.
- Sarbanes-Oxley (SOX): A United States federal law requiring publicly listed companies to submit an annual assessment of the effectiveness of their internal auditing controls. Read our full guide on SOX compliance here.
How Does the CIA Triad Relate to Data Security?
Confidentiality, integrity and availability (CIA triad) are at the core of data security:
- Confidentiality: Confidentiality is about not making information available or disclosed to unauthorized individuals, entities or processes. While similar to privacy the words should not be used interchangeably.
- Integrity: Integrity or data integrity is concerned with the maintenance, assurance, accuracy and completeness of data over its entire lifecycle.
- Availability: For any information system to be useful, it must be available when needed. This means computer systems that store and process critical data, the security controls that protect it, and the communication channels that access it must function on demand.
Is Vendor Risk Management Important for Data Security?
Vendor risk management (VRM) is an often overlooked part of data security. It is no longer enough to solely focus on your internal cybersecurity. If your third-party vendors don't have the same security solutions and security standards in place, your sensitive data is at risk.
Outsourcing can introduce strategic advantages (lower costs, better expertise and more organizational focus), but it also increases the number of attack vectors that make cyber attacks and corporate espionage possible.
Third-party vendors with poor information security introduce significant cybersecurity risk in the form of third-party risk and fourth-party risk.
This is where VRM can help. VRM programs are concerned with management and monitoring of third and fourth-party risk, as well as ensuring that customer data and enterprise data is not exposed in third or fourth-party data breaches and data leaks.
Increased regulatory scrutiny means that vendor risk management teams are spread thin and need to look at automating as much as possible including vendor questionnaires. Read our Buyer's Guide to Third-Party Risk Management white paper for more information.
Don't make the mistake of only negotiating service-level agreements with potential vendors, monitor your vendors in real-time and request remediation of potential attack vectors.
Your organization's information security policy must focus on both first, third and fourth-party security postures, spend the time developing a robust third-party risk management framework before you are breached. And ask for your vendor's SOC 2 report.
Even if you are not legally liable for a third-party data breach, your customers expect you to protect their data and won't care who caused the breach.