Data security is the process of protecting sensitive data from unauthorized access and corruption throughout its lifecycle. Data security employs a range of techniques and technologies including data encryption, tokenization, two-factor authentication, key management, access control, physical security, logical controls and organizational standards to limit unauthorized access and maintain data privacy.
How should my organization think about data security?
The criteria you should think through before implementing or updating a data security policy or procedure include:
- The size of your organization
- Where the data is stored
- The industry you operate in
- What devices the data can be accessed or stored on (e.g. desktops, tablets, mobile devices or IoT)
- The business value of the data being stored or transmitted
- How much time and effort it will take to secure the data
- Possible security risks associated with data exposure
- Your organization's current level of data security expertise
- Whether third-party vendors have access to the data
By definition, data security is defense in depth: your organization needs to employ a series of security solutions that protect your own and your customers' sensitive data. No one solution can prevent all data breaches and data leaks.
Why is data security important?
The primary aim of data security is to protect the sensitive information an organization collects, stores, creates, receives and transmits. There are several reasons to spend time, money and effort on data protection. The primary reasons are to:
- Minimize financial loss through fines or customer churn
- Protect customer trust
- Meet compliance and regulatory requirements
- Maintain business productivity
- Meet customer expectations
Just as you wouldn't leave your office door unlocked, don't leave data exposed.
Businesses are increasingly invested in digital transformation and are increasingly reliant on the data they receive and create, e.g. how Google uses big data and machine learning to improve the user experience of its search engine, or how ecommerce businesses use Facebook lookalike audiences to drive traffic to their sites.
The data your organization uses and creates is often protected by government regulations which dictate how the data should be stored and what is an acceptable level of disclosure.
Customers expect their data to be secured and data breaches can cause irreversible reputational damage.
So whether you work at a multinational financial services organization dealing with personally identifiable information (PII) and financial data or a local hospital processing protected health information (PHI), data protection is a part of regulatory compliance and overall information risk management.
What are best practices for data security?
As data security relies on defense in depth, there are many parts to a best-in-class data security program and what is sufficient in one industry may be criminally negligent in another. That said, organizations should have:
- Data governance: Data governance is data management 101. Information is grouped into different buckets based on its sensitivity and legal requirements. To limit the risk of data exposure from leaked credentials, users should only have access to the least amount of data they need to do their job.
- Encryption: Encryption can protect against man-in-the-middle attacks and make it harder for potential attackers to gain unauthorized access to information that is stored or in transit. Never store sensitive data in plain text and avoid providing login credentials to websites that lack SSL certificates.
- Education: Educate staff about phishing attacks, email spoofing, domain hijacking, ransomware and other types of malware, OPSEC, as well as basic network security like avoiding public Wi-Fi networks. More sophisticated social engineering attacks mean it's no longer enough to install an antivirus program.
- Testing: Test your organization's data security by sending fake spearphishing campaigns and dropping USB traps around the office. Understand that it is easier to prevent data breaches than to rely on digital forensics and IP attribution to understand what happened once a data breach has occurred. Once exposed, data can easily end up for sale on the dark web; many of the biggest data breaches have ended up there.
- Incident response plan: When your security is compromised, the last thing your organization and your customers need is panic. An incident response plan can limit the amount of data exposed and outline clear next steps to recover lost data or close the attack vector.
- Backups: Ransomware attacks and accidental deletion of data have crippled organizations, but they shouldn't. By regularly backing up important data your organization can minimize the impact of ransomware and data loss.
- Secure deletion: Avoid hoarding data that is no longer in use, including physical data like folders or paper documents. That said, make sure to comply with any industry guidelines or regulations that dictate how long you must store data for.
- Third-party and fourth-party vendor monitoring: Data breaches are often caused by poor security practices at third-party vendors, so you need to monitor and rate your vendors' security performance.
- Accidental data exposures and leaked credentials monitoring: Data isn't always exposed on purpose, which is why it pays to continuously monitor your business for accidental data exposures and leaked credentials.
What are examples of data security technology?
Data security technology comes in many forms, each designed to protect against different cyber threats. Many threats come from external sources and from insiders, but organizations often overlook the need to mitigate third-party risk and fourth-party risk.
Data security solutions include:
- Authentication: Authentication and authorization are among the main ways to improve data security and protect against data breaches. Authentication ensures that data access is limited to authorized users. Authentication can use a combination of ways to identify an authorized user, including passwords, PINs, security tokens, swipe cards and biometrics.
- Access control: Access control systems can limit access to different data classifications based on identity, groups or role.
- Data encryption: A security method where information is encoded and can only be accessed or decrypted by a user with the correct encryption key.
- Data masking: A method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as software testing and user training.
- Data erasure: A software-based method of overwriting data that aims to destroy all data residing on a hard drive or other digital media by writing patterns of zeros and ones to every sector of the device.
- Data resilience: Creating backups of data so organizations can recover from ransomware attacks or data that is erased, corrupted or stolen during a security breach. The global impact of WannaCry showed how poor global cyber resilience is.
- Tokenization: Tokenization substitutes sensitive data with random characters that are not algorithmically reversible. The relationship between the data and its token is stored in a protected database lookup table, rather than being generated and decrypted by an algorithm (e.g. encryption).
- Email security: Phishing emails and email spoofing can result in stolen credit card numbers, social media credentials and other security threats such as malware.
- Vulnerability assessment and automated patching: New vulnerabilities are posted on CVE daily and can be exploited by cybercriminals to gain unauthorized access to sensitive data. Read our full post on vulnerability assessment.
- Real-time monitoring of third and fourth-party vendors: Data security doesn't stop with your organization; you need to control third-party risk and understand your vendors' security postures.
- Key management: Key management is the management of cryptographic keys, including their generation, exchange, storage, use, crypto-shredding and replacement, as well as protocol design, key servers, user procedures and other relevant protocols.
- Real-time risk assessments: Cybersecurity risk assessments are focused on understanding, managing, controlling and mitigating cyber risk. They are a crucial part of any organization's third-party risk management framework and data protection efforts. However, the traditional methods are time consuming which is why many organizations fail to implement vendor questionnaires and third-party monitoring properly. This is why you should look at tools that can automate vendor risk management to help you scale your security team.
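To make the tokenization entry above concrete, here is an added example (not UpGuard's code or any product's API) of a minimal token vault: the value is replaced by a random token, the only link between the two is a protected lookup table, and resolving a token requires an authorized caller. The "payments" role name and the sample card number are assumptions constructed for the example.

```python
import secrets
from typing import Dict, Optional, Set

# Constructed sample value for the demo; not a real card number.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Tokenization as the page describes it: sensitive values are swapped
    for random tokens and the token-to-value relationship lives only in this
    protected table. There is no key or algorithm that turns a token back
    into the value, so a stolen token by itself reveals nothing."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # secrets.token_hex is unpredictable, and a fresh token per call means
        # two records holding the same value cannot be correlated by token.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, caller_roles: Set[str]) -> Optional[str]:
        # Least privilege: only callers holding the (assumed) "payments" role
        # may resolve a token; everyone else gets None, not an exception that
        # leaks whether the token exists.
        if "payments" not in caller_roles:
            return None
        return self._token_to_value.get(token)

    def purge(self, token: str) -> None:
        # Secure deletion: dropping the table entry makes every copy of the
        # token stored elsewhere (logs, backups, analytics) permanently inert.
        self._token_to_value.pop(token, None)


def mask(value: str, keep_last: int = 4) -> str:
    """Data masking for display or test data: structurally similar, but the
    sensitive digits are gone."""
    return "*" * (len(value) - keep_last) + value[-keep_last:]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("stored token:", tok, "display:", mask(SAMPLE_PAN))
    print("payments sees:", vault.detokenize(tok, {"payments"}))
    print("marketing sees:", vault.detokenize(tok, {"marketing"}))
```

Contrast this with encryption, where anyone holding the key and ciphertext can recover the value; here the lookup table is the single asset to protect, and purging an entry is the tokenization analogue of crypto-shredding.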
Does my organization have data security regulatory requirements or standards?
This will depend on where your organization is located, what industry you operate in and what geographies you serve. That said, if you collect any form of personal data, there is a good chance you are classified as a data processor.
This comes with a number of regulatory requirements that govern how your organization can process, store and transmit personally identifiable information (PII), regardless of volume or type. For example, if you store data relating to European Union citizens, you need to comply with the EU's General Data Protection Regulation (GDPR). Failure to comply can result in fines of up to €20 million or 4% of annual revenue, as well as customer churn and reputational damage.
Other regulatory and compliance standards include:
- APRA CPS 234: Information Security Prudential Standard: CPS 234 requires APRA-regulated entities to take necessary measures to defend against cyberattacks and various other information security incidents that concern the confidentiality, integrity and availability of information assets and data.
- China's Personal Information Security Specification: Guidelines for consent and how personal data should be collected, used and shared.
- Payment Card Industry Data Security Standards (PCI DSS): A set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment.
- Health Insurance Portability and Accountability Act (HIPAA): Legislation passed to regulate health insurance and "to adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, and the value of audit trails in computerized record system."
- Health Information Technology for Economic and Clinical Health Act (HITECH): Requires entities covered by HIPAA to report data breaches which affect 500 or more people to the United States Department of Health and Human Services, to media and to those affected by the data breach.
- Sarbanes-Oxley (SOX): A United States federal law requiring publicly listed companies to submit an annual assessment of the effectiveness of their internal auditing controls. Read our full guide on SOX compliance here.
How does the CIA triad relate to data security?
Confidentiality, integrity and availability (CIA triad) are at the core of data security:
- Confidentiality: Confidentiality is about not making information available or disclosed to unauthorized individuals, entities or processes. While similar to privacy, the two words should not be used interchangeably.
- Integrity: Integrity or data integrity is concerned with the maintenance, assurance, accuracy and completeness of data over its entire lifecycle.
- Availability: For any information system to be useful, it must be available when needed. This means computer systems that store and process critical data, the security controls that protect it, and the communication channels that access it must function on demand.
Is vendor risk management important for data security?
Vendor risk management (VRM) is an often overlooked part of data security. It is no longer enough to solely focus on your internal cybersecurity. If your third-party vendors don't have the same security solutions and security standards in place, your sensitive data is at risk.
Outsourcing can introduce strategic advantages (lower costs, better expertise and more organizational focus), but it also increases the number of attack vectors that make cyber attacks and corporate espionage possible.
This is where VRM can help. VRM programs are concerned with management and monitoring of third and fourth-party risk, as well as ensuring that customer data and enterprise data is not exposed in third or fourth-party data breaches and data leaks.
Increased regulatory scrutiny means that vendor risk management teams are spread thin and need to look at automating as much as possible including vendor questionnaires. Read our Buyer's Guide to Third-Party Risk Management white paper for more information.
Don't make the mistake of only negotiating service-level agreements with potential vendors; monitor your vendors in real time and request remediation of potential attack vectors.
Your organization's information security policy must cover first-, third- and fourth-party security postures, so spend the time developing a robust third-party risk management framework before you are breached. And ask for your vendors' SOC 2 reports.
Even if you are not legally liable for a third-party data breach, your customers expect you to protect their data and won't care who caused the breach.
How UpGuard can improve your data security
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.