Data is the most valuable asset of any business. Regardless of your industry, you absolutely need to take care of your data, whether it’s financial reports, medical records or a start-up business plan.
In this article, we will return to the fundamentals of data security, forgotten in the frenzy that has seized the cybersecurity market. We will examine why, despite growing attention to cybersecurity, the number of data breaches is constantly increasing and how this affects data security processes. We’ll also discuss specific steps you can take to increase the security of your sensitive data without relying on multiple, complex security technologies or spending too much of your budget.
Introduction to Data Security
What is Data Security? It is an important part of the overall security strategy. It includes methods for identifying and assessing security threats, and mitigating the risks associated with protecting sensitive information and the underlying computer systems.
Data can flow everywhere freely, and the goal is to develop a data-centric security strategy to control this flow. Data security therefore involves a large and complex set of safeguards against various security issues, such as accidental and intentional unauthorized access, and changes that may lead to corruption or loss of data. Modern data protection techniques require developing comprehensive network security, configuring firewalls, securing the web and browsers, implementing security policies, managing risks and even introducing principles of encryption.
A big part of the problem is that organizations often struggle to understand what “data security” really means to them, what good data security standards are, and how to achieve them. Do online invoices need to be saved? Do users have to label each file they create to indicate the type of data it contains? Should remote access to the production database be restricted?
Without a good understanding of the basics of data security, there is a risk of attempting to protect every file (even outdated versions of product guides) and restricting access to every folder, whether it contains intellectual property or photos from the company picnic.
Why is data security more important today than ever?
There are many reasons to spend time and money on data protection and security. When developing security strategies, modern enterprises face the following challenges:
Cyberattacks. Cybercrime uses various techniques: ransomware, malware as a service, advanced persistent threats, state-sponsored attacks, insider threats, etc. Cybercriminals are having great success. In the first 9 months of 2019 alone, 5,183 breaches were reported, and 7.9 billion documents were flagged as exposed, according to the study called Data Breach QuickView.
As cybercrimes evolve, information protection solutions also advance. It is equally important to implement preventive measures such as firewall configurations limiting suspicious inbound and outbound traffic, and to apply solutions and procedures in the event of a security breach. Current best practice is to assume that you have been the victim of a breach and ensure that you have adequate attack detection and investigation tools and procedures in place, as well as redundancies, disaster recovery and other recovery assistance solutions. Take steps to discover and classify all your critical data, protect data with encryption,
Compliance issues. Businesses are under tremendous pressure from a variety of global data protection laws and regulations. As companies collect sensitive personal information, they must ensure the security of processing operations and the application of controls and security measures.
Organizations that process personal data are subject to compliance regulations, depending on the type of information resource and the company’s industry. The scope of these regulations also includes monitoring the security of third parties, such as suppliers or service providers.
These regulations cover personally identifiable information (PII), protected health information (PHI, HIPAA), and payment card information. They include standards such as the European Union’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act of 2002 (FISMA), the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA). Compliance with regulations is essential for the reputation and financial prosperity of organizations.
The legal regulations are strict. GDPR requirements, for example, require reporting of data breaches. The appointment of a Data Protection Officer (DPO) is also required. At the same time, companies cannot collect personal data without the consent of the data subjects. Financial loss, hefty fines, legal issues, reputational damage, loss of data and disruption of operations are some of the most devastating consequences for a business of a data or security breach, not to mention a loss of investor and customer confidence. In addition to imposing fines, protection authorities can issue warnings and reprimands,
The good news is that more and more companies are making it a priority to better protect the data they process and store – even if they are often driven by fears of reputational loss and hefty fines. Additionally, regulatory requirements are often used as a guide in developing a robust data security program.
Three big challenges for data security
The hype around cybersecurity makes companies believe that information security is too complicated for them, but if they buy all these cutting-edge solutions, they will be able to protect their data against the latest cybersecurity threats. It also leads to the misconception that there is a panacea for all possible threats, and that increasing budgets must be devoted to it. However, the top three challenges that can hinder your data security are not related to the lack of artificial intelligence in your portfolio.
Challenge #1. Understaffed IT teams. One of the major problems is that most IT security departments are understaffed. In small businesses, for example, IT administrators typically have to wear multiple hats. Often there is only one IT person responsible for everything from handling downtime to resolving computer issues to protecting sensitive data. Even in large companies, the IT team is so busy that they simply don’t have time to look into the types of sensitive data they store and come up with a plan for protecting it.
Challenge #2. Limited budgets. Many organizations aren’t ready to spend a large chunk of their budget on hiring new staff who specialize in IT security or training their current employees on how to ensure data security. It seems much cheaper and easier to purchase a few tools that cybersecurity vendors claim will protect data against multiple data security threats. This leads to the following problem:
Challenge #3. Spending on inefficient tools. Companies often don’t know what types of sensitive data they have, where it resides, or whether it’s overexposed. But they buy a whole host of different software to “protect” them. They then find that the technologies they have acquired in haste do not deliver on vendor promises or meet their own expectations. Thus, according to Cybersecurity Ventures forecasts, global spending on cybersecurity products and services reached $120 billion in 2018. This figure will cumulatively exceed $1 trillion by 2021, corresponding to an 88% increase in overall cybersecurity spending!
Basic concepts of data security
Information security is based on three fundamental concepts: confidentiality, integrity and availability.
Confidentiality is based on the principle of least privilege. It consists of preventing unauthorized access to sensitive data in order to prevent it from falling into the hands of the wrong people. To protect confidentiality, organizations must take adequate security measures, which include access control lists (ACLs), encryption, two-factor authentication and strong passwords, configuration management software, monitoring and alerting.
Integrity consists of protecting data against abusive deletion or modification. One way to ensure integrity is to use a digital signature to verify the authenticity of secure content or transactions, which is widely done by governments and healthcare organizations.
Availability is an essential component of data security. Security controls, IT systems and software must all function properly to ensure that IT services and systems are available when needed. If, for example, your financial database is offline, your accountants won’t be able to send and pay invoices on time, which can lead to disruption of critical business processes.
Difference Between Data Security and Information Security
As you study the basics of data security, you may notice that security professionals use the terms “data security” and “information security” with different meanings. What is the difference between data security and information security?
Let’s first look at the definition of data and information. The individual raw facts and details are usually referred to as “data”: tables of raw data for example. For this data to become actionable information, it must be put into context, otherwise it is meaningless and cannot be used for decision making. “Information” therefore has a broader meaning. The different types of information include all types of data processed, for example business communications by e-mail.
The difference between “data protection” and “data security” should also be considered, as these two terms are often confused.
Data protection is about active security practices. It requires tools and procedures to protect data against unauthorized electronic access, modification, accidental disclosure, disruption and destruction. This involves using physical and logical strategies to protect information from data breaches, cyberattacks, and accidental or intentional data loss.
Data security, by contrast, concerns passive administrative measures such as those covering legal aspects (privacy policies, general conditions, etc.). These policies define how organizations process and manage data, especially sensitive data, such as personally identifiable information, payment card data, medical or educational information, etc.
Top 5 Data Security Basics
So what are these basic data security concepts we keep talking about?
1. Assess and mitigate your IT risks
Before you get interested in the data you store, clean it up. Start by analyzing and measuring the security risks related to how your IT systems process, store and authorize access to sensitive and strategic information. In particular:
- Identify stale user accounts in your directories. You should identify all stale user accounts in your directory structures and work with your colleagues in other company departments to see if they can be removed. Then find out why those accounts were still active and fix the underlying processes. For example, is the IT team notified when employees leave the company or when contract projects are completed? If this is not the case, the associated accounts can remain inactive while retaining their rights to access systems and data. A hacker can quite easily find inactive accounts to target – a quick search on LinkedIn or Twitter, for example, can reveal who has recently left a company.
- Find users with superfluous administrator privileges. For example, users with administrator rights on their computers can intentionally or unintentionally download and execute malware that can infect many computers on your network.
- Scan your environment for potentially harmful files. Regularly scan for executables, installers, and scripts, and delete these files so that no one can accidentally open files containing ransomware or other malware.
Your goal when evaluating your configurations is to lock things down, bring order, and stick to the minimum necessary without leaving ill-defined entities or loose configurations.
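The first two checks in the list above can be run against any export of your directory. The following is an added example, not part of the original article: the account records, field names, group names and the 90-day idle threshold are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample export; field names are assumptions, not a real directory schema.
ACCOUNTS = [
    {"user": "a.martin", "enabled": True,  "last_logon": "2024-05-30", "groups": ["Sales"]},
    {"user": "b.chen",   "enabled": True,  "last_logon": "2023-11-02", "groups": ["Finance"]},
    {"user": "c.diaz",   "enabled": True,  "last_logon": None,
     "groups": ["Contractors", "Local Admins"]},
    {"user": "d.kaur",   "enabled": False, "last_logon": "2023-01-15", "groups": ["Sales"]},
    {"user": "it.admin", "enabled": True,  "last_logon": "2024-06-01",
     "groups": ["IT", "Local Admins"]},
]
ADMIN_GROUPS = {"Local Admins"}   # hypothetical groups that grant administrator rights
APPROVED_ADMINS = {"it.admin"}    # hypothetical accounts with a documented need for them


def stale_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no logon inside max_idle_days, or never used at all."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, so it cannot be used to sign in
        last = acct["last_logon"]
        if last is None or date.fromisoformat(last) < cutoff:
            stale.append(acct["user"])
    return stale


def excess_admins(accounts, admin_groups, approved):
    """Enabled accounts that hold administrator rights without an approved need."""
    return [a["user"] for a in accounts
            if a["enabled"]
            and admin_groups & set(a["groups"])
            and a["user"] not in approved]


if __name__ == "__main__":
    today = date(2024, 6, 3)
    print("stale accounts:", stale_accounts(ACCOUNTS, today))
    print("excess admins: ", excess_admins(ACCOUNTS, ADMIN_GROUPS, APPROVED_ADMINS))
```

An account that appears in both lists, such as the never-used contractor account here, is the first one to review with the owning department.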
2. Take an Asset Inventory
Next step: Make a list of all your servers and the purpose of each one. In particular, you must:
- Check your operating systems. Check if any servers are running an operating system that is no longer supported by the vendor. With outdated operating systems no longer benefiting from security patches, they are an attractive target for hackers, who are quick to exploit any vulnerabilities in the system.
- Make sure you have an up-to-date antivirus installed. Antivirus is the “guardian” of your computer system. Antivirus cannot block all types of cyberattacks, but it is an essential first line of defense.
- Explore other programs and services. You may have programs that you no longer need buried in your hard drive. Useless apps don’t just take up space; they represent a security risk because they may have sufficient permissions to manipulate your sensitive data.
Take the time to do this inventory: it will allow you to identify weak points and security holes that need to be eliminated, as well as other aspects that you will need to address. You will have to undertake this step regularly; once is not enough. But in doing so, you will strengthen the security of your systems and considerably reduce the risk of data leaks.
3. Know your data
You need to examine every corner of your environment and know exactly where sensitive data resides, both in the cloud and on your premises. Keep in mind:
- Data can be scattered across multiple systems. Remember that your data is your most valuable asset. Organizations often try to protect all the data they have. In fact, not all data needs to be protected equally. You need to focus on the really important data. To do this, locate all the sensitive data you store and classify it so you know why it is sensitive and how important it is. For example, you need to know what data is subject to each of the compliance requirements you are required to meet, so you can protect it accordingly.
- Data can be structured and unstructured. Sensitive data is not limited to Word and Excel documents. Many companies store critical customer information in databases, and many business processes rely on this information. For this reason, you need to thoroughly understand the sensitivity of your structured and unstructured data.
- Data is subject to constant change. Data is dynamic. Every day files are created, copied, moved and deleted. Data classification should therefore be a continuous process.
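To make the classification step concrete, here is an added example that is not part of the original article. It labels content by the kind of sensitive data it contains and by the regulation that applies. The sample documents are constructed, the card number is a well-known test value, and the label-to-regulation mapping is an assumption.

```python
import re

# Constructed sample content standing in for files and database exports.
DOCS = {
    "invoice_2024.txt": "Paid with card 4111 1111 1111 1111, contact jane.doe@example.com",
    "picnic_notes.txt": "Bring sandwiches. Order ref 1234567890123456.",
    "crm_export.csv": "name,email\nJ. Doe,j.doe@example.org",
}
# Assumed mapping from label to the regulation that makes the data sensitive.
REGULATION = {"payment-card": "PCI DSS", "personal-data": "GDPR"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitivity labels found in one piece of content."""
    labels = set()
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            labels.add("payment-card")
    if EMAIL_RE.search(text):
        labels.add("personal-data")
    return labels


def classify_all(docs):
    """Map each document name to {label: regulation} so it can be protected accordingly."""
    return {name: {label: REGULATION[label] for label in classify(text)}
            for name, text in docs.items()}


if __name__ == "__main__":
    for name, labels in classify_all(DOCS).items():
        print(name, labels or "no sensitive data found")
```

Because data changes constantly, a scan like this belongs in a scheduled job rather than a one-off audit.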
4. Know who can access what
Next, you need to look at access permissions:
- Determine the level of access for each user. Make sure it matches the required access level. A sales representative should not have access to accounting documents. Make sure you control everyone, including administrators, users, contractors, partners, etc.
- Review access rights regularly. Again, this is not a one-time process. You should regularly review access rights because internal conditions and the threat environment change over time. An account manager’s access to customer billing information should be revoked if that account manager changes role to a support engineer.
- Establish and maintain an access model based on the principle of least privilege. This limits the damage a user can deliberately or accidentally cause, as well as your attack surface if an attacker takes control of a user account.
5. See what happens
Simply classifying data and knowing who has access to it is not enough to ensure data confidentiality, integrity and availability. You should also be aware of all attempts to read, modify or delete sensitive data, whether successful or unsuccessful, so that you can take prompt action.
Here are some examples of signs that someone is trying to steal sensitive information:
- Look for suspicious spikes in activity. For example, if someone deletes a large amount of sensitive data, the cybersecurity team should receive an alert and immediately investigate this activity. It could very well be a ransomware attack or a disgruntled employee planning to leave the organization.
- Look for activities outside working hours. You should keep yourself informed of all actions users take outside of normal business hours, when they assume no one is watching them.
- Check abnormal VPN access. It is essential that you keep track of every VPN connection attempt. If, for example, you are sure that the users of the financial department never use the VPN, it would be very suspicious if your accountant decides to consult invoices from another network.
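The three signs above translate directly into detection rules. The following is an added example, not part of the original article: the audit events are constructed, and the working hours, the spike threshold and the list of departments that never use the VPN are assumptions you would replace with your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (timestamp, user, department, action); not real logs.
EVENTS = [
    ("2024-06-03 10:15:00", "a.martin", "Sales",   "read"),
    ("2024-06-03 14:00:05", "b.chen",   "Finance", "delete"),
    ("2024-06-03 14:00:40", "b.chen",   "Finance", "delete"),
    ("2024-06-03 14:01:10", "b.chen",   "Finance", "delete"),
    ("2024-06-03 14:30:00", "a.martin", "Sales",   "delete"),
    ("2024-06-03 23:40:00", "c.diaz",   "Sales",   "read"),
    ("2024-06-04 09:05:00", "b.chen",   "Finance", "vpn_login"),
    ("2024-06-04 09:10:00", "a.martin", "Sales",   "vpn_login"),
]
NO_VPN_DEPARTMENTS = {"Finance"}  # assumption: these teams never use the VPN
WORK_HOURS = range(8, 19)         # assumption: 08:00-18:59, Monday to Friday


def detect(events, spike_count=3, spike_window=timedelta(minutes=5)):
    """Return sorted (rule, user, timestamp) alerts for the three signs above."""
    alerts = set()
    recent_deletes = defaultdict(list)  # user -> delete times still inside the window
    for ts_text, user, dept, action in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        # Sign 2: any activity at night or at the weekend
        if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
            alerts.add(("after_hours", user, ts_text))
        # Sign 3: VPN use by a department that normally never connects remotely
        if action == "vpn_login" and dept in NO_VPN_DEPARTMENTS:
            alerts.add(("unexpected_vpn", user, ts_text))
        # Sign 1: a burst of deletions by one user inside a short sliding window
        if action == "delete":
            window = [t for t in recent_deletes[user] if ts - t <= spike_window]
            window.append(ts)
            recent_deletes[user] = window
            if len(window) >= spike_count:
                alerts.add(("delete_spike", user, ts_text))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, user, when in detect(EVENTS):
        print(f"{when}  {rule:<15} {user}")
```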
By following these data protection best practices, you will significantly improve the security of your data. But most organizations simply don’t have the time to do this. Luckily, they can dispense with it! There are tools and solutions that allow you to automate most of these processes and provide the exact information you need to keep your data secure.