More than ever, digital data security is on the agenda in many organizations. The focus on protection of sensitive or critical data, such as intellectual property and personal data, is a result of growing cyber risks and increasingly stringent data security regulations.
Today, protecting sensitive information requires far more than implementing basic security technologies such as an antivirus solution and a firewall. Fortunately, the 2018 Netwrix IT Risks Report reveals that companies are ready to allocate more budget to cybersecurity: Security investments have grown by 128% in the past 3 years and are expected to grow by another 146% in the next 5 years.
What is data security?
The definition of data security is broad. Data protection is an important part of a comprehensive security strategy that includes identifying, evaluating and reducing risks related to sensitive information security. Security of data involves a wide and complex set of protective measures against both accidental and intentional unauthorized access, use and modification that can lead to data corruption or loss.
Why is data security important?
The need to prioritize information security comes from the risks that businesses are facing. Financial losses, legal issues, reputational damage and disruption of operations are among the most devastative consequences of a data breach for an enterprise. According to the 2018 Cost of Data Breach Study conducted by the Ponemon Institute, the average cost of a data breach in the U.S. is $7.91 million and the average number of breached records is 31,465 — which works out to roughly $251 per record.
Compliance requirements also drive data security. Data privacy is among the top trends in both the U.S. and the EU — the General Data Protection Regulation (GDPR) in Europe and the CCPA in California mandate a common privacy-conscious approach to doing business and regulate how companies use personally identifiable information (PII). Maintaining compliance with regulations is essential to an organization’s reputation and financial well-being. For example, GDPR fines can reach from 20 million euros or 4% of a company’s global annual turnover for the preceding financial year. Apart from imposing fines, authorities can issue warnings and reprimands, and — in extreme cases — ban the organization from processing personal data.
What are the top data security risk factors?
We can break data security risks into two main categories:
- Risks related to lack of visibility — The foundation of data security is a strong understanding of the data stored. Companies often have terabytes of data, and the risks of data breach rise when companies don’t know where critical and regulated data is being held across their infrastructures — on desktops, servers and mobile devices or in the cloud. The Netwrix report found that 44% of companies don’t know or are unsure of how their employees are dealing with sensitive data due to lack of visibility into their infrastructure. That is a huge risk because it makes detection of privilege abuse or unauthorized users accessing sensitive data almost impossible until it causes real damage.
- Risks related to human actions — While data can be lost or damaged due to natural disasters, the greatest threat is human beings, who can make critical mistakes or deliberately cause problems for many different For years, companies have generally trusted their internal users and focused on defending against those accessing the network from the outside, and that mindset continues to prevail. As the Netwrix research shows, most companies continue considering hacker attacks to be the most dangerous threat, while the evidence shows that it’s actually insiders who cause the overwhelming majority of security incidents.
The key threat actors are:
- Hackers, who can install malware when users mishandle phishing emails.
- Third parties, whose lack of sufficient network security can leave interconnected systems open to attacks, or who can take advantage of excessive permissions and overexposed data.
- Insiders with a malicious intent, who might steal data with a goal of setting up a competing business, selling the information on the black market, taking revenge on the employer and so on.
- Employees without a malicious intent, who might copy files to their personal devices in order to use them for a project without even realizing they are doing something illegal and dangerous. They also might accidently attach a file with sensitive data to an email or send it to the wrong recipient.
Which data security technologies can help mitigate risk?
The following security solutions can be handy in minimizing data security risks:
Data discovery and classification — Data discovery technology scans data repositories and reports on the findings so you can avoid storing sensitive data in unsecured location. It is helpful in reducing the risk of improper data exposure. Data classification is the process of labelling sensitive data with tags so you can protect enterprise data in accordance with its value to the organization.
Data encryption — Encoding critical information to make it unreadable and useless for malicious actors is an important computer security technique. Software-based data encryption is performed by a software solution to secure the digital data before it is written to the SSD. In hardware-based encryption, a separate processor is dedicated to encryption and decryption in order to safeguard sensitive data on a portable device, such as a laptop or USB drive.
Dynamic data masking (DDM) — This technology supports real-time masking of data in order to limit sensitive data exposure to non-privileged users while not changing the original data. Interest in DDM is especially high in big data projects.
User and entity behavior analytics (UEBA) — UEBA is a complex technology for spotting deviations from normal activity and suspicious or critical changes before they impact security or business continuity. Data security software of this type help detect multiple types of insider threats, bad actors and hackers, as well as advanced threats that include malware and ransomware.
How can you strengthen your data security?
The following recommendations will help you strengthen your data security:
- Clearly document security policies. Explaining how sensitive data should be handled is the first step in building a strong data security strategy. These policies should be easy to understand, tailored to your organization’s workflows, and regularly reviewed and updated. They need to be communicated clearly to users, and the rules of expected behavior should be explained to avoid misunderstanding. They should also specify mechanisms for security and require control over their implementation and use.
- Build a risk management Identifying, assessing and mitigating security risks is another key part of a healthy security program, and it is also required by many compliance regulations. Instead of building a framework from scratch, you can refer to one of the commonly used frameworks, such as the NIST risk assessment framework, as documented in special publication SP 800-30.
Enforce protection measures, including administrative, physical and technical controls, according to the policies you’ve developed.
- Apply identification and authentication controls first. For instance, two-factor authentication will help minimize your risk from identity theft.
- Second, configure access controls to ensure that users can access only the systems and files they need. User access rights should be granted in strict accordance with the principle of least privilege. Also, all parts of your network, including computers, software applications and devices, need to be configured in compliance with the security policy. Physical security controls are also important, but they are often overlooked. While things like cameras, locked and dead-bolted steel doors and alarm systems are set for physical system security, they also serve to secure company data assets.
- Then enable change management and auditing controls, such as logging all database and file server activities. You need to be able to identify and assess what, where, when and how users are accessing data, including administrators and highly privileged users.
- Continuously monitor your controls to ensure they satisfy your security requirements as business technologies, threats and vulnerabilities change over time.
- Emphasize security awareness. Educating employees about security rules and best practices, and refreshing their knowledge, is essential to building a strong security culture.
Data security encompasses a wide range of challenges. Minimizing the risk of data breaches requires both human factors like employee training and technologies that help you secure your sensitive data, no matter where it resides.