Data is the most valuable corporate asset for any business. No matter what industry you are in, it’s critical to take care of your data, whether it is financial reports and healthcare records, or a start-up business plan.
In this article, we are going back to the most important data security basics, which are getting lost in the entire cybersecurity market buzz. We will be discussing why, in spite of the growing focus on cybersecurity, the data breach rate is constantly going up, and how that affects data security processes. We will also discuss what specific steps you can take to strengthen the security of your sensitive data without using multiple complex security technologies or spending a large chunk of your budget.
Introduction to data security
What is data security? It is an important part of a comprehensive security strategy. It includes methods for identifying and evaluating security threats, and reducing risks related to protection of sensitive information and underlying computing systems.
Data can flow free everywhere, and the goal is to build a data-centric security strategy to control that flow. Thus, security of data involves a wide and complex set of protective measures against various security issues, such as accidental and intentional unauthorized access, changes that can lead to data corruption or loss. Modern data protection requires development of a comprehensive network security, configuration of firewalls, web & browser security, building security policies, risk management and even an introduction of cryptographic principles.
A big part of the problem is that organizations often have a challenge understanding what “data security” really means to them, and what good data security standards are and how to achieve them. Do invoices need a backup? Should users put tags on every file they create to indicate the type of data inside? Should remote access be restricted to the production database?
Without a good understanding of data security basics, there’s a risk to end up trying to protect every file, even that outdated version of the product guide, and restrict access to every folder, whether it contains intellectual property or pictures from the company picnic.
Why is data security important now more than ever?
There are several reasons why data protection and security requires spending time and money. Building security strategies, modern companies are busy dealing with the following challenges:
Cyberattacks. On one side, we see cybercrimes performed using ransomware, malware-as-a-service, advanced persistent threats, state-sponsored attacks, insider threats and so on. Cybercriminals are very successful. Only in the first 9 months of 2019, there were 5,183 breaches reported with 7.9 billion records are known to be exposed, according to the study called Data Breach QuickView.
While cybercrimes evolve, so do the solutions that help protect the information. It’s equally important to implement preventive measures like firewall configurations to restrict access to incoming and outgoing suspicious traffic, as well as implement solutions and procedures for the unfortunate event of security breach taken place. The best practice today is assume that you’ve been breached, and make sure you have proper tools and procedures in place to detect and investigate attacks, as well as redundancy, disaster recovery solutions, and other solutions that can help you recover quickly. Take steps to discover and classify all critical data, protect data with encryption, back it up, and implement as much control over your data storage as possible.
Compliance issues. There is a huge pressure on companies created by a variety of laws and global regulations focused on data protection. Since companies are collecting sensitive personal information, they are made responsible for ensuring security of processing operations and introduction of security controls and measures.
Those organizations dealing with personal data are subject to compliance regulations, depending on the type of information assets and the industry company is in. Regulations’ scope also includes control over security posture of companies’ third parties, like suppliers or service providers.
Such regulations include Personally Identifiable Information (PII), Protected Healthcare Information (PHI, HIPAA), or credit card information. These include standards like General Data Protection Regulation (GDPR) in European Union, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act of 2002 (FISMA), Family Educational Rights and Privacy Act (FERPA), Gramm–Leach–Bliley Act (GLBA). Maintaining compliance with regulations is essential to an organization’s reputation and financial well-being.
Legal regulations are severe. GDPR requirements, for instance, demands the disclosure of a data breach event. Appointment of a data protection officer (DPO) is also required. All that along with limiting companies from collecting personal data without person’s consent. Financial losses, hefty fines, legal issues, reputational damage, data loss and disruption of operations are among the most devastative consequences of a data or security breach for an enterprise, not to forget drop in investor and customer confidence. Apart from imposing fines, protection authorities can issue warnings and reprimands, and — in extreme cases — restrict the organization from processing personal data.
The good news is that more and more organizations are now making data security a priority – to better protect the data they process and store — even if they are often driven by fear of bad press and huge compliance fines. Moreover, regulatory requirements can often become a guidance in building a solid data security program.
Three big data security challenges
All the cybersecurity hype makes organizations think that information security too complicated to handle on their own, but if they purchase all these trendy solutions, they will be able to protect their data from the latest cybersecurity threats. It also leads to the misconception that magic bullets exist that can provide a panacea for all possible threats at once, and that increasingly high budgets are required to obtain those magic pills. However, the three main challenges that can hinder your data security are not related to absence of AI technology in your portfolio.
Challenge #1. Understaffed IT teams. A bigger problem is that most IT security teams are understaffed. For example, in small businesses, IT admins usually have to wear multiple hats — often there is just one IT specialist, who is responsible for everything from handling service outages to resolving user desktop issues to protecting sensitive data. Even in larger organizations, the IT team has so much to do that they simply don’t have time to look into what kinds of sensitive data they store and develop a plan for protecting it.
Challenge #2. Limited budgets. Many organizations are not ready to allocate a large part of their budgets to hire new IT security personnel or educate their current employees on how to achieve data security. Thus, it seems much cheaper and easier to purchase a few tools that cybersecurity vendors claim will protect data from multiple data security threats, which results in the next problem:
Challenge #3. Spending on inefficient tools. Companies often do not know what kinds of sensitive data they have, where it is located and whether it is overexposed. But they buy a bunch of different software to «protect» it. Later they find that the technologies they acquired in a hurry are not delivering on the vendors’ promises or meeting their own expectations. In fact, according to Cybersecurity Ventures forecast, the global spending on cybersecurity products and services in 2018 reached $120 billion. This number will exceed $1 trillion cumulatively before 2021, increasing the overall cybersecurity spending by 88%!
Basic concepts of data security
Information security is based upon the three fundamental concepts: confidentiality, integrity and availability (CIA, or the “CIA triad”).
Confidentiality is based on the principle of the least privilege. It is about preventing unauthorized access to sensitive data to prevent it from reaching the wrong people. To protect confidentiality, organizations should provide adequate security measures, which include access control lists (ACLs), encryption, two-factor authentication and strong passwords, configuration management, monitoring and alerting software.
Integrity is about protecting data from improper deletion or modification. One way to ensure integrity is to use a digital signature to verify the content authenticity or secure transactions, which is widely used by government and healthcare organizations.
Availability is a basic element of data security. Security controls, computer systems and software all have to work properly to ensure that services and information systems are available when needed. For example, if your financial database is offline, your accountants will be unable to send or pay invoices in time, which may lead to disruption of critical business processes.
Data security vs information security
Exploring the topic of data security basics, you might see that security professionals use the terms “data security” and “information security” with different meanings. So what is the difference between data security and information security?
First, let’s talk about definitions of data and information. Separate raw pieces of facts and details are usually called data, raw data tables as an example. To become digestible information, data needs to be put in the context, because alone it does not have any meaning and can’t be used for decision making. Thus, information gets more broad meaning. Types of information include all types of processed data, i.e. business email communications.
Comparison of data protection vs data security also needs a discussion as these two terms are confused with each other.
Data protection deals with active security practices. It needs tools and procedures of securing the data from unauthorized electronic access, modifications, accidental disclosure, disruption and destruction. It involves using physical and logical strategies to protect information from data breaches, cyberattacks, and accidental or intentional data loss.
While data security is dealing with passive administrative measures like those covering legal aspects (privacy policies, terms and conditions). These policies define how organizations handle and manage data, especially its sensitive types, like personally identifiable information, credit card data, health or education records, etc.
Top 5 data security basics
So what are those basic data security concepts we keep talking about?
#1. Assess and mitigate your IT risks
Before turning your attention to the data you store, you need to clean the house. Start by analyzing and measuring the security risks related to how your IT systems process, store and allow access to sensitive and business-critical information. In particular:
- Identify stale user accounts in your directory. You should identify any user accounts in your directory structures that are stale and work with your business counterparts to see whether they can be eliminated. Then figure out why those accounts were still active and fix the underlying processes. For instance, is IT team being notified when employees leave the company or contractors’ projects are completed? If not, the associated accounts can lie dormant, even though they still retain permissions to access systems and data. It’s relatively easy for a hacker to find inactive accounts to target — a quick search on LinkedIn or Twitter, for example, could reveal who’s recently left a company. Taking over a stale account is a great way for an intruder to quietly probe your network without raising any alerts.
- Find users with unnecessary admin privileges. For instance, users with administrative access to their computers can intentionally or unintentionally download and execute a malicious program that could then infect many computers on your network.
- Scan your environment for any potentially harmful files. You should regularly scan for executables, installers and scripts, and remove those files so no one can accidentally open files that could contain ransomware or other malware.
Your objective in doing configuration assessments is to lock things down, eliminate disarray and keep everything at the necessary minimum with no hanging unclear entities or loose configurations.
#2. Conduct an asset inventory
Next, make a list of all the servers that you have and the purpose of each one. In particular, you should:
- Check your operating systems. Check whether any servers are running an operating system that is no longer being supported by the vendor. Since outdated operating systems do not get security fixes, they are an attractive target for hackers, who are quick to exploit any system vulnerabilities.
- Ensure antivirus is installed and updated. Antivirus is the “policeman” at the gate of an IT system. Not every type of cyberattack can be blocked by antivirus software, but it is a critical first line of defense.
- Review other programs and services. You might have programs buried in your hard disk that you don’t need anymore. Unneeded apps do more than just take up space; they are a security risk because they might have enough permissions to manipulate your sensitive data.
Taking the time to do this inventory will enable you to identify weak spots and security gaps that need to be eliminated, as well as other areas of concern that you will have to address. Remember this is not a one-time thing; you have to do it regularly. Nevertheless, you will strengthen the security of your systems and reduce the risk of data leaks significantly.
#3. Know your data
You need to look into every corner of your environment and know exactly where sensitive data is located, both in the cloud and on premises. Note that:
- Data can be spread across systems. Do not forget that data is your most important asset. Organizations often try to protect every piece of data they have. But the truth is, you don’t have to protect all data equally. Rather, you need to concentrate on the truly important data. To do that, you need to locate all the sensitive data you store and classify it so you know why it’s sensitive and how important it is. For example, you need to know which data is subject to each of the compliance mandates you’re subject to, so you can protect it accordingly.
- Data can be structured and unstructured. Sensitive data is not limited to Word documents and spreadsheets. Many organizations store critical customer information in databases, and lots of business processes rely on them. Therefore, you need to have deep insight into the sensitivity of both structured and unstructured data.
- Data is subject to constant changes. Data is dynamic. Files are created, copied, moved and deleted every day. Therefore, data classification has to be an ongoing process.
#4. Find out who can access what
Next, you need to turn your attention to access permissions:
- Determine the level of access of each individual. Make sure it matches the level of access they actually need. You don’t want a sales representative to have access to financial documents. Be sure to check everyone, including admins, users, contractors, and partners and so on.
- Review access rights on a regular basis. Again, this is not a one-time process. You need to review access rights regularly because both internal conditions and the threat landscape will change over time. An account manager who had access to customer billing information should have that access revoked when they change roles and become a technical support engineer.
- Establish and maintain a least-privilege model. It limits the damage a user can do deliberately or accidentally, as well as your attack surface when an attacker gets control of a user account.
#5. See what’s going on
Merely classifying data and knowing who has access to it is not enough to ensure data confidentiality, integrity and availability. You also need to know about all attempts to read, modify or delete sensitive data, whether successful or not, so you can respond quickly.
Here are some examples of signs that someone is trying to steal sensitive information:
- Look for spikes in user activity. For example, if someone is removing a large amount of sensitive data, the cybersecurity team should receive an alert and investigate the activity straight away. It could very well be a ransomware attack in progress or a disgruntled employee who is planning to leave the organization.
- Check activity outside of business hours. You need to stay current on any actions user perform outside normal business hours, when they assume no one is watching them.
- Control anomalous VPN access. It is essential to keep track of each VPN logon attempt. For instance, if you know for sure that users from the finance department never use VPN, it would be highly suspicious if your accountant decided to check invoices from a different network.
Following these data protection best practices will dramatically improve your data security. However, most organization simply do not have time to implement it on their own. Fortunately, they do not have to. There are tools and solutions that can help you automate most of these processes and provide with the exact information you need to ensure the security of your data.