The average cost of a data breach has risen to nearly $4 million worldwide and $8.2 million in the U.S. Multiply that number across the thousands of breaches that occur in a given year, and it becomes clear why organizations are reconsidering their data security controls.
The good news is that organizations can improve data security by implementing straightforward policies, adopting proven technology and taking stock of their data stores. Implementing data security controls is a meaningful step toward securing vital sensitive and business-critical data and passing audits.
The Primary Objectives of Data Security
The three basic goals of data security are confidentiality, integrity and availability, which are often collective called CIA or the CIA triad.
- Confidentiality is based on the principle of the least privilege — restricting each user’s access to the minimum required to perform their jobs. Data security controls that promote least privilege include ACLs, encryption, two-factor authentication, strict password protocols, configuration management, and security monitoring and alerting software. Establishing guidelines for appropriate authorization and prevention of unauthorized access is a key confidentiality component.
- Integrity is aimed at protecting data from modification by unauthorized users and improper modification by authorized users. To verify integrity, you can use hashing algorithms and digital signatures.
- Availability involves ensuring that authorized users can access information and information systems in a timely and uninterrupted manner.
Types of Data Security Controls
The primary objective of data security controls is to reduce security risks associated with data, such as the risk of data loss, by enforcing your policies and data security best practices. Controls such as software and hardware access restrictions and protocols for handling data can help you achieve goals like the following:
- Promote consistency in how employees handle data across the enterprise
- Keep data safe, yet accessible
- Help SecOps teams identify and manage security threats and risks in a timely manner
- Ensure compliance with regulations, such as the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act)
Data security controls can be broadly grouped into internal controls and incident-focused controls.
Internal Controls
Internal controls include the following:
- Operational controls are procedures, rules and other mechanisms implemented to protect systems and applications.
- Technical security controls are mechanisms within information systems designed to enforce internal policies or help the organization comply with applicable compliance requirements. Examples of technical controls include ACL lists (which help administrators apply the principle of least privilege) and automatic cleaning or encrypting the cache of a user’s activity whenever they log out of the system.
- Administrative controls include actions, procedures and policies for enforcing data security standards. One example is a policy that details acceptable data handling practices, including sharing with third parties, and the penalties for violations.
- Architectural controls focus how the organization’s on-prem and cloud storages, end points, devices, services, and other information systems are connected. Vulnerability assessments can help you identify weak spots in your network’s architecture.
Striking a realistic balance between security and functionality is critical to designing effective internal controls.
Incident-Focused Controls
These controls are focused on preventing, spotting and responding to security incidents.
- Preventative controls are focused on keeping security incidents from happening. Prevention can be improved by applying the least privilege principle because it limits the risk of accidentally leaving data open to vulnerability. System hardening, anti-sniffing networks, and two-factor authentication provide further preventative controls. They also include internal policies and employee training focused on secure handling of organization’s critical and sensitive data.
- Detective controls are designed to help spot active threats across the IT environment. They include continuous monitoring of network access and usage, intrusion detection technologies, and analysis to uncover unusual behavior, such as anomalous changes and access events.
- Corrective controls are focused on incident response and disaster recovery — for example, repairing the damage when a data breach occurs or an employee accidentally mishandles data. Applying patches, removing viruses, restoring data and rebooting systems are examples of corrective controls.
- Compensating controls help make up for security measures that cannot be implemented at present. For example, if you can’t encrypt all electronic data, you can compensate by using email encryption, audit log monitoring and network access control.
Implementing Data Security Controls
Choosing the right data security controls is essential for effective data protection and risk management. It’s wise to start with the following basic controls before moving to implementing more complex controls:
- Hardware and software inventory — Routine inventories help you spot security holes and other system vulnerabilities. For instance, an inventory can determine whether the operating system and antivirus protection on each server are current, and whether any unnecessary applications are installed on any end points or other systems.
- Hardware and software baselining — Establishing a standard baseline for hardware and software settings can speed the provisioning process in addition to improving data security.
- Change and access auditing — Regular monitoring of activity in your environment. helps SecOps teams detect suspicious behavior in time to respond before it causes real damage. It can also help organizations learn how to improve their security policies. Third-party tools like Netwrix Auditor can dramatically improve and streamline the auditing process.
- Vulnerability management — Vulnerability scanning tools test your network to determine elements that put data at risk, such as open ports. Penetration testing helps you measure the effectiveness of your data security policies, network architecture and other security measures.
- Remote access control — Employees working from home or in the field need access to internal data, but that access must be secure. Strong authentication is a must, and IT teams should evaluate the devices being used to access sensitive data. Complete remote access usage logs are essential for investigations and accountability.
- Data discovery and classification — Organizations can’t adequately secure their network if they don’t know what data they have and where it lives. A data discovery and classification solution can help you map your data and categorize it by type and sensitivity level, so you can better understand and manage risks.
- Malware and virus protection — Malware and virus infections usually start on endpoints. SecOps teams can fight these threats with anti-virus software, antispyware, anti-adware and other malware protection solutions.
- Backup and recovery — Organizations need to be able to restore data and operations promptly, whether a user has accidentally deleted a file and now needs it urgently, a server has failed, or a natural disaster or targeted attack has brought down the entire network. Your disaster recovery plan should lay out a clear set of steps for retrieving lost data and managing incident response.
Conclusion
Establishing strong data security controls is essential to information security and regulatory compliance. But the benefits extend far beyond that — by better understanding and securing your data, you can drive your business forward.