Data Security Management: Where to Start

Data security has become even more complicated with today’s hybrid environments. Coordinated security management is essential to a range of critical tasks, including ensuring that each user has exactly the right access to data and applications, and that no sensitive data is overexposed.

This article details the must-have elements of data security management, the risks they address, and what organizations should do to protect their data.

What is data security management?

Data security management involves a variety of techniques, processes and practices for keeping business data safe and inaccessible by unauthorized parties. Data security management systems focus on protecting sensitive data, like personal information or business-critical intellectual property. For example, data security management can involve creating information security policies, identifying security risks, and spotting and assessing security threats to IT systems. Another critical practice is sharing knowledge about data security best practices with employees across the organization — for example, exercising caution when opening email attachments.

Data security threats and how to manage them

There are many different threats to data security, and they are constantly evolving, so no list is authoritative. But here is the most common threats you need to keep an eye on and teach your users about:

  • Malware — Malware is malicious software developed to gain unauthorized access or cause damage. Once malware infects one computer, it can spread quickly through the network. Malware comes in a variety of forms, like viruses, worms, Trojan horses, spyware and crimeware. Often malware spreads using its victim’s access rights, so it’s vital to limit each user’s permissions to only the data and systems they need to do their job.
  • DDoS attack — Distributed denial of service attacks attempt to make your servers unusable. To mitigate the risk, consider investing in an intrusion detection system (IDS) or intrusion prevention system (IPS) that inspects network traffic and logs potentially malicious activity.
  • Phishing scams — This common social engineering technique attempts to trick users into opening malicious attachments in phishing emails. Solutions include establishing a cybersecurity-centric culture and using a tool to automatically block spam and phishing messages so users never see them.
  • Hackers — This is an umbrella term for the actors behind the attacks listed above.
  • Third parties — Partners and contractors who lack sufficient network security can leave interconnected systems open to attacks, or they can directly misuse the permissions they’ve been granted in your IT environment.
  • Malicious insiders — Some employees steal data or damage systems deliberately, for example, to use the information to set up a competing business, sell it on the black market or take revenge on the employer for a real or perceived problem.
  • Mistakes — Users and admins can also make innocent but costly mistakes, such as copying files to their personal devices, accidently attaching a file with sensitive data to an email, or sending confidential information to the wrong recipient.

Data protection best practices

To build a layered defense strategy, it’s critical to understand your cybersecurity risks and how you intend to reduce them. It’s also important to have a way to measure the business impact of your efforts, so you can ensure you are making appropriate security investments.

The following operational and technical best practices can help you mitigate data security risks:

Operational best practices

  • Use compliance requirements as cybersecurity basics. Simply put, compliance regulations are designed to force companies defend against major threats and protect sensitive data. Although meeting compliance requirements is not sufficient for complete data security, it will help you get started on the right path to risk management and data protection.
  • Have a clear cybersecurity policy. Create a policy that clearly explains how sensitive data is to be handled and the consequences for violating your data protection Making sure all employees read and understand the policy will reduce the risk that critical data will be damaged or lost due to human actions.
  • Build and test a backup and recovery plan. Companies must prepare for a range of breach scenarios, from minor data loss to complete data center destruction. Ensure that critical data is encrypted, backed up and stored offline. Set up roles and procedures that will speed recovery, and test every part of the plan on a regular schedule.
  • Have a bring-your-own-device (BYOD) policy. Allowing users to access your network with their personal devices increases the risk of a cybersecurity Therefore, create processes and rules that balance security concerns against convenience and productivity. For instance, you can mandate that users keep their software up to date. Keep in mind that personal devices are harder to track than corporate devices.
  • Provide regular security training. Help your employees identify and avoid ransomware attacks, phishing scams and other threats to your data and IT resources.
  • Make cybersecurity talent retention a priority. Cybersecurity pros are a scarce commodity today, so take steps to keep the talent you have. Invest in automated tools that eliminate mundane daily tasks, so they can focus on implementing strong data security techniques to combat evolving cyber threats.

Technical best practices

  • Classify data based on its value and sensitivity. Get a comprehensive inventory of all the data you have, both on premises and in the cloud, and classify it. Like most data security methods, data classification is best when it’s automated. Instead of relying on busy employees and error-prone manual processes, look for a solution that will accurately and reliably classify sensitive data like credit card numbers or medical records.
  • Conduct regular entitlement reviews. Access to data and systems should be based on the least-privilege principle. Since user roles, business needs and the IT environment are constantly changing, work with data owners to review permissions on a regular schedule.
  • Run vulnerability assessments. Proactively look for security gaps and take steps to reduce your exposure to attacks.
  • Enforce a strong password policy. Require users to change their credentials quarterly and use multifactor authentication. Since administrative credentials are more powerful, require them to be changed at least monthly. In addition, do not use shared admin passwords, since that makes it impossible to hold individuals accountable for their actions.

Data security tools

Basic data security tools

The following data security tools are necessary for data security management:

  • Firewalls — Firewalls prevent undesirable traffic from entering the network. Depending on the organization’s firewall policy, the firewall might completely disallow some traffic or all traffic, or it might perform a verification on some or all of the traffic.
  • Backup and recovery — As noted earlier, you need reliable backup and recovery in case data is altered or deleted accidentally or deliberately.
  • Antivirus software — This provides a critical first line of defense by detecting and blocking trojans, rootkits and viruses that can steal, modify or damage your sensitive data.
  • IT auditing — Auditing all changes in your systems and attempts to access critical data enables you proactively spot issues, promptly investigate incidents and ensure individual accountability.

Advanced security tools

The following types of solutions address more specific problems:

  • Data discovery and classification — Data discovery technology scans data repositories to locate all data. Data classification uses the discovery findings and tags sensitive data with specific labels so you can protect enterprise data in accordance with its value to the organization and reduce the risk of improper data exposure.
  • Data encryption — Encryption makes data useless for malicious actors. Software-based data encryption secures data before it is written to the SSD. In hardware-based encryption, a separate processor is dedicated to encryption and decryption in order to safeguard sensitive data on a portable device, such as a laptop or USB drive.
  • Data loss prevention (DLP) — These data security products and techniques help prevent sensitive or critical information from leaving the corporate network, thereby helping to protect it from being lost, misused or accessed by unauthorized people.
  • Dynamic data masking (DDM) — DDM supports real-time masking of data in order to limit exposure of sensitive content to non-privileged users without changing the original data. Interest in DDM is especially high in big data projects.
  • User and entity behavior analytics (UEBA) — UEBA is a complex technology for baselining normal activity and spotting suspicious deviations before they impact security or business continuity. UEBA can help you detect multiple types of threats, including insider threats, hackers, malware and ransomware.
Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.