The global pandemic has pushed more people to move to the internet (digital transformation) to work, communicate, have fun, watch movies and TV, socialize, shop, exchange information and more. The digital movement of millions of people has facilitated industries to transform how they market or deliver services. Unfortunately, the campaign has also opened the doors to hackers and increased the instances of data being compromised. Ponemon Institute estimates that the average cost of a data breach is a record-high $4.96 million per incident in terms of impact and resolution.
Data security now ranks as the most important aspect of data management. Digital transformation encouraged capturing everything that an individual or application does while connected to the Internet in tremendous detail. People working from home, using various devices that fall outside of corporate oversight or monitoring tools, further complicates sound data security management. More startling is how easy a personal device can affect an entire organization with a computer virus or open the door to a hacker. Government regulations for data control, such as the European General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), provide guidance and fines to force organizations to improve data security management. Still, there is little regulation of personal security management.
What is data security management?
There are many definitions of data security management, and data security solutions abound. Every organization must clearly define and communicate the data security program and data security services it offers, as these will differ slightly from place to place. In general, data security management is:
- The practice of ensuring that data, no matter its form, is protected while in your possession and use from unauthorized access or corruption.
- The blending of both digital (cyber) and physical processes to protect data.
- The monitoring of data acquisition, use, storage, retrieval, and deletion such that data is not corrupted at any point in its lineage.
- The implementation of technology defenses that prevent data loss prevention from internal malicious actions or hacking.
- Encouraging applications and services developers to test against data security standards to improve data leak prevention.
- The policies that train and govern individuals on the importance of data security and how best to protect themselves and the business.
- The security of data exchanged with external applications or services.
- Taking advantage of the use of encrypted cloud storage or encrypted cloud networks to secure data transfers and sharing.
- The management of data center security, even if you benefit from cloud services, to ensure that your most precious non-people resource is safe.
Data security management practices are not just about sensitive or business-critical information. Data security management practices protect you and your organization from unintentional mistakes or hackers corrupting or stealing your precious resources.
Data security challenges
The most significant impact of a data security breach is losing business from current and potential customers.
The Ponemon Institute report points to poor passwords or credential management and misconfigured cloud data storage that allows public access as the top two causes of data security breaches. As organizations gather and store more information from digital networks, big data security challenges and cloud data security challenges increase. To avoid big data security threats and concerns, everyone in your business must be aware of big data security and privacy problems; such as:
- Security practices are deemed to conflict with agile development methods.
- Inadequate knowledge of how data flows into and through an organization.
- Organizations do not know why data has been gathered or created or how to maintain the data to be compliant.
- Misuse of email or other forms of social media or digital communication to exchange information (Dropbox or Zoom data sharing, for example).
- Lack of understanding of who has access to what and why and keeping that knowledge current as roles change or people leave.
- Allowing data to become forgotten (old or stale), representing an opportunity for a data breach or fines.
- Immature security and network protection (lack of proper encryption, firewalls, and vulnerability scans).
- Postponing updates to applications that include security patches.
- Lack of ability to monitor how staff working from home interact or share data.
- Allowing for the creation of unmanaged applications instead of improving applications to ensure ease of data use and exchange for employee tasks.
- Home networks or mobile device sharing or accessing corporate networks from public hotspots without the use of a secure VPN.
Data security best practices
The challenges are daunting, but below are recommended data security best practices that organizations can adopt and adapt to prevent data breaches, data loss, data leakage or avoid cybersecurity threats:
- A complete audit of data to map the lifecycle and lineage of data in your organization from acquisition to deletion. Once audited, unsuitable data must be cleansed or deleted to avoid security or compliance incidents.
- Data classification best practices are to maintain a catalog of data using master data management and metadata. Metadata, which acts like the cards in a library, helps applications or services know which data to use and how to secure it properly during or after usage. This underpins database security best practices.
- Restricting access to data according to its use and sensitivity.
- Accessing data only via approved APIs or applications.
- A zero-trust mentality should be used to assess all profiles that grant authorization to data by asking the question, does this role or service still require access and if so, why?
- All data maintained in physical devices residing in your data center or a cloud must have the same stringent security practices that apply to software and cloud services, including monitoring, alerting and reporting any access attempt, regardless of the reason.
- Data encryption best practices, while not foolproof, are one of the safest methods of ensuring data security, especially when combined with encrypting the data transfer.
- Cyber security threats are constantly occurring, and the methods of acquiring your data are evolving to overcome your security defenses. Performing continuous vulnerability scans and testing will help keep you safe.
- Database security best practices entail managing the schemas to meet the needs of the applications while also having a strong link to access management best practices and controls.
- Digital data will make use of cloud analytics for research and decision making. Power BI security best practices will scan and validate data prior to use to maintain integrity and classification of data.
- Training and enforcement of data security best practices with staff or using guides from security vendors can help show how easy it is to succumb to a hacker’s efforts.
- Data masking (hiding original data with modified content)) for the development of services is a DevSecOps best practice, especially for Personally Identifiable Information (PII).
- Benefit from external experts who test your networks, applications, or cloud services for data security concerns. Some firms have even hired hackers to perform these same activities.
- Have an incident management plan of what is precisely supposed to occur and how the breach is to be communicated internally and externally (especially to customers and regulatory agencies).
- Have a tested data recovery plan for those instances when data is inadvertently deleted or corrupted.
- Ensure applications or services can use any data backup, even ones created years before, to meet regulatory mandates, as software and hardware changes may negate their use. Accessibility of data in a secure fashion and reintroducing archived data is part of sound practices to prevent a data breach.
- Monitor to ensure that data is deleted when no longer required or becomes outdated.
- Train customers in data security management practices to build their trust that you consider data security to be important.
- Have a robust password management policy: minimum characters, how they can be derived, discourage previously used passwords, or benefit from a password management tool.
- Introduce multi-factor authentication, fingerprint or facial recognition to protect services and applications better.
- Validate your processes against data center security best practices and data management security best practice standards such as ISO/IEC27001 or NIST data security.
- Log all tests and keep them for audit and compliance teams.
- For mobile or digital devices:
- Regularly update applications and security.
- Install spyware or cookie blockers as appropriate.
- Remove old applications.
- Install mobile device blocking tools in case the device is lost or stolen.
Types of data security management
The above represents a portion of the data security management best practices that an organization can introduce. Understanding the types of data security practices and threats can help avoid the types of data breaches that you see in the news press, such as:
- Security knowledge and language: create a data security language guide to facilitate training and understanding
- Malware: Malicious software designed to gain access and cause harm.
- Computer virus: software that changes the way computers run such that they can be controlled externally or made to perform activities, sometimes without your knowledge. Computer viruses, like any virus, can spread from one computer to another and are difficult to remove once introduced without considerable effort.
- Types of encryption keys and best practices: the transformation of data into unreadable formats via an algorithm will aid in designing services that resist security attacks. Introducing the various types of data encryption relies on skilled data security measures via trained staff or trusted supplier partners. Remember that keys can be lost, and always have a deputy for those occasions when the key owner is not reachable.
- Organizational data security management: assigning roles for data security management to data stewards, data administrators, product owners, developers, external data or software providers, cloud and managed service suppliers are just the beginning of this aspect.
- Data deletion, erasure, and destruction: the use of software to completely eradicate data from a storage device (digital or physical) under the auspices of the data owner, data steward or governance team.
- There are several types of data breaches, but best practices such as data resiliency will implement the capability to restore and recover from physical or software disruptive events in a safe and timely manner.
Difference between data security and data privacy?
Data security helps to maintain the safety of data while your organization is using or storing it. Data privacy is the core practice of ensuring that personal or organizational information is maintained and used as stipulated by regulatory agencies or internal policy. Data security and privacy are similar in terms of data management overall concepts, but bear in mind that the main difference between data security and data privacy is that data privacy ensures information confidentiality, while data security keeps your data and organization safe.
Personal or organizational information is a valuable and tradable commodity, so your data privacy solutions must be able to:
- Prove that you obtained the information legally and with the consent of the other party.
- Show how your practices blend cyber security and privacy practices such as those from NIST.
- Explain how roles for data access are derived, monitored and alerted when a breach occurs.
- Illustrate how big data security and privacy (manual data, cyber data, application data) is maintained and secured against loss, leakage and incidents.
- Fulfil requests as required by governmental regulations for the deletion of privacy data if requested by the owner (GDPR).
- Alert and respond to all those impacted by a data incident promptly.
- Backup and restore information to mitigate threats to data.
- That data will be backed up or stored safely and only for as long as needed.
Regular monitoring of compliance, updating privacy policies as governmental or best practices change, and ensuring that data security software, training and processes underpin data privacy is an organizational commitment owned by senior leadership.
5 Ways A Hybrid Integration Platform Can Make Your Data More Secure
Read MoreHow to manage data security threats
To manage data security appropriately, consider these three concepts:
- Confidentiality: To comply with privacy rules, data is classified as public or confidential with appropriate safeguards for application and individual accessibility.
- Integrity: Created or acquired information must be validated as being required for business use before being used by a business task.
- Availability: Data must be easily accessible and ready for use as required, including recoverability.
Security threats try and undermine these Confidentiality, Integrity and Availability (CIA) characteristics. Examples are:
- Confidential:
- Attacking with password guessing software.
- Vishing (voice), smishing (text) or phishing (email) attacks: hackers represent themselves as a member of your organization, a customer, a regulatory agent or some valid individual in an attempt to steal information that would compromise data security or data privacy.
- As seen in the Verizon data breaches report and following its advice.
- Integrity:
- The purchasing of data that hackers have mined from any of the above methods to defraud your organization or customers.
- Unauthorized downloads of data by staff, especially to personal devices.
- Data corrupted or sold by staff that feel they were dismissed or made redundant without cause, often before employee role management can remove them from access lists.
- Applications or external partners can inadvertently leave open entry to your organization by their poorly designed services. Constantly monitoring all points of entry will alert you when a mitigating action needs to occur.
- Mistakes happen. Copying files to non-protected devices, sharing passwords in an emergency, sending data to the wrong person, not following rules are all types of errors that software and training can help limit their impact.
- Availability:
- Lack of data backups that can recover services on time.
- Data comes in all sorts of formats, and each design presents an opportunity to bypass security defenses. Data monitoring and alerting on your networks or within your applications will help shore up any deficiencies.
- Malware or computer viruses: software that compromises or attempts to control your applications or infrastructure. Security scanning and blocking software will mitigate the success of these attacks.
- Encryption key management to safeguard access and usage of information regardless of where it is stored or transferred.
CIA links to every aspect of your data security and business continuity management policies, practices, software and hardware. Senior management must help maintain the maturity of data security management at all levels of your business and contractually obligate business partners to do the same. Assessing your practices against those of best practices, such as those in the Verizon Data Breach report, will ensure trust and compliance in big data security management.
Data security management tools
Data security management:
- Planning and governance tools to monitor data through its lifecycle.
- Knowing what data you have and why you have it.
- Validation of data integrity.
- Understanding where information is stored and under what circumstances.
- Ensuring that data is deleted when and as required.
Due to the complexity and abundance of data used or housed by any organization, these tasks require the assistance of software to catalog, track, monitor, control and alert data access and use. The characteristics of software tools to consider are:
- All applications and services will have their own data needs, and each must be cataloged and linked to a data management system for monitoring and governance.
- Backup and recovery software underpin data loss prevention tools used by developers or SaaS partners.
- Data masking of sensitive information, especially for product development.
- Data deletion and erasure software with logging and confirmation.
- Security network monitoring via firewalls.
- Data security systems for physical devices such as alarms or locked doors.
- Encryption, tokens and security keys software for digital services or physical access.
- Multi-factor (two-factor) authentication, facial recognition, fingerprint access software.
- One-time password software for emergency access whereby the password is immediately disabled upon use.
- Compliance monitoring, alerting and reporting.
- Cloud access security broker: an extra level of software monitoring and control for data stored in a cloud.
- Using big data security to manage Hadoop open-source platforms, especially for data management platforms containing marketing information.
Introducing data security loss prevention software for specialized services such as payments, mobile apps, web browsers or data analytics.