What is Data Security?
Data security is the practice of protecting corporate and customer data against unauthorized use and exposure. It includes everything from discovering the data that a company owns to implementing security controls designed to restrict access to and protect this data.
Data security is one of the biggest cybersecurity challenges faced by the modern business. In 2020, 3,932 data breaches occurred, leaking over 37,186 individual records, which is more than the previous six years combined. Recent data breaches range from minor incidents that most people have never heard about to huge-scale incidents like the Equifax breach that exposed financial data for 147 million people.
Why is Data Security Necessary?
Strong data security is important for a number of different reasons. One of the biggest drivers for investing in data security is minimizing the potential cost and damage caused by a data breach.
According to IBM and the Ponemon Institute, the average cost of a data breach is $3.6 million, and includes the following types of expenses:
- Detection and escalation (28.8%)
- Remediation (6.2%)
- Ex-post response (25.4%)
- Lost business cost (39.4%)
Of these four categories, the biggest cost of poor data security to the business is not cleaning up after the incident occurs. The loss of customer trust and future business – while difficult to measure – is a greater expense for the company.
Organizations with poor data security are also likely to face regulatory penalties. As data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) become more stringent, regulators can levy fines for failing to comply with requirements even if that non-compliance did not result in a breach.
Non-compliance with other regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS), can result in the loss of the right to process credit and debit cards, which has a significant impact on an organization’s ability to do business.
Types of Data Security
The objective of data security is to protect sensitive data by minimizing the probability that it will be leaked or exposed to unauthorized users.
A number of different tools exist for achieving this goal, including:
Encryption algorithms make it impossible to read data without access to the proper decryption key. Under many data protection laws, if encrypted data is leaked but the attacker does not have access to the decryption key, then the breach does not need to be reported. To learn more about how to use data encryption for data security, check out our data encryption guide.
Prey Project can manage BitLocker for Windows 10 devices that have a physical Trusted Platform Module (TPM) installed and active. With it, you can select which disks to encrypt and decrypt, check on their progress and use the security standard that best suits your needs.
Erasing unneeded data is the most effective method of protecting it against unauthorized access. Many data protection regulations have strict rules on how long an organization can retain certain types of data.
Identity Access Management (IAM)
Access control systems enable an organization to limit users’ access and permissions to the minimum required for their job role (the principle of least privilege). Implementing IAM decreases the probability and impact of data breaches and is required for compliance with certain data protection regulations (such as PCI-DSS).
Data Loss Prevention (DLP)
DLP solutions are designed to identify and alert on or block attempted exfiltration of data from an organization’s network. These systems can be a good last line of defense against data breaches but are most effective when paired with other solutions as they might miss an attempted exfiltration and only come into play once an attacker has already gained access to an organization’s data.
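The identify, alert and block decision described above can be illustrated with a small content-inspection rule for payment card numbers. This is an added example, not code from Prey or any DLP product; the function names, the internal-domain list and the sample messages are constructed for illustration.

```python
from __future__ import annotations
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers (first 6, last 4) that pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers and other look-alikes
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def inspect_outbound(text: str, destination: str, internal_domains: set[str]) -> dict:
    """Decide allow / alert / block for one outbound message."""
    hits = find_card_numbers(text)
    domain = destination.rsplit("@", 1)[-1].lower()
    if not hits:
        action = "allow"
    elif domain in internal_domains:
        action = "alert"        # sensitive data moving inside the organization
    else:
        action = "block"        # sensitive data leaving the organization
    return {"action": action, "matches": hits}

if __name__ == "__main__":
    internal = {"corp.example"}  # assumed internal mail domain
    # Constructed sample messages; 4111 1111 1111 1111 is a standard test number.
    samples = [
        ("Card on file: 4111 1111 1111 1111", "someone@mail.example"),
        ("Card on file: 4111-1111-1111-1111", "finance@corp.example"),
        ("Order 1234 5678 9012 3456 shipped", "someone@mail.example"),
    ]
    for body, dest in samples:
        print(dest, inspect_outbound(body, dest, internal))
```

The Luhn check keeps the rule from firing on every long digit string, and the report carries only masked values so the alert itself does not become another copy of the data.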
Governance, Risk, and Compliance
Policies and procedures are essential for robust data security. By defining and training employees on policies regarding data classification and how to properly manage different types of data, an organization can reduce its risk of a data breach.
Anti-Malware, Antivirus, and Endpoint Protection
Many data breaches are enabled by malware, including ransomware that steals data to force a victim to pay a ransom or infostealer malware that steals users’ credentials and other data. Installing anti-malware, antivirus, and endpoint protection solutions on devices can help to detect and block attempted data theft by malware.
While a variety of solutions exist for implementing data security, different approaches are better at managing different risks. For example, lost or stolen devices have been the source of numerous data breaches. While IAM and DLP solutions have little impact on these types of data leaks, deploying full-disk encryption on devices carrying sensitive company or customer data can help to mitigate these threats.
Data Security Threats
Data is everywhere within an organization’s network, and it can be put at risk in a number of different ways. Some of the top threats to data security include:
- Data Loss in the Cloud: Many organizations are moving to the cloud, but cloud security has consistently lagged. 60% of cloud storage includes unencrypted data, and security misconfigurations present in 93% of cloud storage services have caused over 200 data breaches in the last two years. Since these cloud-based resources are directly accessible from the public Internet, this places the data that they contain at risk.
- Phishing and Other Social Engineering Attacks: Phishing and social engineering attacks are a common method for stealing sensitive data. A malicious email, SMS, social media message or phone call may attempt to steal sensitive information directly or steal user credentials. These credentials can then be used to access online accounts containing sensitive information, such as cloud-based email or data storage.
- Accidental Exposure: Not all data breaches are intentional. According to IBM and the Ponemon Institute, 48% of data breaches are caused by system glitches or human error. This can include everything from an accidental CC on an email to misconfiguring cloud security permissions to leaving a USB drive or printout on the subway.
- Insider Threats: The popular conception of data breaches is that they are mainly carried out by outside attackers. However, insider threats are behind an estimated 60-75% of data breaches. This includes both malicious insiders – like that employee that was fired this morning but still has access to the network – and negligent employees that cause accidental data exposures.
- Ransomware: Ransomware is a threat to an organization’s data in a couple of different ways. All ransomware variants perform data encryption, which makes the data impossible to access without paying the ransom for the decryption key. Some ransomware groups have gone further and added a data stealer to their malware, which provides additional leverage when demanding a ransom payment.
- Physical Hardware Compromise: All data is stored on physical hardware, and this hardware may be the target of an attack. Malicious hardware inserted via a supply chain attack can compromise sensitive data, or an attacker can attempt to read data directly off of a disk while the device is still turned off.
How You Can Influence Data Security Where You Work
Many data security decisions are made at the executive level, such as corporate policies and the security solutions to deploy to protect the business. However, there are simple steps that you can take to improve your own data security and that of the business, including:
- Use Strong Access Control: Weak passwords are one of the biggest cybersecurity threats to an organization and its data. Use strong, unique passwords for all accounts and turn on multi-factor authentication (MFA) wherever it is available.
- Install Full-Disk Encryption: Full-disk encryption stores data in an encrypted state, making it impossible to read without the proper password. This protection against physical attacks grows more important as working from mobile devices becomes more common.
- Share Data Securely: Using sharing links for cloud-based documents and data makes them accessible to anyone with the link, and tools exist specifically to search for these links. Send an individual invite to access the resource rather than turning on link sharing.
- Create Backups Regularly: Ransomware is a serious threat, and a successful attack can cause significant loss of data. Set up an automatic backup solution to make a copy of data to read-only storage to protect against these attacks.
- Cybersec Training: User awareness is essential to the success of enterprise data security. For tips on developing cybersecurity awareness training for employees, check out this blog.
Data Security Regulations
Data protection regulations have been around for many years. However, in the last few years, the regulatory landscape has grown very complex very quickly.
The exact data privacy laws that an organization must comply with depend on its location and industry. Some of the major data security regulations to be aware of include:
General Data Protection Regulation (GDPR)
The GDPR was passed in 2016 and went into effect in 2018. It protects the personal data of EU citizens and applies to any organization with EU customers, regardless of location. The GDPR kicked off the recent surge in data privacy laws and is the inspiration for many of them.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US regulation that protects the personal health data of US citizens. Its data security requirements apply to both healthcare providers and their service providers that may have access to data protected under the law.
Federal Information Security Management Act (FISMA)
FISMA is a law governing information security for the US government. It codifies the cybersecurity and data security protections and policies that federal agencies must put in place.
Sarbanes-Oxley Act (SOX)
SOX is a law designed to protect investors in a company against fraud. Data security is an important component of this as a data breach can hurt the value of a company’s stocks. After the SolarWinds hack, a class-action lawsuit was filed against the company asserting that the company’s claims regarding cybersecurity in its SOX filings were untrue and misleading.