Data security is defined as the technical process of protecting any computer system’s information from unauthorized access or destruction. In this article, we explain what data security is today, its plans and policies for effective management, with the best practices to follow in 2021.
Table of Contents
- What Is Data Security?
- Data Security Plan and Policy: 6 Key Steps with Examples
- Key Challenges and Solutions for Data Security in 2021
- 8 Best Practices for Data Security in 2021
What Is Data Security?
Data security is defined as the technical process of protecting any computer system’s information from unauthorized access or destruction. This encompasses any type of device, server or network of computer devices (like your home wifi).
Let us look at the key components of data security to understand further:
- A three-fold resource set – It’s a common mistake to assume that the definition of data security applies only to data security tools and technologies. In reality, the security strategies, processes to enact them, and resource allocation are equally important to protect enterprise data assets.
- Identifying valuable data – To formulate a data security policy framework, first you need to prioritize your data in terms of security investments. For instance, investing the same level of resources to 50-year-old data as you would to a newly inked IP document is inefficient when there are expense constraints, especially after the Covid lockdowns. This especially becomes a major challenge when replicated at scale. That’s why identifying, classifying and prioritizing your data security needs is crucial.
- Data may never be 100% secure – Valuable data could lie exposed to new forms of malware and viruses for which your current security mechanisms may not be enough. This is because both sides are constantly innovating- one tries to hack and your data security protocols and systems try to detect and neutralize it. But this doesn’t take away from the level of security it provides and the highly reduced probability of security breach.
- Data security is key for work data– While personal devices also need and often have data security inbuilt while purchasing, an enterprise/ organizational system is much more prone to attacks given that the value of information/cost of damage is much higher.
To cover all of these touchpoints effectively, companies need a robust data security plan.
Learn More: What Is a Data Catalog? Definition, Examples, and Best Practices
Data Security Plan and Policy: 6 Key Steps With Examples
It is easy to take a set-up-and-forget approach to data security. You partner with a vendor, install a data security solution, and keep doing business as usual. But without the critical steps mentioned below, companies are likely to face glaring gaps along the way. That’s why it is advisable to:
1. Rethink network-based cybersecurity frameworks
Network-based security divides up the enterprise ecosystem into an application, device, and perimeter levels. But this is only one step of the solution. As companies embrace widespread remote working in 2020, employees will log in to data applications from endpoints that are outside of this traditional strategy.
“To protect customers, employees, and reputations while ensuring compliance with evolving regulations, companies should shift their security strategies from an outdated reliance primarily on ‘perimeter protection’ to a companywide approach based on ‘secure data access,’†saysOpens a new window Nick Halsey, CEO of Okera, a data governance and access software company. For example, protecting the perimeter isn’t enough when so many employees are working outside the enterprise firewall. Device-based security doesn’t factor in human folly and digital bad habits.
In contrast, secure data access at every level helps in adherence to security protocol, no matter the device of access or employee role.
2. Shape your data security policy around the cloud
Cloud migration was already on most organizations’ digital transformation roadmaps, and remote work has only accelerated the pace due to Covid lockdowns. Cloud adoption means you are using shared resources, with far more security vectors than you would have in an on-premise-only set-up. Your data security policies for the cloud should also be scalable. As you leverage cloud resources dynamically, the framework adapts in tandem without leaving any vulnerability.
Technology advancements make it possible to achieve this with minimal effort investment. For example, a hybrid cloud data warehouse company, Yellowbrick Data, has just partnered with data security provider Sotero, for a solution along these lines. You can integrate your existing database infrastructure, even in a hybrid environment, with a strong security layer that requires little operational and maintenance intervention.
Learn More: Top 10 Data Governance Tools for 2021
3. Make data security a parameter for SaaS investments
Every new SaaS license you purchase brings with it its own set of security risks and vulnerabilities. In the last few months, there have been repeated headlines on security flaws in Zoom and how it exposed confidential communication data. When shopping for a SaaS product, submitting RFPs, and writing the SLAs, make data security a central parameter.
For example, Slack has recently enhanced its data security controls to give admins better visibility and simplify data-related compliance. Its new enterprise key management feature encrypts a custom workflow from end to end, while Slack audit logs maintain detailed records – which, as we mentioned, is a key component of data security.
Going through the product documentation and holding data security workshops with your vendor will help to make safer purchase decisions.
4. Opt for a zero-trust strategy for user authentication
A large or even a mid-sized enterprise will see hundreds of stakeholders logging into its data applications every day. From local contractors in the public sector to digital payment enablers for banks, from insurance brokers in healthcare to logistics managers in manufacturing — there is no end to the number of roles present in a typical enterprise ecosystem.
A zero-trust data security policy assumes every stakeholder to be a potential risk, regardless of their credentials. It monitors your digital assets and assesses every user who attempts to connect to these assets, maintaining records for a possible worst scenario. Cybersecurity analysts and experts increasingly recommend this policy, suggesting that every user, device, service, and dataset are bucketed into separate categories inside the trust framework to limit access. For example, the National Institute of Standards and Technology (US) has released new guidanceOpens a new window to implement zero-trust architectures.
Learn More: What Is Data Governance? Definition, Importance, and Best Practices
5. Maintain transparency and accountability for data breaches
The steps we mentioned so far will give you an accurate view of where your data is located, the measures in place, and how, who, and why it is being accessed. This accountability map is useful if at any time you face a data breach.
Depending on the nature of the data, companies are obligated to report a breach to the right authorities and make reparations. The failure to do so could invite millions of dollars in penalties, not to mention irreversible damage to brand reputation. That’s why the response step is a critical part of any data security policy, outlining an action plan for when the “prevention is better than cure†adage is no longer applicable.
Take lessons from recent attacks where the company failed to assume accountability on time. For example, Uber’s former Chief Security Officer now facesOpens a new window a summons with U.S. Marshals for not reporting a 2016 hack, trying to pay off the threat actors instead. In such cases, it is advisable to consult an experienced domain expert – which brings us to the next step.
6. Partner with a data privacy and security law specialist
A legal specialist can help you better navigate the evolving laws around data security, privacy, and utilization, tailoring your strategy to the needs of a specific region or industry. Involving a specialist at the early stages of policy implementation can help configure your framework more effectively, select the most security-friendly technology enablers, and respond appropriately in a worst-case scenario.
There are several organizations to help you with this. For example, the global law firm, Winston & Strawn LLP, has a new practice for global privacy and data security. “The almost-universal remote work environment caused by the COVID-19 pandemic has added to the challenge of providing access to information while ensuring systems are not vulnerable and abiding by the privacy and data security laws,†saysOpens a new window Sheryl Falk, co-leader of the practice.
Learn More: What Is Enterprise Data Management (EDM)? Definition, Importance, and Best Practices
Key Challenges and Solutions for Data Security in 2021
2020 is a landmark year for cybersecurity, as any gaps in enterprise digital frameworks will likely start to show. As employees switch to remote work and use digital-only mechanisms for communication and productivity, companies are scrambling to scale their data security infrastructure. Over 50%Opens a new window of the organizations have made new investments in VPN and cloud security, while only 37% are using multi-factor authentication.
Several challenges need to be resolved before we can adequately address all gaps:
- Employees are still open to scams like phishing
A sense of uncertainty is now propelling employees to click on links or open emails they would have otherwise avoided. Since February, there has been a 667% uptickOpens a new window in phishing attacks, and recently Microsoft seized control of several domains used for COVID-19-themed phishing.
The best solution to this challenge is security-awareness training. Educating employees about online risk and fostering a culture of skepticism will nip the problem at its source. Bolster your training campaign with specialized products like Sophos Phish Threat – it simulates a realistic and challenging attack based on threat intelligence. Employees can work through 30+ training modules for a hands-on understanding of what to do when faced with suspicious content.
- Everyone is a privileged user, especially in small businesses
As small and mid-sized businesses digitize in 2020, IAM and user-privilege definition often takes a backseat. Business leaders are eager to equip employees with all the resources they enjoyed in a physical office and empower them to stay productive, often going against pre-pandemic data security policies.
There is a two-fold answer to this challenge: technology and culture. Small businesses must embrace a culture of security awareness, where honoring data privacy is a top priority. Technology can work to augment this – consider IAM tools like OneLogin that are available for as low as $2 per user per month, providing industry-leading security measures at just $100 for a 50-member small business.
Learn More: Top 8 Big Data Security Best Practices for 2021
- Shadow IT leads to a sprawling data environment
2020 has introduced an unseen level of decentralization, where individual business units try to become self-sufficient and continue operations with little to no physical interactions with the HQ. This leads to shadow IT – as the IT team can’t be physically present to resolve issues, BUs are forced to pick up the mantle. But shadow IT may not (and usually does not) follow the same stringent data security policies as the HQ, despite consuming 30-40% of costsOpens a new window .
The solution to this challenge lies in better consolidation and integrated visibility, preferably via a unified dashboard. Software like the Trustway DataProtect AppOpens a new window encrypts data across disparate applications and brings them together in a centralized platform, minimizing risk from shadow IT. CoreSaaS is another handy tool that helps you discover all your active SaaS applications, monitor activity, and govern SaaS data.
- Applications aren’t built on safe data principles
This is a major challenge for large enterprises, ISVs, and digital-first companies that regularly develop in-house applications. Application design must follow data security best practices, and testing data needs to be adequately anonymized – these needs have given rise to the DataOps field, where strong data governance is tightly woven into the application development CI/CD landscape.
In an agile world, where iterations and updates are released every next month or week, security flaws in your applications have a very large reach. Choose a DataOps solution like Delphix to maintain development speeds without compromising on data security. Delphix can create a secure virtual environment, manage sensitive data, maintain data version control, and revert data to any historical point as needed during development.
- There is no clear data security policy for retiring datasets
Most data security laws come with storage limitations, restricting companies from holding onto data beyond a justifiable cause. In other words, you can’t store data for future analysis unless you have already identified the purpose and impact of the said analysis. To comply, enterprises must institute a clear data retention period, after which it enters the retirement stage.
Fortunately, there are several solutions available to address this challenge, like Blancco. Blancco’s data erasure software adheres to 25+ standards and provides you with a tamper-proof report for compliance. It maintains an accurate chain of custody for complete transparency and analyzes your mobile endpoints to find errors.
The proliferation of digital tools will only add to the challenges in data security. That’s why it is essential for enterprises to take a proactive stance and follow data security best practices, keeping pace with evolving threat variants.
Learn More: What Is a Firewall? Definition, Key Components, and Best Practices
8 Best Practices for Data Security in 2021
So far, in 2020, a total of 16 billion data records have been exposedOpens a new window , which is a 273% uptick from the same period of the previous year. This trend highlights the importance of data security best practices, from the grass-root level to business leaders, if we are to keep sophisticated cyberattack tactics at bay. These best practices include:
Best Practices for Data Security in 2021
1. Carefully formulate access privileges in IAM
Identity access management or IAM forms the crux of data security policies at several organizations, giving users access to data based on their role/persona. Typically, experts recommend a least-privilege approach, where employees have access to only what’s relevant to their work and must seek approval for everything else. IAM also requires that you keep detailed records of user authentication, access logs, and device/origin of access. This comes in handy for future compliance and data security audits.
2. Adhere to data privacy and security regulations wherever applicable
Governments around the world are fast adapting to an evolved cybersecurity climate, where consumers are sharing data at scale, opening up new vulnerabilities. Apart from the well-known GDPR law for EU citizens and CCPA, which is specific to California-based companies, almost every region (and sector) calls for dedicated compliance. For example, all health data records must follow HIPAA norms, which are specific to the healthcare sector. This could require intervention from a legal professional, which is why partnering with a privacy and security law specialist should be a part of your data security plan.
3. Set clear data security priorities before policy implementation
How do you know which data to protect, which ones need universal access, which datasets should have multi-layered authentication, and which data should be retired entirely? A detailed and regular risk assessment exercise assigns data sets a risk score depending on its value to the enterprise, its value to the originator (employee or customer), and the possibility of exposure through daily digital activities. Prioritization also makes your data security plan more efficient, as you are focused on the most vulnerable/severe-criticality areas. It will also help you allocate your security resources more effectively.
Learn More: Top 10 Firewall Security Software in 2021
4. Don’t ignore your internal customers – the employees
Data security rules apply equally to both external and internal users. For example, laws like GDPR and CCPA mandate similar privacy, consent, and autonomy rights for every user, regardless of whether they are an external customer or they fall within the purview of contractual employee agreements.
Enterprises must balance the need to monitor data activities, restrict access, and scan for unusual activity, with a conscious acknowledgment and upholding of individual employee rights. Be mindful of data collection via cookies, the reasons for collecting employee data, and where you store your most valuable information like employee social security numbers. Weak measures could open a company to a variety of risks, including legal liability.
5. Maintain regular back-ups
Losing access to data is as much of a problem as having data exposed in the public domain. Cyber-attack strategies like malware target valuable data like customer information, which delivers analytics, or intellectual property to extract a ransom from the data owner (like the WannaCry ransomware attack of 2017).
Data loss could also be an unforeseeable consequence of a natural disaster when a physical server is damaged. Without access to the data, critical business functions could come to a halt. That’s why a useful DLP best practice is maintaining data backups that are as close to real-time as possible. Look for advanced backup techniques that let you record data changes/updates, without revising the entire dataset, to optimize resource utilization.
6. Enforce proper password management guidelines
Did you know that even in 2020, where so many companies are facing high-value data breaches, 1 out of every 142 passwords continues to be 123456Opens a new window ? This statistic illustrates the human tendency to get lazy about password management for the sake of convenience. Add to this, common password management bad habits like writing it down on a piece of paper that’s readily accessible and using the same password for multiple applications. Proper password management guidelines are essential to not just protecting data, but also your enterprise assets as a whole.
Learn More: Top 10 Firewall Hardware Devices in 2021
7. Adopt privacy by default
Privacy by default entails that your system configurations – across the entire digital landscape – will record as little data as possible. For instance, your website might ask for the user’s permission before displaying a video ad, because it does not want to intrude on the user’s privacy and browsing experience. A simple way to adopt this principle is by enabling only the absolutely necessary cookies on your website and requesting the user to consent to additional cookies for a more personalized experience.
8. Restrict network access to non-work-related sites
Accessing suspicious websites on a work device is among the most common causes of vulnerabilities. Malicious software can creep in the form of harmless downloads and aid in data theft. That’s why it is a good idea to block commonly known malicious pages on the enterprise network and company-owned devices. However, ensure that your network access restrictions don’t get in the way of employee productivity and workflows. There should be an easy verification and approval process in place if an employee requires access to an unknown website.
It can be difficult to follow stringent data security policies given the current IT cost crunch. However, intelligent investment in data security across all of 2021 is essential to enterprise success during the pandemic and the recovery period. By remembering the above basic best practices and formulating an effective policy framework, you can ward off security threats and continue BAU even in today’s complex times.
What steps have you taken to strengthen data security in 2021? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window We would love to hear from you!