Building your data security and protection toolkit
Data security is broad and multi-faceted, with each element at risk of being the weak link that facilitates an attack, resulting in a breach of your business data. Creating an effective strategy means building a toolkit of software, processes, and training to ensure that data security best practices are consistently implemented, assessed, and updated.
This beginner-level training module will separate the different types of data security methods (physical, cloud, individual, and endpoint) and the measures that need to be in place for each. It will then provide more detail about how these data security principles should be recorded, reviewed, and revised to create a toolkit that can be improved as security concerns shift. Finally, it will explain the value of a best practice policy and training to emphasize the importance of data security.
Data security is often thought of as only a digital concern, but it is important to give equal consideration to the physical security of your data. In the same way that doors are locked and alarms are set to protect office spaces, individual users should be made aware of the physical threats that could become the source of data security issues.
A physical attack is caused when an unauthorized person gains access to the location where data is stored, with the intent to steal or damage the data. This physical location would typically be an office space, but in the modern workplace, it could also mean access to a laptop, tablet, phone, or any system used for business purposes.
You should also create and require staff at all levels to sign a Bring Your Own Device (BYOD) policy. This policy should ensure that company information is not accessed on personal devices unless they meet the same data security standards as company-provided devices, and that users agree to abide by best practices to keep data secure.
Anybody working on a train, having a public conversation, or replying to emails in a shared space also poses a potential physical security risk. Employees should be made aware of these risks, including being aware of who can see your screen and what is being said out loud – both could provide information that may result in a spearphishing attack.
Physical security measures to protect bad actors from accessing data:
- Not using physical external storage devices (USB drives)
- Locking away devices and paper files when they are not in use
- Secure server storage with access that is limited to those who need it in order to complete their work
- Access and surveillance controls, such as CCTV and ID entry systems, in company properties
- Keep server backups in a different location from the servers.
Cloud services are being increasingly adopted by organizations for many reasons:
- Remote access to files
- Automated backups
- Cost-efficient data security solutions
- Cloud processing, which allows low-powered devices to utilize demanding software.
However, working in the cloud entrusts a large amount of company data to third-party service providers. For this reason, your security toolkit must include a cloud security strategy to highlight potential data security threats, and the measures required for protecting data that is stored in or accessed from the cloud.
- Lack of visibility – Cloud infrastructures are designed to integrate multiple services and make data sharing simple. This makes it hard for a business to ensure that access permissions are correctly applied, as the attack surface is broadened and distributed across platforms. This removes the business’ control, since data security in the cloud is then in the hands of a third-party service provider, restricting the effectiveness of the incident response.
- Account hijacking – With so many tools and services accessible in the cloud, the importance of account security and credentials management becomes even more vital, as one breached account could provide access to much more data.
- Software security – The applications used to access cloud services must be correctly secured and regularly updated. If the cloud service provider were to be breached, their clients’ data could be exposed or lost, despite best practices being followed internally.
To protect against these risks and to utilize cloud services safely, IT managers should ensure that:
- Employees are fully trained with the latest guidance and best practices regarding data use and account security. This includes the use of multi-factor authentication (MFA) or single sign-on (SSO).
- Establish access controls and monitor user permissions proactively.
- Data backups should be held in multiple locations, including physical and offsite storage. Backups should be scheduled to run as regularly as possible to minimize potential data loss and disaster recovery downtime.
- Make sure that the cloud services apply suitable levels of encryption and meet corporate data security requirements and privacy regulations for the regions in which your business operates.
Protect against individuals
Insider threat incidents are one of the most common forms of data breach. It is important to note that while some insider threats come from malicious sources such as disgruntled former staff or contractors, most will come through human error – users with weak passwords, a lack of cybersecurity training leading to a phishing attack, etc.
While the general security measures included in a data security breach policy – such as physical security, strong access controls, encryption, and use of effective cybersecurity software, including VPNs, firewalls, and malware scanners – will help to prevent malicious attacks, reducing individual errors will protect against the largest cause of data breaches.
Cybersecurity training remains the first line of defense against phishing, social engineering, password best practices, and threat response, but detailed access control management is the most effective measure for ensuring data security. If an account is breached but only has access to essential files for that individual’s work, then the amount of data that is at risk of being stolen will be significantly reduced.
Identify and classify critical data
The first step towards improved data security management is to understand exactly what data you have and how it is stored. This will make it easier to classify which data requires additional security, encryption, and more regular secure backups.
There are typically three types of classification, though more can be added if required:
- Public: This information is not restricted and can be freely accessed. Examples include employee names or job titles.
- Proprietary/Internal: Data that should only be accessed by internal personnel includes documents relating to work processes, such as strategy documents and internal communications.
- Confidential: Data that is covered by data protection, such as customer information should receive the highest level of security and have access restricted to only those users with specific permission.
Data usage and access
Having taken the time to know exactly what data is being held, access permissions can be determined for individual user accounts. More detailed explanations can be found in the Identity Management course.
Permissions can be issued and managed in multiple ways, depending on the size and requirements of the business, but determining which users have access to important and sensitive data should always be decided by the needs of the role, not by an individual’s seniority.
Users should only have access to the data and documents required to complete their specific tasks. When this is no longer needed, permissions must be adjusted accordingly.
Principle of Least Privilege
The principle of least privilege (PoLP) is a cybersecurity approach that improves data security by reducing the number of people with the ability to access sensitive data. The fewer accounts with universal or administrator access, the smaller the attack surface.
This means that access should only be granted when the level of access meets the needs of the task. This approach also simplifies granting permissions for contractors as permissions have to be given rather than removed, meaning that nobody should have access to files without an administrator explicitly providing it.
Example levels of access:
- Full control (administrator)
- Permission to modify
- Permission to access
- Permission to access and modify (but not delete)
Each level of access could also be time-limited, meaning permission to modify certain documents could expire automatically when a project deadline is passed.
To ensure your collection of data security tools is comprehensive, it is vital to create a holistic endpoint security system. Endpoints refer to any devices that can connect to the business network – everything from laptops to IoT appliances (light bulbs and smart assistants).
Endpoints should be thought of like windows and doors – while they can be secured, they are also the entry points to the company – making them susceptible targets for cybercriminals and at risk of a data security breach.
With the growth of personal device use both inside and outside of the traditional office space, the number of endpoints has grown rapidly. This demands close monitoring so that every single entry point is sufficiently protected – no matter how modern and detailed a security plan is, it can only ever be as effective as the weakest link.
Document your data security policy
With a data security policy created, the next step is to make sure that it can be seen and understood. Every element should be documented clearly so that it can be quickly referred to and will provide definitive guidance in case of an attack.
Staff will be required to follow the processes set out by the policy, so it is important to provide transparency around what is being asked and why it is an important requirement. For every aspect of the policy, the following points should be answered:
- Policy details
Building a framework like this has many organizational benefits - making it easier to share processes and insights, arrange training, induct new staff, and ensure data security compliance is in line with legal regulations.
Review and revision
The threat landscape is continually evolving, and security software and strategies must keep pace with emerging technology. This means that last year's policies may not provide sufficient protection for this year. Data security policies need to be a living document that is constantly improved in order to stay in line with data security best practices and react to emerging threats.
The details should be tested and analyzed regularly to ensure that they remain effective. A schedule should be arranged so that different aspects are reviewed each month – meaning that every year, the entire policy has been reviewed. This should be thought of as a digital fire drill and identify weak points or issues with processes to make sure they remain effective should the worst happen.
When opportunities to improve best practices are identified, they should be made clear to staff through training so that new approaches can quickly become established.
Training is important for every member of the business, from part-time workers to the executive level. This will ensure a fundamental level of understanding and quick reaction that’s required to protect against insider threats, should suspicious network activity be identified.
Data security changes will likely occur regularly, making it especially important to train and support staff who are not tech-savvy, ensuring that they can meet the standards required to keep data secure.
Changes to company best practices coming from data security policy revisions should be made in consultation with different departments in order to balance security with employee productivity. Training sessions should also be a platform for discussion and explanation of new approaches. This will help to make security part of the company culture, as it is a communal conversation that should welcome input from all departments.
Building your data security and protection best practices into a toolkit needs to be a comprehensive process that provides clear guidance on:
- Physical security
- Cloud security
- Insider threats
- Data auditing and classifying permission levels
- Holistic endpoint security
The resulting documentation must clearly present best practices and policies. It should be updated regularly based on new threats and tested for effectiveness. Finally, regular training must be provided to ensure staff members have a fundamental understanding of security processes and how to implement them.