Six essentials of company data security

 

Data breaches are not just a problem; they are a crisis

The list of companies that have had their data security breached seems endless: Target, Facebook, T-Mobile, Marriott, Quest Laboratories, Quora, Equifax and on and on and on. It’s no wonder that a recent study by Cisco showed that 31% of organizations have, at some point, encountered breaches of their data security infrastructure. At any given time, any company could be vulnerable to a serious data security breach. That’s why it’s important for every company to have a strategy for mitigating their data security risks. Here are six important ways a company can minimize its data security risk.

1. Know what data you have and where it is

It’s important to do a data analysis that defines important enterprise data, its attributes and where it is processed and stored. Security and compliance restrictions should be identified as an attribute of metadata and data classification. Ensure that the data is stored on platforms that restrict access based on these attributes and classifications. Understanding what you have, where it is, and who is responsible for it is the foundation of building a data security strategy.

2. Perform a data risk assessment regularly

To identify any potential dangers, you should perform risk assessments at regular intervals. The assessment should review any threats—virtual (online internal or external, web, etc.), logical (software reliability and updates) or physical (power outages, temperature, water, environmental, theft, etc.). Identify any weak points and prioritize actions to remediate any risks. A good rule of thumb to follow is to perform risk management assessments annually, at a minimum.

3. Adopt a multi-layered approach to data security

Your company’s program for managing data security should have a multi-layered approach for data and storage networks. Adopting a defense-in-depth strategy towards your data security will protect it if one or more of your defense mechanisms fails or is breached. This should include:

  • Authentication. Use different tactics depending on the user type. Implement different techniques for internal users and vendor users.
  • Authorization. Enforce privileges based on roles, responsibilities, and user type.
  • Encryption. All sensitive data should be encrypted wherever it is stored.
  • Auditing. Logs and histories are essential for maintaining accountability and identifying potential risks.

4. Have a backup and recovery strategy for important and sensitive data

Have a formal disaster recovery and business continuity plan and test it. The latter is often overlooked. Test your plan at least annually and document the results for improvement and lessons learned. Don't forget to make sure your backups are stored securely (whether physical or online media) and that they're encrypted. These files contain all the crown jewels in your organization in a compact form that is easily exfiltrated from your network if it is breached. Make sure that they are useless scrambled data if this happens (see defense-in-depth statement earlier). Finally, consider using a backup solution that allows for scanning data for dormant malware. Cyber-extortionists now try to infect your backups before springing their trap so that they are useless to you. Checking them for infections can give an early warning of infection, allowing you to remediate before the attack.

5. Review third-party risk management policies

Inventory the vendors that have access to your data. Ensure that your vendors comply with your vendor privileged access policy. Most companies store at least some of their data in the cloud using Amazon, Google, Microsoft, and other cloud service providers.  Ensure that your IT team has appropriate training on these platforms and understands the security measures your provider uses for encryption, authentication, API, applications, and other processes.

6. Train everyone, including vendors

A company’s data security policy is only effective if people know about it and understand its importance. Every level of the organization and every third-party vendor should understand that they are responsible for data security and the impact that a data breach can have on the business and its reputation. Be sure that your training, policies, and procedures stay up-to-date with your company’s business strategy, technological changes, and industry regulations. These six essentials of company data security provide a framework that is critical for defending your company from threats. To learn more about how to protect yourself, check out our infographic that walks you through the different threats from employees and vendors.