A strong data security defense always comes back to the basics
300,000. 50. 600,000,000.
On their own, these figures may seem meaningless. But in context they tell a dire tale.
They represent the number of files and directories stolen by a former Tesla employee, the number of terabytes of data an NSA contractor downloaded (widely viewed as the largest data heist in U.S. history), and the number of Facebook users whose passwords were found stored in plain text.
It’s clear, irrespective of the circumstances, that data remains woefully insecure.
With new data privacy legislation, such as the California Consumer Privacy Act (CCPA), getting introduced week-in and week-out, there needs to be a collective sea change sooner rather than later. And when it comes to securing critical data, companies should start with the basics.
Much like building a house, it’s impossible for an organization to build a successful security program without a proper foundation. Understanding everything you can about your data, especially from an employee standpoint – where it is, where it flows throughout the company, who can access it, who can share it – is fundamental to ensuring it’s adequately protected.
First, it’s essential for organizations to understand where their sensitive data lies and what, if any, controls are in place. Not being aware of where your data resides can have several drawbacks.
Without that knowledge, organizations can’t properly classify data or know which files, documents, or intellectual property would pose the greatest risk if compromised. Data classification strategies vary from company to company, but by using tools to identify what counts as sensitive data and by applying policies to it, organizations can bring some much-needed structure to their data protection strategy.
Customarily, data can be classified as either restricted (meaning that if it were released, it could have a long-lasting, damaging outcome to a company), confidential (meaning it needs to be protected from unauthorized access and contains moderately sensitive information), or public (meaning it’s okay to share publicly and largely non-sensitive in nature).
In this day and age, data rarely exists solely on the corporate network; it’s free flowing, it lives on laptops, tablets, mobile phones, remote offices, and the cloud. Not knowing where data is in an organization can have other consequences, like increased third-party risk, employee data theft, or non-compliance.
After data has been classified, companies should ensure the appropriate security controls are in place, at the user level, to safeguard it against theft. Policy controls ensure that data can’t be altered, lost, or stolen by malicious or, in some scenarios, well-meaning employees. Organizations would be doing themselves a disservice by overlooking the carelessness of employees; negligent workers have been among the leading causes of corporate data loss for years now.
As a bonus, the same controls can also help organizations and agencies comply with stringent regulations and guidance, like the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and NIST SP 800-53, in addition to GDPR and the forthcoming CCPA.
By implementing data security policies built around role-based access controls, organizations can better coach users on who has access to what data and for what purpose. In addition to being able to track critical data, controls can prevent users from doing certain things, like moving, copying, or printing data.
Many organizations, to mitigate risk, opt for controls that limit employees’ data access by ensuring they can only reach data relevant to their job. In these scenarios, admins can deploy solutions that show users a notification explaining why their action – be it accessing, moving, or emailing data – is prohibited in their organization.
This can also drive cybersecurity education initiatives; by better teaching employees how to make decisions with regards to data, they’ll be more productive and emboldened to make better judgments on their own around data in the future. Data protection solutions can help prevent data loss, but maintaining a successful security program is largely dependent on employee awareness and their ability to comply.
While helpful, controls aren’t necessarily failsafe. So it’s important for admins to verify the effectiveness of controls to ensure those in place are doing their job.
If effective, these safeguards should give admins and organizations alike peace of mind that data, wherever it is, whatever it is, isn’t going anywhere. Applying policies to protect data throughout the processing lifecycle, whether it’s in transit, at rest, or in use, ensures the data remains locked down.
Some solutions feature policies that enable prompting, blocking, or automatic encryption if a user is handling sensitive data. Others can be configured to outright prevent unauthorized access to sensitive content, tampering, or syncing to cloud environments.
In the event of potential data loss or exfiltration, solutions can give admins an easy path to remediation, thanks to operational and security alerts that are triggered when a user performs a certain activity. These alerts, which are traditionally built around the policies applied to users in the organization, provide immediate feedback on risks to your environment. To avoid alert fatigue and weed out false positives, organizations should focus on high-fidelity threat alerts.
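The two ideas above, role-based controls that explain to the user why an action was blocked, and alerts that are filtered down to high-fidelity cases so admins are not buried, fit together in one small policy engine. The following Python is an added illustration, not code from the article or from any product it alludes to; the roles, the "corp/" prefix for internal destinations, and the sample activity log are all assumptions made for the example.

```python
"""Policy-driven access control with user-facing explanations and
high-fidelity alert triage. Added example; the roles, the 'corp/' convention
for internal destinations and the event log are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Classification tiers from the article, ordered by sensitivity.
RESTRICTED, CONFIDENTIAL, PUBLIC = "restricted", "confidential", "public"
RANK = {PUBLIC: 0, CONFIDENTIAL: 1, RESTRICTED: 2}

# Hypothetical role-based policy: the highest tier a role may read, and the
# actions it may perform on non-public data.
ROLE_POLICY = {
    "finance":  {"max_read": RESTRICTED,   "allowed": {"access", "copy", "print"}},
    "engineer": {"max_read": CONFIDENTIAL, "allowed": {"access", "copy"}},
    "intern":   {"max_read": PUBLIC,       "allowed": {"access"}},
}

# Actions that carry data somewhere; these are where alerts should focus.
EGRESS_ACTIONS = {"email", "sync", "move"}

@dataclass
class Decision:
    allowed: bool
    message: str                 # shown to the user so they learn the policy
    alert: Optional[dict] = None # raised for admins only when blocked

def _is_internal(destination):
    # Assumption: internal destinations are named 'corp/<share>'.
    return destination is not None and destination.startswith("corp/")

def _alert(user, action, file_name, classification, destination):
    """Build an admin alert; severity tracks how much damage the attempt risked."""
    external = action in EGRESS_ACTIONS and not _is_internal(destination)
    if external and classification == RESTRICTED:
        severity = "high"       # restricted data leaving the company
    elif external:
        severity = "medium"     # confidential data leaving the company
    else:
        severity = "low"        # over-reach inside the company, often a slip
    return {"user": user, "action": action, "file": file_name,
            "classification": classification, "destination": destination,
            "severity": severity}

def evaluate(user, role, action, file_name, classification, destination=None):
    """Decide whether `user` (in `role`) may perform `action` on a file."""
    if classification == PUBLIC:
        return Decision(True, f"'{file_name}' is public; no restriction applies.")
    policy = ROLE_POLICY.get(role)
    if policy is None or RANK[classification] > RANK[policy["max_read"]]:
        msg = (f"Blocked: '{file_name}' is classified {classification}, which the "
               f"{role} role is not cleared to access.")
        return Decision(False, msg, _alert(user, action, file_name, classification, destination))
    if action in EGRESS_ACTIONS:
        if not _is_internal(destination):
            msg = (f"Blocked: {action} of {classification} data to '{destination}' would "
                   f"leave the corporate environment; use an approved internal location.")
            return Decision(False, msg, _alert(user, action, file_name, classification, destination))
        return Decision(True, f"{action} of '{file_name}' to '{destination}' permitted.")
    if action not in policy["allowed"]:
        msg = (f"Blocked: the {role} role may not {action} {classification} data. "
               f"Contact the data owner if you need this for your work.")
        return Decision(False, msg, _alert(user, action, file_name, classification, destination))
    return Decision(True, f"{action} of '{file_name}' permitted for role {role}.")

def process_events(events):
    """Run a list of (user, role, action, file, classification, destination) tuples."""
    return [evaluate(*event) for event in events]

def high_fidelity_alerts(decisions, min_severity="high"):
    """Keep only alerts at or above `min_severity` and collapse exact repeats,
    so admins see exfiltration attempts rather than every well-meaning slip."""
    order = {"low": 0, "medium": 1, "high": 2}
    merged = {}
    for d in decisions:
        a = d.alert
        if a is None or order[a["severity"]] < order[min_severity]:
            continue
        key = (a["user"], a["action"], a["file"], a["destination"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(a, count=1)
    return list(merged.values())

# Constructed activity log: the same restricted email is attempted twice.
SAMPLE_EVENTS = [
    ("alice", "finance",  "email",  "q3-forecast.xlsx",  RESTRICTED,   "alice.home@mail.example"),
    ("alice", "finance",  "email",  "q3-forecast.xlsx",  RESTRICTED,   "alice.home@mail.example"),
    ("bob",   "engineer", "sync",   "design-notes.md",   CONFIDENTIAL, "personal-cloud/drive"),
    ("bob",   "engineer", "copy",   "design-notes.md",   CONFIDENTIAL, None),
    ("carol", "intern",   "access", "payroll.csv",       RESTRICTED,   None),
    ("carol", "intern",   "access", "press-release.txt", PUBLIC,       None),
    ("dave",  "engineer", "print",  "design-notes.md",   CONFIDENTIAL, None),
    ("alice", "finance",  "move",   "q3-forecast.xlsx",  RESTRICTED,   "corp/finance-share"),
]

if __name__ == "__main__":
    decisions = process_events(SAMPLE_EVENTS)
    for d in decisions:
        print(("ALLOW " if d.allowed else "BLOCK ") + d.message)
    for a in high_fidelity_alerts(decisions):
        print("ALERT", a)
```

Of the eight events, five are blocked and each blocked one produces an alert, but only the repeated attempt to email a restricted file outside the company survives the high-fidelity filter, collapsed into a single alert with a count of two. Lowering `min_severity` to "medium" also surfaces the confidential sync to a personal cloud, while the internal over-reach cases (the intern opening payroll, the engineer printing) stay as low-severity records for coaching rather than paging.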
While it’s difficult to truly protect data from being exfiltrated from an organization, employing these basic practices can help companies better understand where their sensitive data is, where it’s going, who’s interacting with it, and where to divert efforts if it’s accessed.