Data security is important for smooth functioning of businesses. With multiple stakeholders like employees, customers, shareholders, partners etc. spread across the globe, businesses need to ensure that their data is secure. Data breaches, revenues, brand standards – a lot is at stake where data is concerned. Hence the need to get data security practices and strategies right.
Data security represents the process used to protect data from unauthorized access. It lays a special emphasis on sensitive data like personal data, financial data and intellectual property. A lot of companies have personal data pertaining to employees and customers which is more often than not susceptible to cyberattacks. Processes and technologies are devised to safeguard these data points against corruption, modification and misuse. It gains prominence in the current times when organizations, both large and small, are moving to remote working with many systems getting connected virtually and sharing information at record speeds.
Importance of Data Security
The average cost of a data breach globally in 2020 was $3.8Mn. Another study by the Ponemon Institute found that the US alone witnessed losses amounting to $8Mn in 2020. According to the Internet Crime Complaint Center (IC3) of FBI, there was a 69% increase in complaints of internet crime from the American public. Securing data is the most important strategy that an organization can adopt since its reputation relies heavily on it. A simple cyber attack can result in a data breach and can deal a major blow to a business, leading to huge financial losses. Litigation cases, lawsuits, huge fines and bans could also be some of the repercussions. Customers need to have confidence in a business’ capability to safeguard its data. A damaged reputation could mean limited referrals, a badly hit image and extra effort to gain back brand equity, market standing etc. Compliance is one more angle that makes it imperative for companies to focus on data security practices. One important point to note here is that data can be stored in multiple devices and places – desktops, shared resources, mobiles, web among many others. A good data security policy should cover all of these.
Data Security v/s Data Protection v/s Data Privacy
There is often confusion around these 3 key concepts in relation to data. Let us set things right –
- Data privacy deals with how data is handled by companies. There has been a recent buzz about Google phasing out cookies. Cookies help collect and save browsing details of users so relevant advertisements can be shown. Data privacy regulations help frame guidelines for gaining user consent and responsibly using the data
- Data protection is concerned with creating backups and duplicate copies of data so that in the unlikely event of a data breach or misuse, data can still be available in its original form
- Data security is focused on ensuring that data is not accessed by unauthorized users by stopping data breaches and similar incidents
Data Security Technologies
Safeguarding data from inside and outside the organization requires a robust strategy. Some of the technologies and controls worth exploring and implementing are:
Here, sensitive details are disclosed in a limited fashion to limit its misuse. For example: a credit card having multiple digits might not be fully disclosed and a part of it might be masked. Personally identifiable information (PII) category of data requires this to a large extent.
Here, every piece of data is converted to an unreadable format. An encryption key is generated to decode/decrypt this piece of data by the authorized parties.
Copies of data are created so they could be referred to in case a particular piece of data is erased or corrupted.
Here, data is erased permanently when it is no longer required. For example, financial details of old customers should ideally be deleted if they are no longer doing business with a company. Also, if a specific customer/lead requests deletion of any specific details, the same should be done as part of good company policies. This data should also be unrecoverable.
Authentication and authorization
Two of the most obvious strategies but often overlooked ones. Authentication focuses on verifying users based on the credentials entered and compared with what is stored in the database. Having good password policies can ensure that breaking into a system becomes difficult. Authorization, which comes after a user is authenticated, checks for the access control. Role-based access control ensures that clear bifurcations are done so only relevant users or roles are provided access to the right amount of data.
This replaces the specific sensitive data with a random sequence of characters which act as a token to represent the real data while the actual data is stored in a secure place.
Data Security Regulations
Some regulations help define best practices and provide guidelines for securing data in the best ways possible. A look at a couple of important and prominent ones:
General Data Protection Regulation (GDPR)
This protects data of EU citizens and covers important data points like SSN, email ids, IP addresses, phone numbers, account numbers etc. Companies need to classify data and delete data if specifically requested for by a person. Also, a breach needs to be reported within 72 hours. Companies are also liable to provide clear details of how, where and when the data would be used.
This is a US federal law looking at audit controls. Companies should undertake assessments of their internal controls as part of their annual reporting procedure while also controlling access to critical data points, security settings and access permissions. Regular reports pertaining to data use, data changes and permission updates also come under its purview.
Health Insurance Portability and Accountability Act (HIPAA)
This regulates health insurance and looks at records pertaining to health information. Continuous monitoring activities related to access to sensitive data and permission changes find coverage under this act. It also encourages maintaining a written record of all detailed activities for all users.
Federal Information Security Management Act (FISMA)
The act pertains to guidelines and security standards for federal agencies. Any private companies with a contractual relationship with the government also come under the act’s purview. Through continuous monitoring, risk categorization, security controls and robust system security plans, the agencies can avert attacks and possible vulnerabilities.
Family Educational Rights and Privacy Act (FERPA)
This applies to educational institutes that receive the US Department’s federal funds. The focus is on protecting personally identifiable information (PII) embedded in student education records.
Payment Card Industry Data Security Standard (PCI DSS)
Applicable to businesses that process credit card transactions, PCI DSS focuses on implementing robust access control measures to protect card holders’ data. A vulnerability management program, continuous threat monitoring and training of security professionals are key features
Gramm–Leach–Bliley Act (GLBA)
This act directs financial institutions, or any organization selling financial products or services to securely collect, share and use customers’ PII and Nonpublic Personal Information (NPI). Companies are also expected to notify consumers about the actual usage of their data and help them opt-out at any point in time.
Five ways of ensuring compliance on an ongoing basis:
There are some basic tips and practices that you can follow on a regular basis to be on top of your data security game:
- Understand your data and what regulations apply to you: As discussed above, different acts and regulations apply to different companies. It is important to understand which ones apply to you and your data so you can work on specific security controls.
- Conduct regular assessments and checks: Running regular assessments of risks and possible vulnerabilities will help gain a better understanding of your security posture, thereby helping fix issues and reach a higher security stage.
- Devise a plan: A plan here stands for a holistic one which looks into how security controls can be created, an implementation strategy can be developed and executed, employees can be trained, and regular tweaks / updates can be undertaken.
- Enhance your knowledge and network with peers: As the world changes around us and new attack vectors surface every minute, security controls also tend to become obsolete over a period of time, leading to the development of new controls. So, it is always good to keep reading, networking and being abreast with the latest security best practices.
- Get expert advice: When things go down south, it is important to take expert advice, so that the situation doesn’t go out of hand. Professional advice especially helps take a deep dive of the issues and devise relevant action plans.
Mobile app security shouldn’t be ignored:
While the data security strategies and areas discussed above are pretty much device-agnostic, some specific practices for mobile security go a long way in ensuring security of mobile data:
- Data purge and minimization: Companies should practice purging or deleting data that is no longer required. Also, having only the data points that are really crucial for businesses is important.
- Data auditing: These are regular checks and tests undertaken to report any access control changes, tampering of data, any possible attacks etc.
- Real-time alerts: Incorporating real-time alerts for deviations from existing standards or procedures will help to deal with issues proactively since many times companies do not realize the extent of a data breach till it is too late. 91% of recent incidents didn’t even generate an alert as per a 2019 survey
- Educate employees: Phishing attacks and email spoofing are pretty common across organizations. Training or educating internal stakeholders to beware of such attacks and practices is a good way to stay safe as a team and also ensure customer data protection.
- Have an incident management and data security recovery plan in place: When specific incidents do take place, a list of “Dos and Don’ts” comes in handy. This would also help get back on the ground running and fixing issues.
- Ensure that data is accessible only to certain individuals
- Protect data at source by through robust authentication techniques like Two Factor Authentication (2FA)
- Continuously test organization-wide systems by devising use cases and stress-testing all the infrastructure
- Remember to also delete physical copies of data to ensure that data that is no longer required is actually deleted completely with no traces left behind
Mobile application developers and owners do well by protecting their apps from hackers and modifications. Also, it helps when misuse or tampering of any nature can be tracked in real time, so damage is controlled and reputation is maintained. AppSealing with its Runtime Application Self Protection (RASP) solution helps companies monitor and scan their apps more proactively for threats and possible attacks. Companies can go for complete in-app protection without having to worry about any separate coding or AMC. Contact AppSealing today!