No matter how large or small your organization is, the security of your data must be one of your top priorities. While regulations like HIPAA, GDPR, and CCPA provide basic privacy compliance standards for storing, accessing, and transferring information, data security overall is a broader issue that you’ll need to tackle from multiple angles. Data privacy – which is the primary concern of these regulations – involves who is allowed to see or access sensitive information. Data security, on the other hand, is about protecting that data from malicious or unauthorized access. Essentially, you need effective data security in order to maintain your data privacy.
The best way to approach data security is by designing your systems, infrastructure, and policies around security from the very beginning – a practice known as “shifting left”. However, that doesn’t mean your organization can’t upgrade your existing security strategy now to ensure data protection and privacy compliance in the future. The amount and types of data you manage will determine which specific approach you take, but the following data security best practices can help organizations of any size protect sensitive information and prevent breaches.
Data Security Best Practices
It can be tempting to view data security as a problem that can be solved by implementing a one-and-done software solution, but the truth is there are many layers of technology, training, and processes involved in a truly effective data security strategy. Even the smallest organizations need to take a holistic approach to securing their important data.
Sensitive data needs to be identified and clearly labeled so it can be stored in a secure location with the appropriate user access controls. You can use data discovery technology to help you classify and store data according to applicable criteria, whether the data security regulations you must be compliant with or the relative value of that data to your organization. If you employ a data discovery solution to help you manage your data, you need to ensure there are controls in place to prevent unauthorized users from reclassifying data improperly.
Once your data has been classified and secured, you must create security policies to restrict who has access to important data and implement barriers to prevent unauthorized users from gaining access. Your data usage policy should follow the principle of least privilege, which means users only get the privileges that are required for them to perform their job duties. Your access control barriers can be physical, such as biometric or card-swipe locks on doors, or technical, like Group Policies and multifactor authentication.
You should be logging all your database and file server activities, including logins, changes, and moves. This will enable you to track any changes to critical data and spot any other unusual activity. Also, tracking how your sensitive data is being used and who’s accessing it will help you build and manage more effective access controls in the future.
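One way to use those logs to tighten access controls, as an added example that is not part of the original article: it checks constructed audit events against a grant table, flags access to sensitive locations that no grant covers, and lists grants nobody used during the period. The log format, paths, user names, and function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample audit log (format assumed): time, user, action, path
AUDIT_LOG = """\
2024-05-01T09:02:11,alice,login,-
2024-05-01T09:05:40,alice,change,/finance/payroll.xlsx
2024-05-01T10:17:03,bob,login,-
2024-05-01T10:18:55,bob,move,/hr/reviews/2023.docx
2024-05-01T11:30:00,carol,change,/public/menu.txt
"""

# Hypothetical classification and grants: who may touch which sensitive area.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
GRANTS = {("alice", "/finance/"), ("alice", "/hr/"), ("dave", "/hr/")}


def sensitive_area(path):
    """Return the sensitive prefix a path falls under, or None."""
    for prefix in SENSITIVE_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def review(log_text, grants):
    """Return (violations, unused_grants) for one review period."""
    used, violations = set(), []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, user, action, path = row
        area = sensitive_area(path)
        if area is None:
            continue  # logins and non-sensitive files are out of scope here
        if (user, area) in grants:
            used.add((user, area))
        else:
            violations.append(tuple(row))
    # Grants nobody exercised are candidates for removal (least privilege).
    return violations, sorted(grants - used)


if __name__ == "__main__":
    bad, unused = review(AUDIT_LOG, GRANTS)
    print("access without a grant:", bad)
    print("grants never used:", unused)
```
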
All of your important data should be encrypted, whether it’s on a file server, inside a database, or on a user’s hard drive. You should be encrypting your data both while it’s at rest and while it’s in transit (i.e., via email, over the network, or on portable media, as well as during any data migrations). Most encryption is software-based, using either passwords or public key infrastructure (PKI) certificates, as with SSH or HTTPS, but you could also use hardware-based encryption such as a TPM chip on the motherboard or a USB key that you must insert before gaining access.
Software-based password encryption will only protect your data if your passwords are secure. Your organization should be requiring long, complex passwords that are changed on a regular basis. However, these password requirements can be frustrating to users, and can frequently lead to bad practices like writing passwords down on sticky notes or only changing one character of their password on each change cycle. To combat this, you should invest in a password manager that allows your staff to save and auto-fill their passwords. In addition, multi-factor authentication can provide another layer of security by requiring a secondary device (like a cell phone or a key fob) to confirm the user’s identity before they can access sensitive data.
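A check for the "only changing one character" habit described above, as an added example that is not part of the original article: at change time it compares the new password with the current one the user has just typed, and rejects near-duplicates. The function names and the `min_distance` threshold are assumptions, and nothing here requires storing passwords in plaintext.

```python
import re


def edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def stem(password):
    """Lower-case and drop trailing digits/symbols.

    'Spring2023!' and 'spring2024?' both reduce to 'spring'.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_trivial_change(old, new, min_distance=3):
    """True when `new` is too close to `old` to count as a real change.

    min_distance is an assumed policy threshold, not a value from the article.
    """
    if stem(old) and stem(old) == stem(new):
        return True  # same base word, only the suffix was rotated
    return edit_distance(old, new) < min_distance


if __name__ == "__main__":
    # Constructed sample passwords.
    for old, new in [("Spring2023!", "Spring2024!"),
                     ("Harbor!Kettle7", "violet-Anchor-39-maple")]:
        print(old, "->", new, "rejected" if is_trivial_change(old, new) else "ok")
```
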
Data backups are absolutely critical no matter how big or small your organization is. You should be backing up all critical business assets, but especially the ones containing sensitive or important data. Having a robust backup policy in place will help ensure the security of your data even in a worst-case scenario, such as a natural disaster or ransomware attack. Your backup strategy will be determined by how much data you manage, how much storage space and other resources are available for the backups, and the regulations you must be compliant with. It’s important to note that backups are frequently targeted in cyberattacks as well, so that data should be encrypted to prevent data loss and add an extra layer of security.
All of the applications and operating systems on your network need to be up to date to ensure any security vulnerabilities are patched. For endpoint devices, the best strategy is most likely going to be allowing automatic updates on antivirus software and operating systems. On critical infrastructure, you should be thoroughly testing any patches before you implement them to ensure that your functionality isn’t impacted, and no vulnerabilities are introduced into your network.
Speaking of endpoints, it’s important to have security software installed and updated on all of the endpoints on your network, even if you have a BYOD policy and/or employees working from home. Endpoint security software protects your data from unauthorized programs and malware, including rootkits and ransomware. Protecting your endpoints will ensure that malware is unable to find an entry point into your network, keeping your infrastructure safe from breaches.
Software Supply Chain Security
In software development, “supply chain” refers to any code, binaries, or other components that go into or affect your software at any stage of development. These dependencies are frequently open source, and too often, they’re implemented without being thoroughly vetted, so there is a huge potential for an unnoticed vulnerability to be introduced. These kinds of vulnerabilities, even if they’re not intentional or malicious, are becoming common attack vectors, so you need to address them early in the development process. The most effective way to do so is with automated software supply chain scanning, such as with a SAST (static application security testing) tool.
One of the biggest threats to your data security is human error. You need to ensure your staff is trained on the proper procedures for accessing, storing, and changing sensitive data, especially if your data is subject to regulations like HIPAA or PCI. You should also educate your users on how to spot phishing attempts and other social engineering tactics, so they don’t inadvertently expose your sensitive data to malicious actors.
Fostering a Secure and Collaborative Culture
All of the technology in the world won’t protect your organization’s important data if you haven’t fostered a culture of trust and security among your people. Most security vulnerabilities occur because of human-level error, so you must approach security as an issue beyond your endpoints and infrastructure. Robust security policies and access control lists, plus comprehensive security awareness training for your staff, will go a long way toward preventing breaches.
It’s crucial to find a balance between security and trust. If your organization views its staff as potential security threats and not as valuable team members, you’ll create a toxic environment that can damage your company faster than any security breach. Instead, you need to treat operational security as a collaborative goal that your whole business is working towards together.