Into data security: the 'what', 'why' and 'how'
The shift from physical binders to digital databases has had far-reaching consequences. Nowadays the rule is: 'without data, no business operations'. To give just one example: healthcare professionals draw up entire treatment plans for patients on the basis of data, and crucial intellectual property (such as prototype designs or recipes) has been digitized. As this reliance on data grows, so does the risk of data being lost, stolen or manipulated. The likelihood of a data breach is increasing, and cybercriminals have found new revenue models in data: many organizations are willing to pay large sums to get stolen data back. And when data is unavailable for other reasons, important processes often stagnate or grind to a halt. On top of that, compliance requirements are becoming stricter: mishandle your data and you face hefty fines.
Data is the heart of today's average organization. And that's why you're now hearing the word 'data security' from all angles — in short, operationally ensuring the availability, integrity and confidentiality of data. In this blog post, we'll discuss the essentials of it!
Threat protection and data security: data protection inside and outside the door
Most organizations are busy locking their virtual doors: they protect their networks, systems and information against cyber attacks from outside, by making employees aware of their role in the line of defense and by monitoring, detecting and responding 24/7 to possible cyber incidents through which malicious parties could gain access to data. This is called threat protection. It is very wise to invest in it, but one area is often neglected: protecting the data itself.
You also want to secure the building from the inside, and that is what we call 'data security': protecting the data itself, regardless of the source or type of threat. This prevents data breaches in which data is accessed without authorization or 'seeps out', whether (accidentally) via an employee or via a cybercriminal who breaks through your threat-protection wall and takes data with them.
Compliance: 4 ways to protect your data
Data security is no longer a nice-to-have; today it is safe to call it a must. You must comply with various (international) regulations, such as PCI DSS, HIPAA, NEN7510 and the GDPR. These require you to take specific measures to protect data. If you don't, you may face fines and legal problems.
The question is: how exactly do you protect your data? Without being exhaustive, we will discuss four ways in which you can do this below.
1. Make sure your access to data is in order
Who needs access to which data, and for how long? With identity and access management you ensure that employees can only access the data they really need to do their work, and only for the period in which it is strictly necessary. This is how you limit the risks. An example: a facilities employee in a hospital normally has no need for access to patient files. If that user account is compromised, the attacker does not immediately gain access to this sensitive information.
2. Encrypt data and create backups
If a hacker encrypts, corrupts or deletes your data, a very recent off-site backup that you have actually tested restoring is what gets you running again. A backup does not help when data is stolen; that is where encryption comes in. Encrypting data at rest creates an extra barrier: stolen ciphertext is worthless to the attacker as long as the key is not stolen with it. This protection stands or falls with key management. Modern encryption is not defeated by 'codebreaking', but by keys stored next to the data they protect, or by compromised accounts that are allowed to decrypt.
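The two points above in working code, as an added example that is not part of the original post or any Wortell tooling: a record is sealed with AES-256-GCM under a key that is kept apart from the data, and a backup copy is fingerprinted at backup time and checked before restore. The record, the key handling and the function names are assumptions made for this illustration; in practice the key would come from a KMS or HSM rather than be generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under key. The random nonce is
// prepended to the ciphertext; GCM's authentication tag is appended by Seal,
// so any tampering with the stored blob is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if the key is wrong or the blob was modified.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Fingerprint returns the SHA-256 hex digest of a backup blob. Record it when
// the backup is made and compare it at restore time to catch a corrupted or swapped copy.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// VerifiedRestore checks the backup's fingerprint before decrypting it.
func VerifiedRestore(key, blob []byte, expected string) ([]byte, error) {
	if Fingerprint(blob) != expected {
		return nil, errors.New("backup fingerprint mismatch: copy is corrupt or not the one that was stored")
	}
	return Decrypt(key, blob)
}

func main() {
	// Constructed sample record standing in for a patient file (assumed format).
	record := []byte("patient=Doe,J;dob=1970-01-01;diagnosis=example")

	// Key generated here only for the demo; in practice it lives in a KMS/HSM,
	// never next to the encrypted data or the backup.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fp := Fingerprint(blob) // stored with the backup catalogue, not with the key

	// An attacker who steals the blob but not the key gets nothing.
	wrongKey := make([]byte, 32)
	if _, err := Decrypt(wrongKey, blob); err != nil {
		fmt.Println("stolen blob without the key is useless:", err)
	}

	// Restore from backup only after the integrity check passes.
	restored, err := VerifiedRestore(key, blob, fp)
	fmt.Printf("restore ok: %v, content matches: %v\n", err == nil, string(restored) == string(record))
}
```

The fingerprint guards against a backup that was silently damaged or replaced; the GCM tag guards against a blob that was altered in place. Both checks are cheap, and a restore that skips them is exactly the restore you find out about too late.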
3. Know your data and make sure you have a good classification
What data exists within your company? Where is this information stored? And have you classified your data correctly? The latter is usually done on the basis of the BIV classification (the Dutch acronym for availability, integrity and confidentiality, the CIA triad), which lets you assign data the following confidentiality labels:
- 'Public' (for example, information on your website);
- 'Internal' (information that is sensitive, but that you share with quite a lot of people internally);
- 'Confidential' (e.g. customer data or CVs containing personal data);
- 'Highly confidential' or 'secret' (including information about shareholders, intellectual property and financial data).
4. Embrace data masking
Disguising data with a 'mask'? That may sound odd, but it is a real technique. Data masking protects sensitive information in a database by replacing it with fictitious, 'masked' data that cannot be traced back to the original. The goal is data privacy, especially in non-production environments (development, test and training) where real data is not needed. If hackers get hold of such a dataset, it is of little use to them: the genuinely sensitive information is not in it.
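As an added example (not code from the original post or from Wortell), the masking step for a customer table on its way to a test environment. Names and e-mail addresses are replaced by HMAC-based pseudonyms so that the same input always masks to the same output (joins and duplicate checks in the test data keep working) while the original cannot be recovered without the secret, which stays in production. The IBAN keeps only country code and last four digits, and a low-sensitivity field is left alone so the test data stays realistic. The record layout, the field names and the secret are assumptions made for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Customer is a constructed production row with fields of different sensitivity.
type Customer struct {
	ID    int
	Name  string
	Email string
	IBAN  string
	City  string // low sensitivity: kept as-is so test data stays realistic
}

// Masker holds the secret used for deterministic pseudonymisation. The secret
// stays in production; the masked copy handed to dev/test cannot be reversed
// without it, and there is no lookup table that could leak.
type Masker struct{ secret []byte }

func NewMasker(secret []byte) *Masker { return &Masker{secret: secret} }

// pseudonym maps a value to a stable token of n hex characters: equal inputs
// give equal outputs, so masked tables still join, but the original is not recoverable.
func (m *Masker) pseudonym(value string, n int) string {
	mac := hmac.New(sha256.New, m.secret)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))[:n]
}

var emailRe = regexp.MustCompile(`^([^@]+)@(.+)$`)

// MaskEmail replaces the local part and moves the address to a reserved domain,
// so test mail can never reach a real person.
func (m *Masker) MaskEmail(email string) string {
	parts := emailRe.FindStringSubmatch(email)
	if parts == nil {
		return "invalid@example.invalid"
	}
	return "user-" + m.pseudonym(strings.ToLower(parts[1]), 8) + "@example.invalid"
}

// MaskIBAN keeps the country code and the last four characters and stars out the rest.
func MaskIBAN(iban string) string {
	iban = strings.ReplaceAll(iban, " ", "")
	if len(iban) < 8 {
		return strings.Repeat("*", len(iban))
	}
	return iban[:2] + strings.Repeat("*", len(iban)-6) + iban[len(iban)-4:]
}

// MaskName replaces the real name with a stable fictitious one.
func (m *Masker) MaskName(name string) string {
	return "Person " + strings.ToUpper(m.pseudonym(name, 6))
}

// Mask produces the row that may leave production.
func (m *Masker) Mask(c Customer) Customer {
	return Customer{
		ID:    c.ID,
		Name:  m.MaskName(c.Name),
		Email: m.MaskEmail(c.Email),
		IBAN:  MaskIBAN(c.IBAN),
		City:  c.City,
	}
}

func main() {
	m := NewMasker([]byte("production-only-secret")) // constructed; a real secret comes from a KMS
	rows := []Customer{ // constructed sample rows; the duplicate shows determinism
		{1, "Jane Doe", "Jane.Doe@example.com", "NL91 ABNA 0417 1643 00", "Utrecht"},
		{2, "Jane Doe", "jane.doe@example.com", "NL91 ABNA 0417 1643 00", "Utrecht"},
	}
	for _, r := range rows {
		fmt.Printf("%+v\n", m.Mask(r))
	}
}
```

Deterministic masking is a deliberate trade-off: it preserves referential integrity across tables, but it also means that whoever holds the secret can confirm a guess ("is this masked row Jane Doe?"). That is why the secret must never travel to the environment that receives the masked data.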
Laying a Compliance Foundation... then what?
How do you implement these kinds of measures in a streamlined way? Good data security starts with a solid policy: a data security policy in which you record everything. Think of the 'who', 'when', 'how long' and 'why'. But also the data encryption method, the data categories and your approach to data retention, data leaks and (data) security awareness.
This is followed by operationalising these parts, among other things by implementing the measures described above. Another measure that comes into play here is data loss prevention (DLP): the 'fences' you put up so that employees cannot easily share data. For example, you configure that an employee cannot share a document labelled 'confidential', or not without an extra step. Or you get a signal in the event of unusual behaviour (for example: an employee who leaves in two weeks' time suddenly downloads a huge amount of data).
Once you've set all these things up, it's time to look at management. How do you keep your policy up to date? How do you follow up on deviations from it? Sometimes a threat has to be contained or a risk mitigated. But it also happens that you have to adjust your policy slightly. Say HR regularly shares resumes with other departments, and the system keeps asking HR staff, "Are you sure you want to share this document?" Such a reminder becomes tiresome and hinders efficiency. Because this is legitimate, routine behaviour, you can tune your policy for this case.
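The two DLP rules from the preceding paragraphs, and the HR tuning, as one small rule engine run over constructed events. This is an added example, not code from the original post or from Wortell's service. The event and employee fields, the label names, the two-week window and the '10x baseline' threshold are assumptions made for this illustration; a real DLP product would learn the baseline and take the leaving date from the HR system.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is a constructed record of the kind a DLP sensor emits for a share
// or a download; the field set is an assumption for this example.
type Event struct {
	Time     time.Time
	User     string
	Action   string // "share" or "download"
	Label    string // classification label on the document
	External bool   // for shares: recipient is outside the organisation
	Bytes    int64  // for downloads: size of the download
}

// Employee is the HR context the rules consult.
type Employee struct {
	LeaveDate     time.Time // zero value if no notice has been given
	DailyBaseline int64     // typical bytes downloaded per day (assumed to be learned elsewhere)
}

// Finding is what the rule engine hands to the analyst or the enforcement point.
type Finding struct {
	User     string
	Severity string // "block", "alert" or "alert-high"
	Reason   string
}

const (
	leaverWindow = 14 * 24 * time.Hour // "leaves employment in two weeks' time"
	spikeFactor  = 10                  // a day of downloads above 10x baseline counts as unusual
)

// checkShare is the 'fence': what may leave the organisation depends on the label.
// Internal shares of 'confidential' documents are allowed, which is the tuning
// the post describes for HR sharing resumes with other departments.
func checkShare(ev Event) (Finding, bool) {
	switch ev.Label {
	case "highly confidential":
		return Finding{ev.User, "block", "highly confidential document shared"}, true
	case "confidential":
		if ev.External {
			return Finding{ev.User, "block", "confidential document shared with external recipient"}, true
		}
	}
	return Finding{}, false
}

// Evaluate applies the share rule per event and the download-volume rule per
// user per day. Share findings come first, then volume findings sorted by user and day.
func Evaluate(events []Event, staff map[string]Employee) []Finding {
	var out []Finding
	daily := map[string]int64{} // "user|YYYY-MM-DD" -> bytes downloaded that day
	for _, ev := range events {
		switch ev.Action {
		case "share":
			if f, ok := checkShare(ev); ok {
				out = append(out, f)
			}
		case "download":
			daily[ev.User+"|"+ev.Time.UTC().Format("2006-01-02")] += ev.Bytes
		}
	}
	keys := make([]string, 0, len(daily))
	for k := range daily {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		parts := strings.SplitN(k, "|", 2)
		user, day := parts[0], parts[1]
		emp := staff[user]
		total := daily[k]
		if emp.DailyBaseline <= 0 || total <= spikeFactor*emp.DailyBaseline {
			continue // no baseline to compare against, or within the normal range
		}
		sev := "alert"
		reason := fmt.Sprintf("%d bytes downloaded on %s (%dx daily baseline)", total, day, total/emp.DailyBaseline)
		if !emp.LeaveDate.IsZero() {
			dayStart, _ := time.Parse("2006-01-02", day)
			if until := emp.LeaveDate.Sub(dayStart); until >= 0 && until <= leaverWindow {
				sev = "alert-high" // a large download by someone about to leave is the case the post singles out
				reason += fmt.Sprintf(", leaving in %d days", int(until.Hours()/24))
			}
		}
		out = append(out, Finding{user, sev, reason})
	}
	return out
}

func main() {
	day := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	staff := map[string]Employee{ // constructed HR data
		"hr.anna": {DailyBaseline: 50 << 20},
		"dev.bob": {LeaveDate: day.Add(10 * 24 * time.Hour), DailyBaseline: 50 << 20},
	}
	events := []Event{ // constructed sensor events
		{day, "hr.anna", "share", "confidential", false, 0},                         // resume to another department: allowed
		{day, "hr.anna", "share", "confidential", true, 0},                          // same document to an outside address: blocked
		{day, "dev.bob", "download", "internal", false, 3 << 30},                    // 3 GiB
		{day.Add(time.Hour), "dev.bob", "download", "confidential", false, 2 << 30}, // another 2 GiB, same day
	}
	for _, f := range Evaluate(events, staff) {
		fmt.Printf("%-10s %-8s %s\n", f.Severity, f.User, f.Reason)
	}
}
```

Aggregating downloads per day rather than judging each event on its own is what makes the second rule useful: an attacker, or a departing employee, rarely takes everything in one file.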
But before you draw conclusions, you must first interpret and analyze the reports that your data security measures produce. That takes time and a good dose of expertise. Wortell takes this comprehensive task off your hands through Managed eXtended Detection and Response. As part of this service, we also provide threat protection. In short, we help you 24/7 to fend off external attacks and mitigate internal risks. This is how you build a rock-solid 'data security fortress' that minimizes today's dangers!
'Managed data security', please! But where do you start?
Managed data security (MDS) means that you build and configure data security, but also that you follow up on deviations from your policy. Basically, it includes monitoring, visualizing, detecting, analyzing, and optimizing. The question is: where do you start?
A good starting point is often an assessment to identify your data and risks. Do you need help with that? Follow a data security workshop or contact Wortell.