With an expanding cyber attack surface, frequent supply chain attacks, and a shift to the cloud, data security is more important than ever. The global average cost of a data breach reached an all-time high of $4.45 million in 2023 according to the 2023 Cost of a Data Breach Report by IBM Security.
In this article, you’ll discover the main principles of data security and learn 10 data security best practices that apply to most industries. Some of these data protection methods are also required by data security laws and regulations.
Data threats and benefits of maintaining data security
Below, we overview the data security field, highlight the key benefits of robust data security systems, identify the types of data that require protection, and outline the critical threats organizations face. Let’s dive in.
What is data security?
Data security is a combination of processes and tools that aim to protect an organization’s sensitive assets. Valuable data must be protected both at rest and in transit. Other vectors of data security that security officers should consider are safe data creation and use.
Efficient data security measures involve implementing real-time monitoring and quickly reacting to any suspicious events to make your data resilient to fraudulent activity.
Why does data security matter so much that authorities and regulators constantly create new data security requirements?
Main benefits of robust data security
Let’s take a look at the key benefits of high-level data security in your organization:
1. Safeguard information — Knowing that your information is protected from both internal and external threats can give you peace of mind. Thus, you’ll have more time to concentrate on your business strategies rather than worrying about data leaks.
2. Strengthen your reputation — Organizations and businesses that are looking for long-term cooperation always pay close attention to the reputation of their potential partners. Applying reliable data protection practices also inspires your customers’ trust.
3. Comply with data security requirements — Implementing proper security measures can ensure compliance with data security requirements. This will help your organization avoid extensive fines due to non-compliance.
4. Reduce litigation expenses — Preventing an incident from happening is always more cost-efficient than dealing with its consequences. The more time and effort you spend on data security, the less money you’ll spend on containing and recovering from a potential incident.
5. Enhance business continuity — Robust data security practices contribute to uninterrupted operations, reducing the risk of business disruptions and, consequently, revenue loss.
Which data needs protection?
To understand which data is at risk, let’s first take a look at the types of data most commonly stolen:
Your organization’s sensitive data must be guarded according to relevant laws and regulations in your industry and jurisdiction.
In the table below, you can see some of the most commonly breached types of sensitive data and the laws, standards, and regulations that govern their protection:
|IT compliance requirements for three important types of data|
|Data category||Relevant laws, standards, and regulations|
|Financial data||Payment Card Industry Data Security Standard (PCI DSS), SWIFT Customer Security Programme (CSP), Sarbanes–Oxley (SOX) Act, Gramm-Leach-Bliley Act (GLBA), System and Organization Controls (SOC) 2|
|Personal data||General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act of 2020 (CPRA)|
|Protected Health Information (PHI)||Health Insurance Portability and Accountability Act (HIPAA)|
Key threats to corporate data
No system is 100% immune to misconfiguration, insider threats, and cyber attacks. An organization’s sensitive data can get lost, damaged, or obtained by the wrong people.
Here are the key threats an organization’s data or systems may face:
In this article, we focus on internal human threats, as even many external cyber attacks are possible only due to employees’ actions — 74% of all data breaches include a human element according to the 2023 Data Breach Investigations Report by Verizon.
To understand how data is compromised, let’s recall a few examples of data breaches caused by insiders:
- Human error and negligence — A legitimate user can make various errors due to negligence, lack of attention, fatigue, and other human factors in cybersecurity.
In spring 2021, an employee of the Dallas Police Department accidentally deleted more than eight million files. This data was crucial for more than 17,000 violence cases. The erased information included 23 terabytes of audio, video, photos, and case notes.
- Malicious insiders — Internal users may intentionally steal, damage, or destroy an organization’s data for their own benefit.
In January 2021, four lawyers of the Pennsylvanian law firm Elliott Greenleaf stole a large number of their company’s files. After four months of thorough planning, data was moved to their cloud accounts. Stolen data contained the firm’s work products, records, correspondence, pleadings, and client base.
- Privilege misuse — Users with elevated privileges can engage in various types of sensitive data misuse or improper data handling.
In April 2021, a sales executive from Proofpoint uploaded corporate data to his USB thumb drive and allegedly transferred stolen data to the company’s competitor, Abnormal Security. This data included important trade information and competition strategies.
- Third-party threats — Data security threats can come from partners, vendors, and subcontractors with access to your organization’s sensitive data. Third parties can also become intermediaries for outside attackers, as in some supply chain attacks.
In May 2021, one terabyte of Saudi Aramco’s data was leaked because of an affected third-party vendor. The attackers demanded a $50 million ransom in exchange for the stolen data.
All of the threats described above may jeopardize your sensitive data and disrupt your business operations:
However, if you notice and respond to a data security threat in a timely manner, you can efficiently mitigate its consequences.
How can you secure your organization’s sensitive data?
To answer this question, let’s take a look at key methods of protecting data. According to Gartner, the four main methods of securing data are:
1. Encryption — prevents unauthorized parties from reading your data.
2. Masking — suppresses or anonymizes high-value data by replacing sensitive information with random characters. You can also substitute data with a low-value representative token; this method is called tokenization.
3. Data erasure — involves cleaning your repository of data that is no longer used or active.
4. Data resilience — involves full, differential, and incremental backups of your critical data. Storing your valuable data in different locations helps to make it recoverable and resilient to different cybersecurity threats.
Now, it’s time to examine the fundamental principles behind strong data security.
Core data security principles and controls
Confidentiality, integrity, and availability form the CIA triad, which is vital to ensuring strong data protection:
- Confidentiality — Data is protected from unauthorized access.
- Integrity — Data is reliable and correct, and sensitive information is guarded against illegitimate changes.
- Availability — Data is easy to access for all legitimate users.
To adhere to these three principles, organizations need practical mechanisms called data security controls. These are countermeasures for preventing, detecting, and responding to security risks threatening your valuable assets.
Our 10 data security best practices below cover these controls as well as major compliance requirements of data security standards, laws, and regulations.
Top 10 data security best practices for your organization
While different businesses, regions, and industries may require different data protection practices, we have selected the best practices that will suit most organizations. If you’re wondering how to ensure data security for your organization, follow these top 10 data protection best practices.
Now, let’s talk about each of these data protection techniques in detail.
Consider reviewing your data before implementing security measures:
First, assess the sensitivity of your data. There are three data sensitivity levels:
- Low sensitivity data — Safe to be seen or used by the public, such as general information published on websites.
- Medium sensitivity data — Can be shared inside the organization but not with the public. In case of a data leak, there will be no catastrophic consequences.
- Highly sensitive data — Can only be shared with a limited circle of insiders. If compromised or destroyed, it can have a catastrophic impact on the organization.
Check your data visibility levels. Do you always have the possibility to see or review all actions connected to your sensitive data? If not, pay more attention to practices 6, 8, and 10.
Adhering to these practices can help you to prioritize and concentrate on the information that is most critical to protect.
The second task is to organize all your cybersecurity mechanisms, activities, and controls to form a working strategy. Make your organization’s human and technical resources effectively support your data security efforts by implementing a data security policy:
Create rules governing your organization’s sensitive data for your data usage policy. It should contain guidelines for employees, stakeholders, and third parties when handling data.
Implement a risk-based approach to data. Assess all risks connected to the use of data in your organization along with data weak points. Then, concentrate on the highest risks first.
Regular database audits help you understand the current situation and set clear goals for further data defense. They allow you to track all user actions and see detailed metadata at any time.
Apply a proper patch management strategy. This is a list of steps and rules to patch vulnerabilities inside your corporate environment or just in code. Conduct patches regularly and document all actions accordingly.
Terminate employees thoroughly, from monitoring and recording employees’ activities and operations with critical assets to fully revoking access rights.
Also, consider appointing a data protection officer (DPO) who will:
- Control compliance with data security requirements
- Give advice on data protection measures
- Handle security-related complaints among staff, providers, and customers
- Deal with security failures
An incident response plan sets out actions to handle cybersecurity incidents and mitigate their consequences in a timely manner. You can refer to HIPAA, NIST 800-53, PCI DSS, and other standards, laws, and regulations that set incident response requirements.don’t forget to:
- Define security incidents, their variations, and the severity of their consequences for your organization
- Choose people who will be in charge of handling an incident
- Conduct a security audit, improve your plan based on previous incidents, and make an extended list of incidents your organization may face
- Create a communication plan and a list of authorities you should inform in case of an incident
Also, create a data recovery plan to make sure your data and systems can be quickly restored after a possible incident.
Before enforcing other data protection practices, ensure that data is stored securely at all levels:
Carefully store physical media containing your data. It’s important to use waterproof and fireproof storage media. In addition, guard your data with deadbolted steel doors and security guards.
Furthermore, pay special attention to how you secure your data with the help of modern technologies. We’ve already talked about backups, encryption, masking, and confirmed erasure as the four main data security methods to store your files safely.
Consider deploying USB device management tools to secure all data stored on devices. Secure information on mobile devices and data shared via removable storage devices. Don’t forget about solutions that enable visibility and notifications on suspicious activity on devices that contain sensitive data.
Thoroughly protect data access as your starting point:
Physical access controls protect access to data servers through locking and recycling of databases, video surveillance, various types of alarm systems, and network segregation. They should also ensure secure access from connections with mobile devices and laptops to servers, computers, and other assets.
Control all of your data access points and enable efficient identity management with biometrics and multi-factor authentication. Password management helps you create and rotate passwords automatically and increase the security of your entrance points.
You can also reduce insider risks by adopting the principle of least privilege or just-in-time privileged access management (JIT PAM), which gives privileged access to users that really need it for a specific task and for a limited time.
Don’t forget to secure access to your most critical data from any device and endpoint. The continuing trend of remote work and hybrid work models is leading to increasing demand for secure access management solutions.
Consider enhancing your organization’s visibility with user activity monitoring (UAM) solutions. Full real-time monitoring of all employees with access to sensitive information may also include:
The ability to view any user session related to your sensitive data at any time and receive alerts on abnormal user activity can help you secure interactions with your critical assets. This way, you will have a much greater chance of avoiding a costly data breach.
It’s crucial to monitor the actions of third-party users inside your IT infrastructure. Third parties may include partners, subcontractors, vendors, suppliers, and any other external users with access to your critical systems. Even if you trust third parties, there’s a chance their systems are vulnerable to hacking and supply chain attacks.
In addition to monitoring third-party vendors’ sessions on-premises and in the cloud:
- Make sure you clearly understand what your third-party landscape looks like, and define workers who control and process your data
- Sign a service-level agreement (SLA) with third-party service providers
- Ask for regular accountability to be sure data security standards are maintained
- Work with your vendors on improving your mutual security
Keep in mind that privileged users have elevated rights to access and alter your organization’s sensitive data. Privileged account and session management (PASM) functionality serves to fully control access to as well as monitor, record, and audit sessions of privileged accounts.
Consider implementing five core PASM features:
It’s important to educate your employees on how to securely handle your corporate assets and how to recognize malware and social engineering attempts.
Don’t forget to provide new training to give up-to-date information about the latest data threat landscape. Also, consider creating introductory training for new employees. It’s vital to educate your staff and trainees regularly.
According to the people-centric approach to data security, employees play a major role in your threat mitigation process. Knowledge can significantly reduce people-related data leaks and make security measures more obvious for your employees.
Look into deploying a specialized data protection solution to control the security of your sensitive data. When implementing security software, give preference to solutions with the following capabilities:
- User activity monitoring
- Automated access management
- Notifications on security events
- Auditing and reporting
- Password management
Moreover, you might need to ensure the visibility of various types of devices and endpoints from one place. Deploying too many different tools and solutions isn’t always effective, as it can slow down your IT and security management processes, increase your expenses, and complicate maintenance.
That’s why we recommend you choose an all-in-one solution like Ekran System. Read on to find out how Ekran System can help your organization enhance data security.
Securing data with Ekran System
Ekran System is a full-cycle insider risk management platform that can help you protect your data in accordance with requirements established by the GDPR, HIPAA, NISPOM, NERC, SOC 2, and other standards, laws, and regulations.
You can implement the required technical data security controls by deploying Ekran System. Our platform has the capabilities to help you protect data from insider threats and follow the data security best practices described above:
- Privileged access management (PAM) — manage user access rights, passwords, and sessions of privileged users and regular employees
- Identity management — implement two-factor and secondary authentication to secure user accounts and ensure user accountability
- User activity monitoring (UAM) — get complete real-time visibility into user actions with your data
- Incident response to suspicious events — detect and contain security threats with the help of customizable user activity alerts and incident response capabilities
- User and entity behavior analytics (UEBA) — automatically detect anomalous user behavior with Ekran System’s AI-powered UEBA module
- Cybersecurity incident investigation — conduct audits and generate reports on user activity related to your sensitive information on all data security vectors, and even in the case of incidents
These features of Ekran System allow you to deter, detect, and disrupt insider threats to your corporate data and provide all necessary details during a forensic or internal inquiry.
See why Ekran System is a worthy alternative for Proofpoint and other ITM products in our blog post:
Data security aims to protect data during its creation, storage, management, and transfer. Insiders can pose risks to your organization’s data by violating security rules on purpose, mishandling data, or having their accounts compromised.
Consider implementing the best practices described in this article for optimal data security. Deploying Ekran System is a practical way to enhance the protection of your data against people-related threats and comply with industry requirements.
Request a free 30-day trial of Ekran System
and test its capabilities in your IT infrastructure!