With 1,862 instances of data compromise, 2021 broke all records for the past seven years — in other words, since the Identity Theft Resource Center. This is almost 70% more instances than were reported in 2020.
In this article, you’ll find out about the ten most important data security practices that apply across all of the largest industries. These IT security best practices are also recommended by data security laws and regulations. Read how to effectively implement data security best practices with Ekran System.
Data threats and data security benefits
What is data security?
Data security is a combination of processes and tools that aim to protect an organization’s sensitive assets. Valuable data must be protected both at rest and in transit. Other vectors of data security that data officers should consider are safe data creation and proper data use.
Ensuring proper data security also requires implementing real-time monitoring and quickly reacting to any suspicious events to make your data resilient to fraudulent activity. Find out which data you need to keep safe in the next section.
So, why does data security matter so much that authorities and regulators even create new rules?
The main benefits of robust data security
Let’s take a look at key benefits that ensuring a high level of data security can bring to your organization:
1. Safeguard information — Knowing that your information is safe and fenced off both from internal and external threats can give you peace of mind and confidence. Thus, it’s easier to concentrate on your business strategies.
2. Strengthen your reputation — Organizations and businesses that look for long-term cooperation always pay close attention to the reputation of their potential partners. Implementing reliable data protection principles improves an organization’s reputation and inspires trust.
3. Comply with data security requirements — All of your organization’s confidential data should be protected according to relevant IT security standards and regulations. Ensuring proper compliance with data security requirements protects your organization from extensive fines and loss of customer trust.
4. Reduce litigation expenses — Preventing an incident from happening is always more cost-efficient than dealing with its consequences. You can reduce forensic expenses by implementing a comprehensive security platform with automated forensic export of monitoring results.
Which data needs protection?
To understand which data is usually at risk in real life, let’s first take a look at the types of data most commonly stolen:
Your organization’s sensitive data must be guarded according to relevant laws and regulations in your industry and jurisdiction.
In Table 1, you can see some of the most commonly breached types of sensitive data and the laws, standards, and regulations that govern their protection:
|IT compliance requirements for three important types of data|
|Data category||Relevant laws, standards, and regulations|
|Financial data||PCI DSS, SWIFT, SOX, GLBA, SOC 2|
|Personal data||GDPR, CCPA, CPRA|
|Protected Health Information (PHI)||HIPAA|
Key threats to corporate data
No system is 100% immune to misconfiguration, insider threats, and deliberate attacks. An organization’s sensitive data can get lost, damaged, or obtained by the wrong people.
Here are the key threats an organization’s data or systems may face:
In this article, we focus on internal human threats and ways to mitigate them.
To understand how data is compromised, let’s recall recent examples of data breaches caused by insiders:
- Human error and negligence — A legitimate user can make various errors due to negligence, lack of attention, or fatigue.
In spring 2021, an employee of the Dallas Police Department accidentally deleted more than eight million files. This data was crucial for more than 17,000 violence cases. The erased information included 23 terabytes of audio, video, photos, and case notes.
- Malicious insiders — Internal users may intentionally steal, damage, or destroy an organization’s data for their own benefit.
In January 2021, four lawyers of the Pennsylvanian law firm Elliott Greenleaf stole a large number of their company’s files. After four months of thorough planning, data was moved to their cloud accounts. Stolen data contained the firm’s work products, records, correspondence, pleadings, and client base.
- Privilege misuse — Users with elevated privileges can engage in various types of sensitive data misuse or improper data handling.
In April 2021, a sales executive from Proofpoint uploaded corporate data to his USB thumb drive and allegedly transferred stolen data to the company’s competitor, Abnormal Security. This data included important trade information and competition strategies.
- Third-party threats — Data security threats can come from partners, vendors, and subcontractors with access to the organization’s sensitive data. Third parties can also become intermediaries for outside attackers.
In May 2021, one terabyte of Saudi Aramco’s data was leaked because of their affected third-party vendor. The attackers demanded a $50 million ransom in exchange for the stolen data.
All of the threats described above may disrupt your business operations:
However, if you notice and respond to a data security threat in a timely manner, you can efficiently mitigate its consequences.
How to protect your sensitive data?
So, how can you obtain all the benefits of having your data safe?
For answering that question, let’s take a look at key methods to protect data. According to Gartner, the four main methods of data security are:
1. Encryption — prevents unauthorized parties from reading your data.
2. Masking — suppresses or anonymizes high-value data by replacing sensitive information with random characters. You can also substitute data with a low-value representative token; this method is called tokenization.
3. Data erasure — involves cleaning your repository in case stored data is no longer used or active.
4. Data resilience — involves full, differential, and incremental backups of your critical data. Storing your valuable data in different locations helps to make it recoverable and resilient to different cybersecurity threats.
Now, it’s time to examine the fundamental principles behind strong data security.
Core data security principles and controls
Confidentiality, integrity, and availability form the CIA triad, which is the key to ensuring strong data protection:
- Confidentiality — Data is protected from unauthorized access.
- Integrity — Data is reliable and correct, and critical information is guarded against illegitimate changes.
- Availability — Data is easy to access for all legitimate users.
To adhere to these three principles, organizations need practical mechanisms — called data security controls — which we can divide into three types. Data security controls are countermeasures for preventing, detecting, and responding to security risks threatening your valuable assets.
- Administrative controls — Guidelines, procedures, policies, and so on for achieving an organization’s security goals
- Physical controls — Built or set physical restrictions that ensure data security, such as locks, boxes, fences, and cards
- Technical or logical controls — Automated software tools for protecting digital data from possible security risks
These types of data security controls shape efficient data security practices. In our ten best data security practices below, we also summarize the main compliance requirements in various regions and industries.
Top 10 data security best practices for your organization
While different businesses, regions, and industries may require different data protection practices, we have selected practices that will be appropriate for most organizations. To help you keep your organization’s sensitive data safe and sound, follow these top ten data protection best practices.
Now, let’s talk about each of these data security best practices in detail.
Review your data before you start implementing security measures:
First, assess the sensitivity of your data. There are three data sensitivity levels:
- Low sensitivity data — Safe to be seen or used by the public, such as general information published on websites.
- Medium sensitivity data — Can be shared inside the organization but not with the public. In case of a data leak, there will be no catastrophic consequences.
- Highly sensitive data — Can only be shared with a limited circle of insiders. If compromised or destroyed, it can have a catastrophic impact on the organization.
Check your data visibility levels — do you always have the possibility to see or review all actions connected to your sensitive data? If not, pay more attention to practices 6, 8, and 10.
Completing all these tasks can help you to prioritize the information that has to be protected first and concentrate on its protection using the next practices below in this article.
The second task is to organize all your cybersecurity mechanisms, activities, and controls to form a working strategy. Make your organization’s human and technical resources effectively support your data security efforts:
Write down rules governing your company’s sensitive data for your data usage policy. It should contain rules and steps for employees, stakeholders, and third parties when handling data.
Implement a risk-based approach to data. Assess all risks connected to the use of data in your organization along with data weak points. Then, concentrate on the high risks first.
Regular database audits help you understand the current situation and set clear goals for further data defense. They allow you to track all user actions and see detailed metadata at any time.
Apply a proper patch management strategy. This is a list of steps and rules to patch vulnerabilities inside your corporate environment or just in code. Conduct patches regularly and document all actions accordingly.
Terminate employees thoroughly, from monitoring and recording employees' latest activities and operations with critical assets to fully revoking access rights.
Also, it would be wise to appoint a data protection officer who will:
- Control data security compliance
- Give advice on data protection rules
- Handle security-related complaints among staff, providers, and customers
- Deal with security failures
An incident response plan sets out actions to handle a cybersecurity incident (data leak, hack, or breach) and mitigate the consequences in a timely manner. HIPAA, NIST, PCI DSS, and other laws, standards, and organizations describe incident response requirements. While planning your incident response, don’t forget to:
- Define a security incident, its variations, and the severity of its consequences for your organization
- Choose people who will be in charge of handling the incident
- Conduct a security audit, improve your plan based on previous incidents, and make an extended list of cases your organization may face
- Create a strict communication plan and a list of authorities you should inform in case of an incident
Also, create a data recovery plan to make sure your data and systems can be quickly restored after any possible incident.
Before enforcing other data protection practices, ensure that data is stored securely at all levels:
Carefully store physical media containing your data. It’s important to use waterproof and fireproof storage media. In addition, guard your data with deadbolted steel doors and security guards.
Furthermore, pay special attention to how you secure your data with the help of modern technologies. We’ve already talked about backups, encryption, masking, and confirmed erasure as the four main data security methods to store your files safely.
Implement device management to secure all data stored on devices. If devices are stolen, use remote wiping functionality immediately. Secure information on mobile devices and data shared via removable storage devices. Don’t forget about solutions that enable constant visibility and notifications of strange activity on devices that contain or can access sensitive data.
Thoroughly protect data access as your starting point:
Physical access controls protect access to data servers through locking and recycling of databases, video surveillance, various types of alarm systems, and network segregation. They should also ensure secure access from connections with mobile devices and laptops to servers, computers, and other assets.
Control all of your data access points and enable identity management with biometrics (iris scans, fingerprints, handwriting recognition) and multi-factor authentication. Password management helps you create and rotate passwords automatically and increase the security of your entrance points.
Mitigate insider threats by adopting the principle of least privilege or just-in-time privileged access management (JIT PAM). When choosing this approach, give privileged access to users or accounts who really need it in a specific situation and for a limited time.
Don’t forget to secure access to your most critical data from any device and any endpoint. The continuing shift towards remote work and a bring your own device (BYOD) approach is creating new demand for secure access solutions. Also, use a VPN when connecting remote devices to your servers.
Enhance your organization’s visibility with comprehensive user activity monitoring functionality. Full real-time monitoring of all of your employees who have temporary or constant access to servers with sensitive information should also include:
When you have the ability to view any user session related to your sensitive data at any time as well as receive alerts on every abnormal movement, you secure interactions with your critical assets. This way, you also have a much greater chance of avoiding a costly data breach.
It’s always advisable to monitor third parties’ actions towards all your critical systems. Even if you trust your contractors, there’s a chance their systems are vulnerable to hackers.
In addition to monitoring third-party vendors’ sessions on-premises and in the cloud,
- Make sure you clearly understand what your third-party landscape looks like, and define workers who control and process your data
- Sign a service-level agreement
- Ask for regular accountability to be sure data security standards are maintained
Closely monitor privileged users, as they have elevated rights to access and alter your organization’s sensitive data. Privileged account and session management (PASM) functionality serves to fully control access to as well as monitor, record, and audit sessions of privileged accounts.
Implement five core features of PASM:
Educate your employees on how to securely handle your corporate assets and how to recognize malware and social engineering attempts.
Don’t forget to provide new training to give up-to-date information about the data threat landscape and to create classes for new employees. Educate your staff and trainees regularly.
According to the people-centric approach to data security, people should play a major role in your threat mitigation process. Knowledge can significantly reduce people-connected data leaks and make security measures more obvious for your workers.
Set up an integrated data protection solution for technically controlling the security of data. When you implement a single yet robust piece of security software, you can ensure the security of important assets by means of:
- Automated access control
- Password management
Moreover, you might need to ensure the visibility of various types of devices and endpoints from one place. Deploying too many different tools and solutions isn’t always effective, as it can slow down your IT and security management processes, increase your expenses, and complicate data protection.
Implementing data security best practices with Ekran System
Ekran System is a full-cycle insider risk management platform that helps you protect your data in accordance with requirements established by the GDPR, HIPAA, NISPOM, NERC, and other regulations, laws, and entities.
You can implement technical data security controls by deploying Ekran System. Our platform has the capabilities required to implement the ten best practices for data security described above:
- Privileged access management — enables management of user access rights, passwords, entrance points, and sessions of high-level employees
- User monitoring — ensures full visibility in one place of all workers’ activity from any device and endpoint
- Incident response to suspicious events — provides effective incident notifications and response tools after you’ve created a written incident response plan
- Identity management — implements multi-factor and secondary authentication to secure your valuable systems and servers from insider threats
- Cybersecurity incident investigation — enables auditing and reporting on activity within your databases and all activity related to your sensitive information on all data security vectors and even in the case of incidents
These features of Ekran System allow you to deter, detect, and disrupt insider threats to your corporate data and see all necessary details during a forensic or internal inquiry.
The aim of data security is to protect your organization’s sensitive and critical data during its creation, storage, management, and transfer. Nowadays, insiders can pose threats to your data by violating security rules on purpose, mishandling data, or just having their accounts compromised.
Deploying Ekran System is a practical solution to enhance your technical data security and comply with industry requirements. You can efficiently secure work with your critical assets using our solution.
Stop data mishandling or theft with the help of constant session monitoring, granular PAM, and timely notifications. Start a 30-day trial to see how you can mitigate data threats with the Ekran System platform.