As governments across the globe introduce new or stronger data privacy regulations, organizations must have the tools in place to demonstrate their compliance to the relevant supervisory authorities.
For various reasons, including the growth of cloud services and the number of employees working remotely, IT environments have become increasingly distributed, and this has changed the way we think about data security.
As the traditional castle-and-moat approach to safeguarding critical assets becomes less relevant, the focus has shifted to a data-centric approach built around people and the way they interact with data.
What is data security
Data security is the set of tools, processes and practices used to protect data, and the IT environment that holds it, from unauthorized access, modification, destruction and loss. An effective data security strategy combines many procedures and technologies designed to protect files, databases, accounts, applications, servers and so on. A data security program should be driven by which assets are the most sensitive and which are most at risk of compromise, so that the strongest controls go where they matter most.
Why is data security important
Companies have an ethical obligation to protect the sensitive data they are entrusted with, but for most of them the strongest incentive to implement a comprehensive data security strategy is the cost of a breach. A serious, well-publicized breach damages reputation, which in turn costs business. On top of this, the company may face lawsuits or regulatory fines, and it will incur recovery and remediation costs. In some cases, such as a Business Email Compromise (BEC) attack, it may even hand large sums of money directly to the attacker. Below are some of the biggest risks associated with poor data security.
Costly fines and litigation: As mentioned above, a company that suffers a serious data breach may face costly fines and lawsuits. Customers affected by the breach may take legal action, and regulators may levy large fines for non-compliance.
Reputational damage: Any publicly disclosed data breach will damage a company's reputation. While some customers may not care much about the incident, many will lose confidence in the company's ability to safeguard the data they have entrusted to it.
Loss of business: Poor data security leads to lost business in several ways. If a company falls victim to a ransomware attack, its systems may be unavailable for days, halting sales and leaving staff unable to work, and then there are the remediation costs. As mentioned above, reputational damage can drive customers away. And money spent on fines and legal fees is money that cannot be reinvested in the business.
Data security best practices
Discover and classify your critical data
An effective data security strategy starts with a risk assessment, which establishes what data the organization stores, where it is located, who can access it, and the likelihood and impact of a breach. Carrying out such an assessment by hand is difficult when large amounts of unstructured data are spread across many repositories. Data classification software scans your repositories, both on-premises and in the cloud, and automatically tags sensitive data as it is found; it can also classify data at the point of creation or modification. Once you know exactly what sensitive data you hold, where it lives and who has access to it, you can decide which data is most at risk and apply the appropriate controls.
Restrict access to sensitive data
All companies, large or small, should enforce the Principle of Least Privilege (PoLP): each user, account and process is granted only the permissions it needs to do its job, and access to sensitive data is granted only when there is a demonstrated need. Because permissions accumulate over time as people change roles ("privilege creep"), companies need a process for reviewing access periodically and revoking it when it is no longer required. Enforcing PoLP reduces the attack surface by ensuring that only a small number of accounts can reach sensitive data, limits how far malware or a compromised account can spread, simplifies audits and helps meet the requirements of the relevant data privacy laws.
Use data encryption
Although it is an obvious answer to many data security problems, encrypting sensitive data, both at rest and in transit, is frequently overlooked. There are numerous encryption tools on the market, including various open source solutions. Microsoft Windows ships with two: Encrypting File System (EFS), which encrypts individual files and folders, and BitLocker, which encrypts entire drives and so offers better protection if a device is lost or stolen. Two caveats apply. EFS keys are tied to the user's profile, so unless a Data Recovery Agent is configured, a lost profile or an administrative password reset can make the files unrecoverable. BitLocker only protects data while the volume is locked; once the machine has booted and the drive is unlocked, anyone who can log on or compromise the running system can read the data, so it complements rather than replaces access control, and the recovery keys must be escrowed somewhere safe (for example in Active Directory). A related technique is data masking, in which sensitive values are replaced with realistic but fictitious ones (for instance, showing only the last four digits of a card number) so that copies used for testing, analytics or support do not expose the real data, while the original remains viewable only by authorized users.
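The following PowerShell script is an added example (it is not Lepide's code and not taken from Microsoft's documentation) showing how a practitioner would verify that the BitLocker and EFS protections described above are actually in force on an endpoint: it reports each volume's encryption and protection state, flags volumes with no recovery password, escrows recovery passwords to Active Directory as a dry run, and lists EFS-encrypted files. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), local administrator rights, and a domain-joined machine for the AD escrow.

```powershell
# Added example, not Lepide's code: audit the encryption state of every
# volume on a Windows endpoint and escrow BitLocker recovery passwords to
# Active Directory. Requires the BitLocker module and local admin rights.

$Report = foreach ($v in Get-BitLockerVolume) {
    $Protectors = @($v.KeyProtector)
    [pscustomobject]@{
        Volume            = $v.MountPoint
        # FullyEncrypted / FullyDecrypted / EncryptionInProgress / ...
        VolumeStatus      = $v.VolumeStatus
        # 'On' means the keys are sealed; 'Off' means the volume is readable
        # without authentication even if it is encrypted (for example after a
        # Suspend-BitLocker for a firmware update that was never resumed).
        ProtectionStatus  = $v.ProtectionStatus
        EncryptionMethod  = $v.EncryptionMethod
        TpmProtector      = [bool]($Protectors | Where-Object KeyProtectorType -like 'Tpm*')
        RecoveryPasswords = @($Protectors | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
    }
}
$Report | Format-Table -AutoSize

# Anything here is a finding: an unencrypted volume, a suspended one, or an
# encrypted volume with no recovery password (lose the TPM, lose the data).
$Findings = $Report | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or
    $_.ProtectionStatus -ne 'On' -or
    $_.RecoveryPasswords -eq 0
}
if ($Findings) {
    Write-Warning 'Volumes needing attention:'
    $Findings | Format-Table -AutoSize
}

# Escrow every recovery password to the computer object in AD so a forgotten
# PIN or a replaced motherboard does not turn into data loss. Remove -WhatIf
# to actually perform the backup.
foreach ($v in Get-BitLockerVolume | Where-Object VolumeStatus -eq 'FullyEncrypted') {
    foreach ($kp in @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $kp.KeyProtectorId -WhatIf
    }
}

# EFS: list (without modifying) every EFS-encrypted file the current user owns.
# EFS keys live in the user's profile, so before relying on EFS make sure a
# Data Recovery Agent certificate has been issued (cipher /r:<name>) and
# deployed via Group Policy; otherwise a lost profile means lost files.
cipher /u /n
```

Run it from an elevated PowerShell session. The report is the part to keep: a fleet-wide view of ProtectionStatus and RecoveryPasswords is what tells you whether "we use BitLocker" is true in practice, rather than just in policy.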
Backup your data
All critical assets should be backed up regularly and the backups stored in a secure location. Sometimes you will want a full backup of your data; at other times, only the changes made since the last full backup (an incremental or differential backup). Because ransomware routinely targets backups before encrypting production data, keep at least one copy offline or on immutable storage, and do not let the backup system share credentials with the systems it protects. You also need to test your backups periodically, both to ensure that the backed-up data is not corrupted and to confirm that you can restore it within an acceptable time. Microsoft Windows includes a "Backup and Restore" feature (Windows Server Backup on servers) that will back up your data automatically on a schedule; numerous proprietary solutions are also available.
Purge stale data
The less data you store, the easier it is to keep secure. Companies hold large amounts of ROT (Redundant, Obsolete and Trivial) data, often without knowing it, and even when they do know, they hesitate to delete it in case it is needed later. Companies need a formal process, and the tooling to support it, for identifying unused data and either disposing of it securely or archiving it so that it remains retrievable. When documents containing sensitive data are no longer required, moving them to the Recycle Bin is not a sufficiently secure method of removal: the data remains on disk until it is overwritten. To make deleted data unrecoverable on a traditional hard disk, overwrite it or use a dedicated disk-wiping tool. On SSDs and flash media, overwriting is unreliable because the controller remaps writes, so rely on full-disk encryption from the start and destroy the key when the data is retired, or use the drive's built-in secure-erase command.
Detect and manage inactive user accounts
It is common for large organizations to have inactive user accounts on their network, usually because an employee left and the account was never disabled during offboarding. Inactive accounts are dangerous because nobody is watching them: an attacker who compromises one can access resources without the legitimate owner noticing anything amiss. In other cases, accounts are set up for a particular purpose (a project, a contractor, a service) and then forgotten, sometimes with the default password still in place. Organizations must therefore have visibility into every inactive account on their network. Most Active Directory cleanup solutions can automatically detect inactive accounts and disable them; disabling first and deleting later, after a grace period, avoids breaking a service account that only logs on rarely.
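As an added example (not Lepide's code), the PowerShell script below does with the native Active Directory module what the paragraph above describes: it finds enabled user accounts with no logon in 90 days, flags those whose password has never been changed since the account was created (the "default password left unchanged" case), writes a report, and then disables and quarantines the accounts as a dry run. It assumes the ActiveDirectory RSAT module, rights to read and modify the accounts, and a quarantine OU whose name is made up for the example.

```powershell
# Added example, not Lepide's code: report and quarantine inactive AD users.
# Requires the ActiveDirectory RSAT module. The quarantine OU and the
# report path are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90
$QuarantineOU = 'OU=Quarantine,DC=example,DC=com'       # assumed OU
$ReportPath   = Join-Path $env:TEMP 'inactive-accounts.csv'

# Search-ADAccount evaluates LastLogonDate, which comes from the
# lastLogonTimestamp attribute. That attribute is only replicated when it is
# more than about 14 days out of date, so keep the threshold well above 14
# days or recently active users will show up as inactive.
$Stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordLastSet, whenCreated, Description
    }

$Report = foreach ($u in $Stale) {
    # A password set within a minute of account creation (or never set) is
    # almost certainly still the default handed out at provisioning time.
    $NeverChanged = (-not $u.PasswordLastSet) -or
                    (($u.PasswordLastSet - $u.whenCreated).TotalMinutes -lt 1)
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        LastLogonDate        = $u.LastLogonDate
        Created              = $u.whenCreated
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverChanged = $NeverChanged
        Description          = $u.Description
        DistinguishedName    = $u.DistinguishedName
    }
}

$Report | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ('Found {0} enabled accounts inactive for {1}+ days; report written to {2}' -f @($Report).Count, $InactiveDays, $ReportPath)

# Remediate by disabling and moving, not deleting: the SID and group
# memberships survive, so a false positive (a rarely used service account,
# someone on long leave) can be reversed in seconds. -WhatIf keeps this a
# dry run; remove it once the report has been reviewed.
foreach ($u in $Stale) {
    Set-ADUser -Identity $u -Description ('Disabled {0}: inactive {1} days' -f (Get-Date -Format s), $InactiveDays) -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}
```

Review the CSV before removing -WhatIf: the PasswordNeverChanged column is the one to escalate, since an inactive account that still carries its provisioning password is the easiest target on the domain.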
Monitor your accounts and data in real-time
As mentioned previously, data security has shifted from a predominantly perimeter-based model to one centred on users and the data they interact with. A real-time change auditing solution can detect, alert on and respond to changes made to your privileged accounts and the sensitive data they can access, aggregating and correlating event data from multiple platforms, both on-premises and in the cloud. Knowing who accessed what data, and when, is essential both for preventing breaches and for spotting unauthorized changes. Breaches can (and probably will) still happen, so you will also need a tamper-resistant record of the events leading up to the incident, stored somewhere the attacker cannot alter it. Most change auditing software can also generate, at the click of a button, reports tailored to the requirements of the major data privacy regulations.
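To make the "changes to privileged accounts" part concrete, here is an added example (not Lepide's code) that reads the raw signal a change auditing product builds on: the Windows Security log events a domain controller writes whenever someone is added to or removed from a security group. It reports the last 24 hours of membership changes to a short list of privileged groups, with who made each change. It assumes the "Audit Security Group Management" subcategory is enabled for Success (the default on domain controllers), that the caller can read the remote Security log, and a domain controller name that is made up for the example.

```powershell
# Added example, not Lepide's code: list privileged-group membership changes
# from a domain controller's Security log. The DC name is an assumption.
$DC         = 'dc01.example.com'
$Since      = (Get-Date).AddHours(-24)
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators', 'Backup Operators')

# 4728 / 4732 / 4756: member added to a security-enabled global / local /
# universal group. 4729 / 4733 / 4757: member removed.
$Added   = 4728, 4732, 4756
$Removed = 4729, 4733, 4757
$Filter  = @{ LogName = 'Security'; Id = $Added + $Removed; StartTime = $Since }

$Changes = Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The interesting fields live in EventData; pull them out by name
        # rather than by position so the code does not depend on field order.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action = if ($_.Id -in $Added) { 'Added' } else { 'Removed' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = $action
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']        # distinguished name of the member
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } |
    Where-Object { $_.Group -in $Privileged } |
    Sort-Object Time

if (-not $Changes) {
    Write-Host "No privileged group changes on $DC since $Since"
} else {
    # Anything here that does not match an approved change request is an
    # incident, not a curiosity.
    $Changes | Format-Table -AutoSize
}
```

This is a polling query, so it shows what the audit trail contains rather than alerting the moment a change happens; for real-time alerting, forward the same events to a collector or SIEM and raise a rule on them there. Because the events are read from the DC, an attacker who gains control of the DC can also clear them (event 1102), which is why the page's advice to keep an immutable copy of the audit record off the audited system matters.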
How Lepide Helps Improve Data Security
The Lepide Data Security Platform can help you improve your data security strategy by aggregating and summarizing event data from multiple sources, both on-premises and cloud platforms. All important events are displayed in a single, centralized dashboard, with numerous options for sorting and searching. Below are some of the most notable features of the Lepide Data Security Platform:
Machine learning: Lepide uses machine learning to build a baseline of normal usage patterns, against which new activity is compared in order to identify anomalous behavior.
Change auditing and reporting: Lepide tracks how your privileged accounts are accessed and used. Whenever your sensitive data is accessed, shared, moved, modified or deleted in an atypical way, a real-time alert can be sent to your inbox or mobile device; alternatively, you can review a summary of changes on the dashboard.
Data classification: The Lepide data classification tools scan your repositories, both on-premises and in the cloud, and classify sensitive data as it is found. You can also tailor the search to the compliance requirements relevant to your business.
Threshold alerting: Lepide's threshold alerting feature lets you detect and respond when events matching a pre-defined condition exceed a set number within a set period, for example a burst of file deletions or modifications of the kind a ransomware infection produces.
Inactive user account management: Lepide helps you locate inactive, or "ghost", user accounts so they can be disabled before an attacker uses them to perform nefarious activities.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and protect you from security threats, schedule a demo with one of our engineers or start your free trial today.