IT Focus Area: security
May 5, 2021
Take a Proactive Data Security Approach With These 5 Ws
Data powers the world’s commerce engine. Every business relies on the data collected, stored and used to drive the organization’s day-to-day operations. This data also fuels future competitive success and leads to strategic innovation. It’s not an overstatement to say that a business’s viability hinges on its ability to protect its data.
Reactive vs. proactive data security
The value of data to business continuity makes it somewhat surprising that we see organizations wait for a push from some outside factor before making data security a priority. It’s not unusual for our client conversations around data security to happen on the heels of a new regulation or a data breach. But you’ve heard about horses and the barn door, right?
Don’t wait for an event to trigger your data security planning. A proactive approach allows you to thoroughly develop and implement your strategy without being in a “state of emergency.” In this article, we will discuss the five Ws that can help you identify the right proactive path for your organization, then get started.
Data governance includes data security
Data governance provides an overarching framework that organizations can use to protect, use and manage their data. There are seven core pillars to a solid data governance program, one of which is data security.
It is possible to focus only on data security, but taking a data governance approach improves your understanding of your critical data assets and advances your data governance maturity.
Data security vs. data privacy
Data security and data privacy are sometimes used interchangeably by organizations looking to advance their data protection, but they are different concepts.
How an organization handles the data it collects from users has gained importance as most transactions—including communication, commerce, and others—have moved online. Organizations with an online footprint must meet several data privacy regulations and compliance criteria to protect user privacy. Examples include the GDPR, HIPAA, and the California Consumer Privacy Act (CCPA).
Understanding your data—value, location and access—is key to securing it. Data security means protecting digital data from destructive forces, unwanted actions by unauthorized users, and accidental loss.
Data security involves implementing a set of controls based on:
- The relative importance of each data set to your organization
- Established sensitivity levels based on confidentiality, integrity and availability
- Meeting required regulatory compliance
After establishing criteria for your controls, you can then apply the appropriate protections to secure these resources.
The 5 Ws of proactive data security
To establish a proactive path to data security for your organization, begin by asking these five questions.
1. Who is responsible for data security?
Every organization has data that needs to be protected, regardless of whether it has customers, clients, patients, donors or volunteers. Every transaction or interaction produces data.
If every organization has data that needs protection—including yours—then who in your organization is responsible for securing that data? You are. And he is. And so is she. Every individual within an organization has a role to play in protecting data.
- Employees need training in the basic principles of protecting data and awareness of common phishing attacks, malware, social engineering, and other methods that criminals use to gain insider access to resources and data.
- Business leadership must treat data like the asset it is to enable the resources, tools and culture necessary to protect it. Collecting data also brings liability, making it a business imperative to protect it.
- The IT team is responsible for leading the organization’s charge towards actively implementing and maintaining best practices for data security.
2. What data needs to be protected?
Data is a small word that encompasses enormous impact and variety. How you view data depends on your lens. To understand data in a broader sense, you could consider these 13 data categories. But to look at data from a security perspective, the most important categories to understand are structured and unstructured data.
Structured vs. unstructured data
- Structured data is organized by identified fields and stored in a database. This data can be machine-generated or human-generated. Structured data can generally be retrieved by an individual field or in any combination of fields. It is then used to provide analysis, visualizations, calculations, insight, and other useful information when it is integrated with another application. Databases containing structured data can be stored on-prem, in the cloud or using a hybrid model.
- Unstructured data is part of everyday operations for a business. Emails, text documents, spreadsheets—these all represent unstructured data and are primarily information assets. They have value and should be part of an overall security strategy, but the value of the information contained is available through general human cognitive abilities, such as reading and comprehension.
3. Where should you start when building a data security strategy?
These are the primary areas necessary for a proactive data security strategy.
Discover data locations: Identify where all of your organization’s data is stored—including file servers, database servers and cloud services. This first step is essential because you can’t protect data that you aren’t aware of.
This part of discovery can include interviews with application owners and the use of tools already in the environment, such as network scans, DLP reports and CASB reports. If tooling does not exist, consider bringing in help with data risk assessment.
Classify data: Identify the contents of the discovered datastores. This process requires cross-operational discussions throughout your organization. Each department will best understand what data they are using and how. Have them assist with classifying their data sets.
Data discovery/classification tools can speed up the process by scanning the datastores and then reporting on the sensitive information stored, such as PII, PHI and PCI data. Simplicity works best: public, private and internal-use-only classifications are easily understood across the enterprise.
Monitor access: Activity monitoring will tell you who and what is accessing your data—users, applications, batch processes, etc. Monitoring/auditing access of your sensitive information establishes a baseline for normal activity. This baseline is used to create policy around what should be allowed, and what should be considered an anomaly.
Apply policy: For data at rest, identify whether files or documents need to be encrypted, how often they should be backed up, and what level of availability is needed to meet SLA requirements.
Data in motion requires an understanding of who can access the data and who should be able to access the data. This involves understanding current access by people, processes and applications through access monitoring, then removing any unnecessary access. This can also be called an entitlement review. And it includes knowing if your data can be moved, stored or shared, and then appropriately placing the needed controls.
Assess vulnerabilities and remediate: Check and recheck your operating systems, database systems and data stores for vulnerabilities. Patch and configure as needed to keep these systems up-to-date and secure. Vulnerability assessment is another area where automated tooling is necessary. These tools can be bundled with access monitoring solutions or deployed as standalone solutions.
Modify policies: Based on your data classification and activity monitoring, regularly revisit your policies and update as needed to ensure that all data use cases are addressed correctly. Along with a regular review schedule, you should also be alerted any time access patterns change or when new requirements are implemented so that you can keep your policies current.
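The discover, classify, monitor and entitlement-review steps above can be prototyped in a few lines. The following is an added example, not code from the article: it scans constructed datastore samples for the PII and PCI markers the article names (an SSN shape and a Luhn-valid card number), assigns the article’s three classification levels, learns an access baseline from constructed audit lines, and then flags later accesses to non-public data by principals outside that baseline. All datastore names, log lines and regex patterns are assumptions made for the illustration.

```python
import re
# Constructed sample datastores (not from the article): name -> a sample of its contents.
DATASTORES = {
    "crm_db": "customer Jane Doe, ssn 123-45-6789, email jane@example.com",
    "billing_db": "card 4111 1111 1111 1111 exp 12/26 amount 42.00",
    "wiki_share": "Q3 all-hands agenda and lunch menu",
    "hr_share": "salary review notes, internal distribution only",
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # PII marker (US SSN shape)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # PCI candidate, confirmed by Luhn below

def luhn_ok(digits: str) -> bool:  # Luhn check so a random digit run is not flagged as a card
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content: str) -> str:
    """Map a datastore sample to the article's levels: private, internal use only, public."""
    cards = [re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(content)]
    if SSN_RE.search(content) or any(luhn_ok(c) for c in cards):
        return "private"             # PII or PCI present: tightest controls
    if "internal" in content.lower():
        return "internal use only"
    return "public"

# Constructed audit lines "timestamp principal datastore action": a monitoring window that
# becomes the baseline, and a later review window checked against it (not from the article).
BASELINE_LOG = """2021-04-01T09:00 svc_crm crm_db read
2021-04-01T10:00 svc_billing billing_db read
2021-04-02T11:30 bob wiki_share read"""
REVIEW_LOG = """2021-04-20T09:00 svc_crm crm_db read
2021-04-20T13:45 bob billing_db read
2021-04-20T14:00 carol wiki_share read"""

def baseline(log: str) -> dict:
    """Which principals normally touch which datastore, learned from the monitoring window."""
    seen = {}
    for line in log.splitlines():
        _, who, store, _ = line.split()
        seen.setdefault(store, set()).add(who)
    return seen

def anomalies(log: str, base: dict, levels: dict) -> list:
    """Non-public data touched by a principal outside the baseline: entitlement-review input."""
    return [f"{who} -> {store} ({levels[store]})"
            for _, who, store, _ in (line.split() for line in log.splitlines())
            if levels[store] != "public" and who not in base.get(store, set())]

LEVELS = {name: classify(text) for name, text in DATASTORES.items()}
```

Running `anomalies(REVIEW_LOG, baseline(BASELINE_LOG), LEVELS)` yields the single finding `bob -> billing_db (private)`, which is exactly the kind of access an entitlement review should confirm or remove; carol’s read of the public share is not raised.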
4. When should you apply your data security strategy?
A proactive data security approach means applying your established data security controls and protections continuously, not once. Structured data is rarely static. As you continue to use and acquire data, a proactive approach becomes an ongoing process. Each of the following events requires you to apply your data security controls again, so that they remain comprehensive and the necessary protections reach the data that needs them.
- At data inception, which includes developing or implementing a new application or when onboarding data because of a merger or acquisition
- When adding a new datastore
- When a new regulation is imposed that affects your organization
5. Why is protecting data necessary?
Not only is everyone in an organization responsible for protecting data; everyone in an organization is also affected when a data breach or data loss occurs.
Proactive data security helps your organization:
- Enable business continuity by avoiding disruption to day-to-day commerce and functions
- Meet compliance and regulatory requirements to avoid fines, penalties and legal issues
- Protect your reputation and standing as a trusted organization and build brand loyalty
- Gain and maintain a competitive advantage using accurate, accessible data
- Prevent job loss at your organization—something that occurred at nearly one-third of breached companies in previous years
Build a strategy and automate tasks with a trusted partner
A robust data security strategy extends across your enterprise and can become complex. There are data security solutions, consultants and third-party integrators available to assist.
An outside review of your data can be invaluable in avoiding becoming bogged down internally. Security solutions can help automate many of these processes so your team can easily stay on schedule with the maintenance needed to keep your data security program at peak performance.