Security Lesson #4: Build Your Data Security Strategy on Best Practices




The data security layer is about protecting the data you have. It includes the different cybersecurity practices that you use to secure your data and prevent data breaches and misuse. Data encryption and access restrictions are two clear examples of ways that you can protect your data. And while this is the layer explicitly focused on data security, it’s also important to note that in our layered cybersecurity framework, all the other layers — perimeter security, network security, endpoint security, and application security — also contribute to protecting your data.

Our last post explored the intersection of data security, data privacy, and data protection and why data security is so important. Now we’re going to look at what’s involved in data security, some common mistakes to avoid, and what best practices look like. 

Basics of data security

Data security is a critical part of any comprehensive security strategy. Part of your strategy must include ways to identify and evaluate security threats and reduce the risks related to protecting sensitive information and the IT infrastructure they reside on.

Most organizations, particularly in the accounting and healthcare industries, hold a lot of data, much of it sensitive. Managing and controlling the flow and access of that data involves protective measures against security problems, such as accidental and intentional unauthorized access. Data security and protection is part of a layered approach to security, including perimeter security, network security, endpoint security, and application security, in addition to comprehensive policy management and a robust monitoring and response plan. 

Because data security is so tightly tied to data protection and data privacy, it’s essential to understand what good data security standards are and then implement the standards appropriate for your organization. A few questions you might ask when creating your standards include: 

  • What data do you need to back up? Application data, financial analysis, intellectual property, customer data, and strategic plans are some examples. What form does that data come in: Office files, PDFs, application databases, emails, and Microsoft Teams / Slack? 
  • What kind of data classification are you doing?
  • How are you tracking and protecting sensitive data?
  • What data can your business lose access to and remain functional?
  • What is your tolerance for data recovery? 
  • Can you move to paper-based operations if needed during a technical outage, and if so, what information will you need access to for that to function correctly?

A good understanding of data security basics will help your organization prioritize what data to protect, back up, and anonymize, and how to do that effectively.

Common mistakes in data security 

Many small organizations are aware of the importance of protecting and securing data, but they’re not sure how to do it properly, or they believe that it’s not their responsibility. Because an increasingly large proportion of business operations are in the cloud, many organizations believe that the Cloud Service Providers’ security responsibilities cover data security. However, cloud customers still bear responsibility for user identity management and access control of service systems, data security, and security management and control of endpoints that access cloud services, such as hardware, software, application systems, and devices. Below are a few mistakes that can harm an organization if or when a cyberattack or system downtime occurs: 

  1. Worst: Not encrypting data at rest, not having a defined data protection strategy, or having an ill-defined strategy.
  2. Bad: Not creating a data security and protection plan based on business requirements — or allowing the IT team to define a data security strategy without incorporating business requirements.
  3. Better: Having a data security strategy based on business and regulatory requirements but not regularly reviewing business requirements and changes to regulations in your industry.

Cybercriminals are out there, searching for companies to attack, and data breaches happen regularly. Suppose your data security strategy is based on your business requirements and the regulations relevant to your industry. In that case, your organization becomes a less attractive target, because it will be harder to access and misuse your data. Clear policies and comprehensive employee training, as well as a least-privilege approach for user access, will help you build data security strategies that protect your business and your customers. 

Controlling user access minimizes data security risk

An employee can’t unwittingly give access to data if they don’t already have that access. Here’s where concepts such as “least-privilege” come into play. In a nutshell, the least privilege model is one that assumes all access rights are restricted to those that any given employee MUST have. Whether you’re the firm’s managing partner or the practice manager at a clinic, there is some data that you will not have access to, because you simply don’t need to.

In this model, even if a managing partner’s account is compromised, the criminal has limited access to unencrypted data because the partner doesn’t have unencumbered access.[1] 

Best practices for data security

Small organizations can provide enhanced data security for those inside their network, which takes care of some of the risks they might be exposed to, even when working remotely. To protect your employees and clients, follow these best practices for data security: 

  • Conduct a comprehensive business impact assessment (BIA), and create a disaster recovery and business continuity plan based on that assessment. Choose a backup strategy, technology, and frequency that meets the requirements identified in the BIA.
  • Understand your industry’s state, federal, and international regulations and the breach notification requirements associated with regulatory compliance. 
  • Evaluate the risks associated with your data and classify data appropriately, because high-risk information is more likely to be audited. Define what data needs to be encrypted and choose technology that appropriately encrypts and anonymizes data. Implement data loss prevention tools that scan outgoing and incoming emails for PII, quarantining that information to ensure that no protected information is sent via an unsecured platform. 
  • Understand who has access to what data in your organization and create smart, logical groups to limit data access to those who need it. Once you’ve created policies and groups to manage data access, review those data access policies regularly to ensure they are still appropriate. Never allow third parties or employees access to data and information that they don’t need to do their job. 
  • Train your staff on data security, data protection, and data privacy. Make sure they understand what exposure of personally identifiable information means, what exposure might look like, what defines an incident, and how to report it. For example, if you walk away from your desk to get a glass of water, and PII remains on your screen for anyone to see, or if a doctor walks out of the exam room and leaves another patient’s chart on the screen, is that an exposure?
  • Create clear policies, so your employees understand the organization’s position on data loss prevention and data protection. 
  • Implement a portal to enable sharing between your organization and your clients. In both accounting and healthcare, sensitive information is regularly shared between you and your customers, and email is not a secure information transmission method. Emailing W2s or medical records presents a significant exposure of PII, even before it gets to your business. 

How Netgain protects our clients

Netgain employs security and technology professionals who understand the threats posed by malicious actors, unexpected downtime, and lack of compliance with regulations. Our team can recommend tools and best practices and help you implement security controls and other monitoring tools that can help prevent a data breach. By creating strong security controls, you can eliminate the use of unapproved software or other services that may put data at risk and establish and enforce security policies and procedures for workers, whether they are sitting in your office or working from remote environments.

The industries we serve have complex technology challenges, and while healthcare and accounting have different regulatory requirements, both hold sensitive data. The focus on compliance is essential, but it must be accompanied by strong data security tools and policies. 

Our next security post will be a post on the Application Security layer. Application security pertains to the security measures at the application level that prevent data or code within the application from being stolen or hijacked. We’ll help you understand this layer, how to secure it, and best practices to keep your organization safe and secure.