Data Security: Protecting sensitive data from unauthorized access
In Security Lesson #1, we talked about the importance of a business impact analysis and the nine questions you need to ask to help you build the right level of resilience into your organization, regardless of the size and focus of your business. Now we’re going to take a closer look at the data security layer in our layered approach to cybersecurity. First, we’re going to explore what data security involves and why it’s so important.
Data security, data protection, and data privacy all sound similar, and all three relate to securing your data, but they mean different things. All three are parts of the best practices you need to consider when building your data security strategy.
- Data security protects your data against unauthorized access or use that could result in exposure, deletion, or corruption of that data. Encryption of data at rest (data that isn’t actively moving from one device to another or one network to another; data stored somewhere) and data in transit is a given here. But even more important is limiting access to only those who need it (this is known as the principle of least privilege) and understanding data in motion, i.e., how data is captured and shared in your organization. You can, for example, have robust controls around databases and file systems, but if your team is liberally sharing sensitive information in Microsoft Teams, on Slack, or over email without you understanding how that data is being shared or protected, your risk is much more significant than you think.
- Data protection refers to your backup strategy. Backups protect you in case data is accidentally erased or lost in some other way. In the last post, one of the questions we asked was about how long your business can be down without significant consequences, because the answer helps you plan how to create backups of your data and systems — and how often — so you can get back up and running even if your data gets corrupted or a natural disaster destroys your servers. Several components of the backup strategy directly impact cost, time to recovery (Recovery Time Objective or RTO), and the amount of data that could be lost (Recovery Point Objective or RPO).
- Data privacy is a growing concern as different states (California and Virginia have new comprehensive consumer data privacy laws), countries, and regions work to regulate how data is handled. Regulatory fines, breach notifications, consent requirements for the use of data, and the right to be forgotten, among other concerns, necessitate more significant attention to data privacy.
Data security isn’t a new issue, but the rapid shift to cloud computing environments and more employees working remotely due to the COVID-19 pandemic added new opportunities for unauthorized access to company data. Hackers haven’t missed this opportunity to increase the number of cyberattacks over the past year. CPA firms process personally identifiable information (PII) and highly sensitive financial information, and healthcare clinics process Protected Health Information (PHI) as defined under HIPAA (The Health Insurance Portability and Accountability Act of 1996). As a result, you need to intimately understand the state of your data security and have a plan to continue improving data security at your organization and implementing best practices as technologies — and attack vectors — continue to evolve.
The most obvious risk of not having your data security well in hand is a data breach. Data breaches can have serious consequences, with the global average total cost of a data breach in 2020 at $3.86M, according to IBM’s Cost of a Data Breach Report 2020. Meanwhile, the Verizon 2021 Data Breach Investigations Report shows threat actors are targeting small businesses at higher rates than in previous years. In last year’s report, large organizations experienced more than 2.5 times the number of breaches as small businesses; in this year’s report, the gap has narrowed to just under 17%.
Cybercriminals adapt their activities, often targeting smaller (and in the criminals’ minds, easier) organizations to attack, and then further compounding their foothold by using such organizations as launching pads to reach additional targets, such as a CPA firm’s clients.
While external access to your data from cybercriminals is undoubtedly one concern, threats to data security can also come from internal sources, either maliciously or, more likely, through unsafe or careless practices. Almost 20% of breaches caused by malicious attacks are due to compromised credentials, and another 20% are due to cloud misconfiguration. This breakdown from the IBM Cost of a Data Breach Report in 2020 shows the impact internal training can have on data breaches and malicious attacks; phishing, compromised credentials, and social engineering combined accounted for more than one-third of all malicious breaches.
Now that you have a broader understanding of what’s involved in data security, including the differences between data security, data protection, and data privacy, and some of the industry trends in data breaches, the next step is to think about data security in your organization. Stay tuned for the next post, which will explore data security basics, some common mistakes organizations make when implementing data security, and best practices that will help you keep your organization secure.