Cybersecurity: Why effective data security is necessary in today’s competitive world
Confidentiality, Integrity, and Availability, the three aspects of data security popularly known as the CIA triad, need to be considered while modelling threats to data
Businesses thrive when they leverage data successfully; data has become the fuel for their growth engine. Conversely, when a cyber-attack leaks their valuable data or locks it for ransom, most businesses lose their competitive edge, incur significant losses, or even shut down.
Unsurprisingly, the World Economic Forum’s Global Risks Report 2022 identifies cyber risks as one of the top risks to modern businesses, and the cost of data breaches to businesses reached a record high in 2022.
Poor security measures often result in cyber incidents, such as data breaches and ransomware attacks, which invariably lead to losses. Vulnerabilities in applications, misconfigured cloud infrastructure, legacy or unpatched servers, a lack of appropriate processes for handling data, and untrained personnel are behind most cyber-attacks.
Data security is not a speed breaker but an accelerator
Some consider data security a speed breaker that slows their business’s growth. This is a misconception; on the contrary, adopting the right practices makes data security an accelerator that helps businesses stay ahead in the race. Here are the steps businesses can take to ensure that data security proves to be an accelerator of their growth:
The first step towards securing the data is to identify the complete data life cycle within the organization.
This involves identifying:
- Various types of data used within the organization, such as text files, images, audio, video, designs, and source code.
- Various sources that generate the data (users, applications, and machines).
- Various personnel who have access to the data.
- Various applications that process and store the data.
The second step is to classify the data and map how it flows within the organization.
- Labelling the data based on its sensitivity.
- Ensuring that data flows are mapped across different business processes.
For example, Personally Identifiable Information (PII), Protected Health Information (PHI), trade secrets, and intellectual property such as designs, documents, and source code should be labelled high sensitivity. Internal communications could be labelled medium, and material that is already public, such as websites and press releases, low.
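As an added illustration of the labelling step (this code is not from the article), the following Python scans a text field for indicators of high-sensitivity data, namely e-mail addresses, payment card numbers validated with the Luhn check, and source-code markers, and assigns a HIGH, MEDIUM or LOW label. The marker lists and the sample records are constructed for the example; a real deployment would draw on the organization’s own data catalogue and a DLP engine rather than these heuristics.

```python
"""Sensitivity labelling for text records (added example, not from the article)."""
import re
from enum import Enum


class Sensitivity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Runs of 13 to 19 digits, optionally separated by spaces or dashes (payment cards).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed heuristics: markers of source code (intellectual property) and of
# internal-only material; a real deployment would use the organization's own lists.
CODE_MARKERS = ("def ", "class ", "#include", "import ", "function ")
INTERNAL_MARKERS = ("internal only", "confidential", "do not distribute")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs that look like card numbers and pass the Luhn check."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify(text: str) -> tuple:
    """Return (label, reasons). Any PII or source-code marker makes the record HIGH."""
    reasons = []
    if EMAIL_RE.search(text):
        reasons.append("email address")
    if find_card_numbers(text):
        reasons.append("payment card number")
    if any(marker in text for marker in CODE_MARKERS):
        reasons.append("source code")
    if reasons:
        return Sensitivity.HIGH, reasons
    if any(marker in text.lower() for marker in INTERNAL_MARKERS):
        return Sensitivity.MEDIUM, ["internal marker"]
    return Sensitivity.LOW, []


def label_records(records: dict) -> dict:
    """Label every record in a {name: text} mapping."""
    return {name: classify(text)[0] for name, text in records.items()}


# Constructed sample records for the example.
SAMPLE_RECORDS = {
    "support_ticket.txt": "Customer alice@example.com reports a login problem.",
    "payment_note.txt": "Card on file 4111 1111 1111 1111, expiry 09/27.",
    "tracking.txt": "Shipment reference 4111 1111 1111 1112 dispatched.",
    "memo.txt": "INTERNAL ONLY: Q3 roadmap draft.",
    "press.txt": "Press release: new office opens in Pune.",
    "util.py": "import os\n\ndef main():\n    print(os.getcwd())\n",
}

if __name__ == "__main__":
    for name, label in label_records(SAMPLE_RECORDS).items():
        print(f"{name:20} {label.name}")
```

The Luhn check matters in practice: without it, every long reference or tracking number would be flagged as a card number and the HIGH label would lose its meaning. Keyword heuristics are deliberately conservative (anything that looks like PII or code is HIGH), because mislabelling sensitive data as LOW is the costlier error.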
The third step is to identify and model threats to the data and adopt appropriate measures to mitigate them.
Confidentiality, Integrity, and Availability, the three aspects of data security popularly known as the CIA triad, need to be considered while modelling threats to data. Ensuring confidentiality means that only authorized users, applications, and devices can view the data. Ensuring integrity means that only authorized users, applications, and devices can modify the data, and that any unauthorized or accidental change is detectable. Ensuring availability means that the data, and the IT infrastructure that serves it, is accessible whenever the business needs it; this is the property a ransomware attack takes away.
Data may be structured or unstructured, but in any organization it is in one of three states: data at rest, data in transit, and data in use. Appropriate measures to safeguard data in all three states are needed to withstand cyber-attacks.
Data at rest: Critical data is often stored on laptops, mobile devices, servers, cloud storage, and dedicated storage devices. Some of the appropriate measures to secure stored data are:
- Enabling full-disk encryption on devices and servers. This protects the data if a device is stolen or disposed of improperly. Note that it protects only while the device is powered off or locked; it does nothing against an attacker who compromises a running system or a user’s credentials.
- Taking regular backups of the data, and regularly restoring and testing them. Tested backups, with at least one copy kept offline or immutable so that an attacker cannot encrypt or delete them along with the live data, are the best recovery mechanism in case of a ransomware attack.
- Storing a copy of the backup at a different geographical site ensures availability of data in case of natural calamities.
- Securely disposing of devices and securely deleting files. For encrypted storage, destroying the encryption key renders the remaining ciphertext unrecoverable.
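As an added example, not from the article, the following Python performs the restore-and-test drill for a backup: it archives a constructed sample directory, records a SHA-256 manifest of its contents, restores the archive into a separate directory while refusing archive entries that would escape it, and reports every file that is missing from or differs in the restored copy. Passing `tamper=True` simulates silent corruption of one restored file so that the check’s failure path is visible. All paths and file contents are constructed for the example.

```python
"""Backup, restore and integrity drill on constructed data (added example, not from the article)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest to keep with the backup
    (in practice stored separately, so that whoever alters the archive cannot
    also alter the record of what it should contain)."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    return manifest


def restore_backup(archive: Path, target: Path) -> None:
    """Extract into target, refusing entries that would land outside it."""
    base = target.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            dest = (base / member.name).resolve()
            if dest != base and base not in dest.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):   # Python builds with extraction filters
            tar.extractall(base, filter="data")
        else:
            tar.extractall(base)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Names of files that are missing from, or differ in, the restored copy."""
    actual = build_manifest(restored)
    return sorted(name for name, digest in manifest.items() if actual.get(name) != digest)


def backup_restore_drill(tamper: bool = False) -> list:
    """Full drill on a constructed directory; returns the list of mismatches,
    empty when the restored copy is intact."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, restored = root / "source", root / "backup.tar.gz", root / "restored"
        (source / "records").mkdir(parents=True)
        (source / "records" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (source / "config.json").write_text('{"retention_days": 30}\n')

        manifest = create_backup(source, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        if tamper:
            # Simulate silent corruption (or an attacker-altered backup) of one file.
            (restored / "config.json").write_text('{"retention_days": 31}\n')
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("intact restore, mismatches:", backup_restore_drill())
    print("tampered restore, mismatches:", backup_restore_drill(tamper=True))
```

A backup that has never been restored is only a hope; the drill above is the minimum that should run on a schedule, with the manifest kept apart from the archive so that a backup altered by ransomware fails verification rather than being trusted.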
Data in transit: Data often moves both within and outside the organization to carry out business processes. Appropriate measures to secure data in transit are:
- Using client-side (end-to-end) encryption for application data. This protects the data on insecure networks and also at intermediaries that terminate the transport-layer connection and would otherwise see it in the clear.
- Using secure protocols such as HTTPS on the Internet. TLS stops on-path parties such as ISPs and network intermediaries from reading, logging, or tampering with the data; only the endpoint that terminates TLS (the server, or a proxy configured to do so) sees the plaintext. Certificate validation must not be disabled on the client, or this protection is lost.
- Using a VPN (for example, IPsec or WireGuard) when connecting to the office network or the cloud over the public Internet. This protects the data when employees access internal applications remotely.
- Using email security gateways with rigorous policies. This protects against data leakage through intentional or accidental sharing of critical data over email.
- Using a cloud access security broker (CASB) to secure data sharing via cloud services. This protects against unintentional sharing of important files with users, internal or external to the organization, via cloud services.
Data in use: Business processes need to use the data to extract its value, and both personnel and applications need access to it.
- Applying appropriate access controls and the principle of least privilege prevents unauthorized data access.
- Techniques such as data masking and data anonymization mitigate exposure of sensitive information when data is shared with third parties for valid business purposes.
- Advanced cryptographic techniques, such as homomorphic encryption and secure multi-party computation, keep data encrypted even while it is being processed. Practical solutions using these techniques are emerging, but they are still at a nascent stage.
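As an added example, not from the article, the following Python applies the three common masking and anonymization techniques to a constructed customer record before it is shared with a third party: partial masking (e-mail and card number keep just enough to be recognizable), generalization (an exact age becomes a ten-year band), and keyed pseudonymization of the customer identifier with HMAC-SHA256, which keeps records joinable across datasets without revealing the identifier and cannot be reversed by a recipient who lacks the key. The key and the record are constructed for the example.

```python
"""Masking, generalization and pseudonymization of a customer record
(added example, not from the article)."""
import hashlib
import hmac
import re

# Constructed key for the example only; in practice it comes from a secret store
# and is never given to the recipient of the anonymized data.
PSEUDONYM_KEY = b"example-pseudonymization-key"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC pseudonym: the same input always maps to the same token, so
    datasets still join, but without the key the token cannot be linked back
    to the identifier (a plain hash of a short ID could be brute-forced)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain: a***@example.com."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_card(number: str) -> str:
    """Keep only the last four digits, as on a printed receipt."""
    digits = re.sub(r"\D", "", number)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def generalize_age(age: int) -> str:
    """Replace an exact age with a ten-year band to reduce re-identification risk."""
    low = (int(age) // 10) * 10
    return f"{low}-{low + 9}"


def redact(_value) -> str:
    return "[REDACTED]"


# Which rule applies to which field; fields without a rule pass through unchanged.
FIELD_RULES = {
    "customer_id": pseudonymize,
    "name": redact,
    "email": mask_email,
    "card_number": mask_card,
    "age": generalize_age,
}


def anonymize_record(record: dict) -> dict:
    return {field: FIELD_RULES[field](value) if field in FIELD_RULES else value
            for field, value in record.items()}


# Constructed sample record.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Alice Smith",
    "email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "age": 34,
    "country": "IN",
}

if __name__ == "__main__":
    for field, value in anonymize_record(SAMPLE_RECORD).items():
        print(f"{field:12} {value}")
```

The choice of rule per field is the policy decision the classification step feeds into: masking keeps a value partly usable, generalization trades precision for a larger anonymity set, and pseudonymization preserves linkage for analytics while keeping the real identifier out of the shared dataset.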
Along with the above measures, it is also important to secure the IT infrastructure that manages the data, with general measures such as:
- Asset inventory and classification. This identifies all the assets on which the data resides.
- Continuous vulnerability scanning and penetration testing of applications, Cloud, and Infrastructure.
- Regular patching of the IT infrastructure.
- Enabling multi-factor authentication.
- Continuous monitoring of network traffic.
- Conducting security awareness training for all the personnel.
Adopting good data governance and securing data also helps businesses stay compliant with standards such as ISO 27001:2013, PCI DSS, and the NIST CSF, and with regulations such as GDPR, HIPAA, and SOX, among others. Accordingly, businesses should not let misconceptions around data security deter them from unlocking their full potential, but should secure data effectively and ace the race in this data-driven world.