10 Data Security Best Practices to Avoid Data Breaches

News of a major data breach seems almost commonplace.

From Equifax to Capital One, countless companies have faced the fallout of compromised customer data. This raises a critical question: are you confident your business is taking the necessary steps to safeguard sensitive information?

Data breaches are entirely preventable with tools like data-centric security software. By prioritizing cybersecurity, you can protect your customers and avoid becoming the next headline. 

We've consulted security professionals to help navigate this crucial aspect of business. They'll share their insights on effective data security methods. But before diving in, let's clearly understand what data security entails.

Some sectors demand high data security to meet data protection rules. For example, firms that receive payment card information must use and retain payment card data securely, and healthcare institutions in the United States must adhere to the Health Insurance Portability and Accountability Act (HIPAA) standard for securing private health information (PHI).

Even if your firm is not subject to a rule or compliance requirement, data security is critical to the sustainability of a contemporary business since it may affect both the organization's core assets and its customers' private data.

Common data security threats

Data security threats come in many forms, but here are some of the most common:

• Malware: Malicious software or malware includes viruses, ransomware, and spyware. Malware can steal data, encrypt it for ransom, or damage systems.
  
• Social engineering: Attackers use deception to trick people into giving up sensitive information or clicking malicious links. Phishing emails are a common example.
  
• Insider threats: Unfortunately, even authorized users can be a threat. Employees, contractors, or partners might steal data intentionally or accidentally due to negligence.
  
• Cloud security vulnerabilities: As cloud storage becomes more popular, so do threats targeting these platforms. Weak access controls or misconfigured cloud services can expose data.
• Lost or stolen devices: Laptops, smartphones, and USB drives containing sensitive data can be physically lost or stolen, leading to a data breach.
  

Types of data security 

Data security encompasses several types of protection for safeguarding data, devices, and networks. Here are some common types:

Data encryption

Data encryption protects information by using algorithms and mechanisms to scramble data, rendering it incomprehensible without the correct decryption keys.  Encryption is particularly effective when transmitting sensitive data, such as sending files via email. Even if a hacker attempts to steal data, they won’t be able to access it without the necessary keys. 

Data masking 

Similar to data encryption, data masking conceals sensitive information but uses a different approach. It replaces raw data with fictional information, making it unusable for unauthorized individuals. 

For example, a company could substitute real credit card numbers with fake ones in a dataset to prevent exposure that leads to fraudulent transactions. This technique preserves confidentiality when sharing or displaying data with eyes that don’t require access to the specifics. 

Data erasure

Not all sensitive data needs to be retained indefinitely, and holding on to it longer than necessary can pose risks. Data erasure, sometimes called data clearing or wiping, obliterates sensitive information from storage devices and systems. It’s a technical task that IT security professionals perform to reduce the chance of unauthorized individuals gaining access. 

It’s essential to note that data erasure is more permanent than data deletion, which allows you to recover information. Data erasure ensures that data is entirely unrecoverable. 

Data resiliency

Accidental destruction or data loss due to malicious activity can cause severe business losses. Organizations can mitigate risk by increasing their data resiliency or ability to recover from an unexpected breach or data impact. This includes developing and deploying business continuity plans and data backups to prevent disruptions. 

Organizations boost their data resiliency by addressing security weaknesses and protecting the impacted datasets moving forward. 

10 data security best practices

Several methods, policies, and behaviors can enhance your overall data security strategy for the best results. While there isn’t one magic data security solution, leveraging a combination of these top best practices (or all) will improve your organization’s security posture. 

1. Discover and classify your data sets

It’s much harder to protect your data and sensitive information if you don’t understand the types of data you gather, where it lives, and how sensitive it is. The first step to implementing an effective data security strategy is to familiarize yourself with your data and take targeted action to mitigate the risks. 

There are several ways you can classify and label your datasets. Imperva outlined and defined three general categories of data to start with:

• High sensitivity: Data whose breach, loss, or unauthorized access would catastrophically impact the organization or individuals.

• Medium sensitivity: Data intended for internal use only. Its exposure or leakage wouldn’t necessarily have a catastrophic impact, but we prefer that it doesn’t fall into the hands of unauthorized users.
• Low sensitivity: Public data intended for sharing and public use.

Once your data is classified, the next critical step is to label all your information accordingly. For example, medium-sensitivity documents intended for internal use could benefit from a footer that reads, “Intended for internal use only.” 

Ensuring employees understand the data they use and what they should use it for aligns team members to a shared security structure. 

2. Outline clear and concise data security policies 

Data security policies specify the administration, handling, and usage of data within an organization to safeguard information and prevent data breaches. They help employees understand their level of access to and responsibility for business data. These requirements and instructions also help businesses adhere to data protection regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). 

Creating a data security policy is a multi-step process. Apono’s step-by-step guide outlines six essential elements of a robust policy, namely: 

• The security tools the organization will use to support the effective implementation of their policy 

“As a small business, we try to centralize our tools into as few products as possible. For instance, we chose our file share solution based on its ability to consolidate other services we need, such as group communication, shared calendars, project management, online editing, collaboration, and more. So, we chose NextCloud on a virtual private server. One SSL certificate covers everything it does for us. We use a static IP from our internet service provider and enforce secure connections only. The second reason we went this route was that it encrypts the data it stores. Hacking our NextCloud will only get you gibberish files you can't read. It saved us a lot of money implementing our solution and has free iOS and Android apps.”

- Troy Shafer, Solutions Provider at Shafer Technology Solutions Inc.

• The policy scope, including who it affects and how it overlaps or intersects with other organizational policies 
• An overview of the organization’s data and who owns each dataset

• All relevant policy stakeholders, including who created it, who will enforce it, and who to reach out to with questions or concerns 

“To avoid being a company that experiences a data breach, start by buying in. Acknowledge your company requires non-IT executive attention to this security initiative. Understand that you can hire and retain the right kind of security leadership if you plan to do it internally. If your company has less than 1,000 employees, it’s probably a mistake to 100% use in-house security, and it would be better served by hiring a risk management company to assist with the long-term effort of your data security efforts."

- Brian Gill, Co-founder of Gillware

• Timelines for critical activities, including policy implementation, regular policy reviews, and audit cadence 
• Clear policy objectives and expected outcomes 

3. Develop a thorough incident response plan

While it’s impossible to prevent data breaches and loss entirely, businesses can set themselves up for smoother recoveries by considering incident response before an incident occurs. Companies create incident response plans to manage security incidents and outline proper next steps to minimize the impact. 

Incident response plans are most effective when detailed and evergreen. They provide helpful procedures and resources to aid in the attack's aftermath. Codified playbooks and instructions, a robust communication plan, and a process for regularly updating the plan can set your organization up for success. 

The Cybersecurity & Infrastructure Security Agency (CISA) offers some additional Incident Response Plan (IRP)  Basics to consider, including: 

• Printing the incident response plan documents and the associated contact list so all key stakeholders have a physical copy readily available in emergencies. 
• Preparing press releases or a guiding template in advance so it’s easier to respond if and when an event occurs.
• Conducting attack simulation exercises to carry out the IRP as instructed. 
• Holding formal retrospective meetings after incidents to gather areas of improvement.

4. Invest in secure data storage protection

There are many ways firms collect and store data. From physical copies of records in secure filing cabinets to cloud storage solutions, data storage allows organizations to retain and access information seamlessly. 

Whether your organization uses physical storage, cloud storage, or a combination of both, securing these systems is critical. Physical storage, like external hard drives and flash drives, is susceptible to physical damage and theft. On the other hand, cloud storage opens the door to hackers via phishing attempts and stolen passwords without the right security solutions enabled. 

Secure data storage protection includes: 

• Protecting data storage systems against physical damage from natural events such as fires and floods.
• Limiting access to the physical location of data storage mechanisms with controlled access and user activity logs. 
• Protecting against unauthorized access when utilizing cloud storage solutions using password protection, encryption, and identity verification as needed.

“To protect data privacy, consumers and big enterprises must ensure that data access is restricted, authenticated, and logged. Most data breaches result from poor password management, which has prompted the growing use of password managers for consumers and businesses. Password manager software allows users to keep their passwords secret and safe, in turn keeping their data secure. In addition, they allow businesses to selectively provide access to credentials, add additional layers of authentication and audit access to accounts and data.”

- Matt Davey, Chief Operations Optimist at 1Password

5. Follow the principle of least privilege

Proper access control is one of the best ways an organization can protect itself through proper access control. Industry professionals suggest following the principle of least privilege (PoLP) when administering access to business information. 

Palo Alto Networks defined the PoLP as “an information security concept which maintains that a user or entity should only have access to the specific data, resources, and applications needed to complete a task.”

In other words, it’s better to play it safe by giving individual users the minimum access required to complete their job functions rather than equipping them with more information. The more eyes and hands that data sets fall into, the greater the potential for data breaches and misuse of critical information. 

IT and security teams should collaborate with other business units to define the amount of access and which data team members need to do their jobs. 

“Data breaching is one of the worst nightmares for anyone since an unauthorized person can access sensitive data. To ensure the high security of your confidential data, you should be selective about whom you allow access."

- Aashka Patel, Data Research Analyst at Moon Technolabs

6. Monitor access to sensitive information and user activity

Consider using activity monitoring tools to keep a real-time pulse on your data. Comprehensive real-time monitoring can provide automatic notifications for suspicious activity, application monitoring, and access logs. Keeping frequent tabs on user sessions related to sensitive data access can help you spot and investigate questionable employee behaviors. You may even be able to stop an employee from exposing sensitive information before it escalates to serious breaches.

“When it comes to data security, we regularly implore people not to store sensitive data in the cloud! After all, the ‘cloud’ is just another word for 'somebody else's computer'. So any time you put sensitive data up 'in the cloud,' you are abdicating your responsibility to secure that data by relying on a third party to secure it.

Any time data is on a computer connected to the Internet or even to an intranet, that connection is a possible point of failure. The only way to be 100% certain of a piece of data's security is for there to be only one copy on one computer, which isn’t connected to any other computer.

Aside from that, the weakest link in any organization is often the users - the human factor. To help minimize that, we recommend that organizations disable the so-called 'friendly from' in an email when the email program displays the name, and even the contact picture, in an inbound email.”

- Anne Mitchell, CEO/President at Institute for Social Internet Public Policy

7. Conduct regular security assessments and audits 

Putting your security practices to the test via assessments and audits allows businesses to identify gaps and weaknesses in their security posture before it’s too late. While the cadence and structure of inspections and audits vary based on an organization’s size, complexity, data regulations, and data types, cybersecurity company Vivitec suggests conducting assessments annually at a minimum to maintain continuous compliance. More frequent assessments, such as quarterly or semi-annually, as recommended by QS solutions, can provide additional assurance that your security measures remain effective.

8. Enforce strong passwords, VPN and multi-factor authentication (MFA) 

Enforcing password requirements protects business information. While employees might feel tempted to create short and easy-to-remember passwords across various work-related systems, doing so makes it easier for hackers to access accounts. 

According to the Psychology of Passwords 2022 by LastPass:

• 62% of respondents use the same password or a variation of it across systems
• 33% create stronger passwords for their work accounts 
• 50% change their passwords after a data breach

Without password policies and requirements, organizations leave these decisions up to employees, who may not always choose secure password protection. Require long passwords, a combination of characters, and password expiration timelines. Enable multi-factor authentication wherever possible to add an extra layer of security, ensuring that even if a password is compromised, unauthorized access remains unlikely. 

“Many websites collect personal information, which, combined with data on your IP address, can be used to disclose your identity completely. So, knowing how to use a VPN is an absolute must for two reasons: first, your information will be encrypted. Second, you will use your VPN provider's address, not your own. This will make it harder to reveal your identity, even if some of your data will be compromised during data breaches."

- Vladimir Fomenko, Founder of King-Servers.com

9. Incorporate access removal into your employee offboarding 

Neglecting to revoke access for former employees is a common security oversight. A recent study by Wing Security found that 63% of businesses surveyed have former employees who can still access some organizational data. To prevent unauthorized access, partner with human resources to create a thorough offboarding checklist that prevents former employees from accessing business-critical data. 

10. Conduct regular security awareness training 

Equip employees with the data security knowledge they need to uphold data integrity and act in a way that enables them to prevent data breaches and exposure. Conduct training using various formats to ensure it appeals to all users, and consider providing training on an annual basis to test employee knowledge and applications of the information. 

“Phishing email awareness and training initiatives can help reduce the unauthorized access of valuable data. Train employees not to open attachments from unknown sources and not to click on links in emails unless validated as trusted.

It’s also important to be aware of another form of phishing email, spear phishing, that is far more concerning. Spear phishing targets certain individuals or departments in an organization that likely have privileged access to critical systems and data. It could be the Finance and Accounting departments, System Administrators, or even the C-Suite or other Executives receiving bogus emails that appear legitimate. Due to the targeted nature, this customized phishing email can be very convincing and difficult to identify. Focusing training efforts towards these individuals is highly recommended.”

- Avani Desai, President of Schellman & Company, LLC

Data security trends

It’s better to be safe than sorry

No matter the size of your business, it’s imperative that you learn from the mistakes of others and take the necessary steps to strengthen your data security efforts so that you don't experience a data breach and put your customers' personal information at risk. Apply these data security best practices to your business sooner rather than later. If you wait too long, it could be too late.

If you’re working hard to protect and save your data, you must ensure you’re employing the right method.

Learn about continuous data protection and how it helps with data security.

This article was originally published in 2019. It has been updated with new information.