by Mara Calvello / September 10, 2024
News of a major data breach seems almost commonplace.
From Equifax to Capital One, countless companies have faced the fallout of compromised customer data. This raises a critical question: are you confident your business is taking the necessary steps to safeguard sensitive information?
Data breaches are entirely preventable with tools like data-centric security software. By prioritizing cybersecurity, you can protect your customers and avoid becoming the next headline.
We've consulted security professionals to help navigate this crucial aspect of business. They'll share their insights on effective data security methods. But before diving in, let's clearly understand what data security entails.
Data security is the practice of protecting company data and preventing data loss caused by unauthorized access. This includes safeguarding your data from attacks that can encrypt or destroy it, such as ransomware, and from those that can alter or corrupt it. Data security also ensures that data remains available to the people in the business who need it.
Some sectors must meet strict data security requirements under data protection rules. For example, firms that accept payment cards must process and store cardholder data securely, and healthcare institutions in the United States must comply with the Health Insurance Portability and Accountability Act (HIPAA) standards for securing protected health information (PHI).
Even if your firm is not subject to a rule or compliance requirement, data security is critical to the sustainability of a contemporary business since it may affect both the organization's core assets and its customers' private data.
Data security threats come in many forms, but here are some of the most common:
Data security encompasses several types of protection for safeguarding data, devices, and networks. Here are some common types:
Data encryption protects information by using algorithms to scramble data so that it is unreadable without the correct decryption keys. Encryption is particularly effective when transmitting sensitive data, such as sending files via email. Even if an attacker steals the data, they can't read it without the keys.
Similar to data encryption, data masking conceals sensitive information but uses a different approach. It replaces raw data with fictional information, making it unusable for unauthorized individuals.
For example, a company could substitute real credit card numbers with fictional ones in a dataset to prevent exposure that could lead to fraudulent transactions. This technique preserves confidentiality when sharing or displaying data with people who don't need access to the actual values.
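As an added illustration of the credit-card substitution described above (example code written for this article, not taken from any vendor or product it mentions), the function below replaces a real card number with a fictional one that has the same length and layout and still passes the Luhn check, so it can be used in test or analytics datasets. The mapping is keyed with an HMAC so the same real number always maps to the same fake one; the key name and sample numbers are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed secret for the keyed mapping; a real deployment loads it from a secrets store.
MASKING_KEY = b"constructed-demo-key-do-not-reuse"


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial + digit` pass the Luhn check."""
    total = 0
    # Walk from the right; once the check digit is appended, these positions
    # alternate starting with a doubled digit.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return len(number) >= 2 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(pan: str) -> str:
    """Replace a real card number with a fictional, Luhn-valid one of the same length
    and layout. The mapping is keyed and deterministic: the same input always yields
    the same fake value (joins across masked tables still line up), but the real
    number cannot be recovered from the fake without MASKING_KEY."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    tag = hmac.new(MASKING_KEY, digits.encode(), hashlib.sha256).hexdigest()
    # Derive len(digits)-1 body digits from the tag, then append a fresh check digit.
    body = "".join(str(int(tag[i:i + 2], 16) % 10) for i in range(0, 2 * (len(digits) - 1), 2))
    fake = iter(body + luhn_check_digit(body))
    # Keep the original separators (spaces, dashes) so the masked value looks like the real one.
    return "".join(next(fake) if ch.isdigit() else ch for ch in pan)


def mask_records(rows, field="card"):
    """Mask one field across a dataset, leaving the other columns untouched."""
    return [{**row, field: mask_pan(row[field])} for row in rows]


if __name__ == "__main__":
    sample = [{"id": 1, "card": "4111 1111 1111 1111"}, {"id": 2, "card": "4111-1111-1111-1111"}]
    for row in mask_records(sample):
        print(row)
```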
Not all sensitive data needs to be retained indefinitely, and holding on to it longer than necessary can pose risks. Data erasure, sometimes called data clearing or wiping, obliterates sensitive information from storage devices and systems. It’s a technical task that IT security professionals perform to reduce the chance of unauthorized individuals gaining access.
It’s important to note that data erasure is more permanent than ordinary deletion, which often leaves the information recoverable. Data erasure ensures the data is entirely unrecoverable.
Accidental destruction or data loss due to malicious activity can cause severe business losses. Organizations can mitigate this risk by improving their data resiliency, that is, their ability to recover from an unexpected breach or data loss event. This includes developing and deploying business continuity plans and data backups to limit disruption.
Organizations boost their data resiliency by addressing security weaknesses and protecting the impacted datasets moving forward.
Several methods, policies, and behaviors can enhance your overall data security strategy. While there isn’t one magic data security solution, combining several of these best practices (ideally all of them) will improve your organization’s security posture.
It’s much harder to protect your data and sensitive information if you don’t understand the types of data you gather, where it lives, and how sensitive it is. The first step to implementing an effective data security strategy is to familiarize yourself with your data and take targeted action to mitigate the risks.
There are several ways you can classify and label your datasets. Imperva outlined and defined three general categories of data to start with:
Once your data is classified, the next critical step is to label all your information accordingly. For example, medium-sensitivity documents intended for internal use could benefit from a footer that reads, “Intended for internal use only.”
Ensuring employees understand the data they use and what they should use it for aligns team members to a shared security structure.
Data security policies specify the administration, handling, and usage of data within an organization to safeguard information and prevent data breaches. They help employees understand their level of access to and responsibility for business data. These requirements and instructions also help businesses adhere to data protection regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Creating a data security policy is a multi-step process. Apono’s step-by-step guide outlines six essential elements of a robust policy, namely:
“As a small business, we try to centralize our tools into as few products as possible. For instance, we chose our file share solution based on its ability to consolidate other services we need, such as group communication, shared calendars, project management, online editing, collaboration, and more. So, we chose NextCloud on a virtual private server. One SSL certificate covers everything it does for us. We use a static IP from our internet service provider and enforce secure connections only. The second reason we went this route was that it encrypts the data it stores. Hacking our NextCloud will only get you gibberish files you can't read. It saved us a lot of money implementing our solution and has free iOS and Android apps.”
- Troy Shafer, Solutions Provider at Shafer Technology Solutions Inc.
“To avoid being a company that experiences a data breach, start by buying in. Acknowledge your company requires non-IT executive attention to this security initiative. Understand that you can hire and retain the right kind of security leadership if you plan to do it internally. If your company has less than 1,000 employees, it’s probably a mistake to 100% use in-house security, and it would be better served by hiring a risk management company to assist with the long-term effort of your data security efforts.”
- Brian Gill, Co-founder of Gillware
While it’s impossible to prevent data breaches and loss entirely, businesses can set themselves up for smoother recoveries by considering incident response before an incident occurs. Companies create incident response plans to manage security incidents and outline proper next steps to minimize the impact.
Incident response plans are most effective when detailed and evergreen. They provide helpful procedures and resources to aid in the attack's aftermath. Codified playbooks and instructions, a robust communication plan, and a process for regularly updating the plan can set your organization up for success.
The Cybersecurity & Infrastructure Security Agency (CISA) offers some additional Incident Response Plan (IRP) Basics to consider, including:
There are many ways firms collect and store data. From physical copies of records in secure filing cabinets to cloud storage solutions, data storage allows organizations to retain and access information seamlessly.
Whether your organization uses physical storage, cloud storage, or a combination of both, securing these systems is critical. Physical storage, like external hard drives and flash drives, is susceptible to physical damage and theft. On the other hand, cloud storage opens the door to hackers via phishing attempts and stolen passwords without the right security solutions enabled.
Secure data storage protection includes:
“To protect data privacy, consumers and big enterprises must ensure that data access is restricted, authenticated, and logged. Most data breaches result from poor password management, which has prompted the growing use of password managers for consumers and businesses. Password manager software allows users to keep their passwords secret and safe, in turn keeping their data secure. In addition, they allow businesses to selectively provide access to credentials, add additional layers of authentication and audit access to accounts and data.”
- Matt Davey, Chief Operations Optimist at 1Password
Proper access control is one of the best ways an organization can protect its data. Industry professionals suggest following the principle of least privilege (PoLP) when administering access to business information.
Palo Alto Networks defined the PoLP as “an information security concept which maintains that a user or entity should only have access to the specific data, resources, and applications needed to complete a task.”
In other words, it’s better to play it safe by giving individual users the minimum access required to complete their job functions rather than equipping them with more information. The more eyes and hands that data sets fall into, the greater the potential for data breaches and misuse of critical information.
IT and security teams should collaborate with other business units to define which data, and what level of access to it, team members need to do their jobs.
“Data breaching is one of the worst nightmares for anyone since an unauthorized person can access sensitive data. To ensure the high security of your confidential data, you should be selective about whom you allow access.”
- Aashka Patel, Data Research Analyst at Moon Technolabs
Consider using activity monitoring tools to keep a real-time pulse on your data. Comprehensive real-time monitoring can provide automatic notifications for suspicious activity, application monitoring, and access logs. Keeping frequent tabs on user sessions related to sensitive data access can help you spot and investigate questionable employee behaviors. You may even be able to stop an employee from exposing sensitive information before it escalates to serious breaches.
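To show what the real-time monitoring described above looks like in practice, here is an added example (written for this article, not from any monitoring product) that runs two simple detections over constructed access-log lines: a user touching an unusual number of distinct high-sensitivity records within a short window, and sensitive-record access outside business hours. The log format, thresholds and user names are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system):
# timestamp  user  action  record  classification
SAMPLE_LOG = """\
2024-09-10T09:02:11 alice READ cust/1001 HIGH
2024-09-10T09:02:15 alice READ cust/1002 HIGH
2024-09-10T09:03:40 bob READ cust/2001 LOW
2024-09-10T09:04:02 alice READ cust/1003 HIGH
2024-09-10T09:04:09 alice READ cust/1004 HIGH
2024-09-10T09:04:20 alice READ cust/1005 HIGH
2024-09-10T09:04:31 alice READ cust/1006 HIGH
2024-09-10T23:15:00 carol EXPORT cust/3001 HIGH
"""

BULK_THRESHOLD = 5              # distinct HIGH records per user within WINDOW
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time (assumed policy)


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, record, level = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record, level))
    return sorted(events)


def detect(events):
    """Return alerts as tuples; only HIGH-classified accesses are examined."""
    alerts = []
    recent = defaultdict(list)  # user -> [(time, record)] of HIGH accesses inside WINDOW
    for ts, user, action, record, level in events:
        if level != "HIGH":
            continue
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, ts.isoformat(), action, record))
        # Slide the per-user window forward and count distinct records in it.
        window = [(t, r) for t, r in recent[user] if ts - t <= WINDOW]
        window.append((ts, record))
        recent[user] = window
        distinct = {r for _, r in window}
        if len(distinct) == BULK_THRESHOLD:   # fire once, when the threshold is crossed
            alerts.append(("bulk_access", user, ts.isoformat(), len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```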
“When it comes to data security, we regularly implore people not to store sensitive data in the cloud! After all, the ‘cloud’ is just another word for 'somebody else's computer'. So any time you put sensitive data up 'in the cloud,' you are abdicating your responsibility to secure that data by relying on a third party to secure it.
Any time data is on a computer connected to the Internet or even to an intranet, that connection is a possible point of failure. The only way to be 100% certain of a piece of data's security is for there to be only one copy on one computer, which isn’t connected to any other computer.
Aside from that, the weakest link in any organization is often the users - the human factor. To help minimize that, we recommend that organizations disable the so-called 'friendly from' in an email when the email program displays the name, and even the contact picture, in an inbound email.”
- Anne Mitchell, CEO/President at Institute for Social Internet Public Policy
Putting your security practices to the test via assessments and audits allows businesses to identify gaps and weaknesses in their security posture before it’s too late. While the cadence and structure of inspections and audits vary based on an organization’s size, complexity, data regulations, and data types, cybersecurity company Vivitec suggests conducting assessments annually at a minimum to maintain continuous compliance. More frequent assessments, such as quarterly or semi-annually, as recommended by QS solutions, can provide additional assurance that your security measures remain effective.
Enforcing password requirements protects business information. While employees might feel tempted to create short and easy-to-remember passwords across various work-related systems, doing so makes it easier for hackers to access accounts.
According to the Psychology of Passwords 2022 by LastPass:
Without password policies and requirements, organizations leave these decisions up to employees, who may not always choose secure passwords. Require long passwords, a mix of character types, and password expiration timelines. Enable multi-factor authentication wherever possible to add an extra layer of security, ensuring that even if a password is compromised, unauthorized access remains unlikely.
“Many websites collect personal information, which, combined with data on your IP address, can be used to disclose your identity completely. So, knowing how to use a VPN is an absolute must for two reasons: first, your information will be encrypted. Second, you will use your VPN provider's address, not your own. This will make it harder to reveal your identity, even if some of your data will be compromised during data breaches.”
- Vladimir Fomenko, Founder of King-Servers.com
Neglecting to revoke access for former employees is a common security oversight. A recent study by Wing Security found that 63% of businesses surveyed have former employees who can still access some organizational data. To prevent unauthorized access, partner with human resources to create a thorough offboarding checklist that prevents former employees from accessing business-critical data.
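One concrete control behind the offboarding checklist above is a periodic reconciliation of the HR roster against the accounts that are still enabled in each system. The example below is added for this article (not from any HR or identity product) and uses constructed roster and account data; it flags accounts of terminated employees that are still enabled, notes whether they were used after the exit date, and lists orphaned accounts with no HR record at all.

```python
from datetime import date

# Constructed HR roster: employee id -> (email, termination date or None if current)
HR_ROSTER = {
    "E100": ("alice@example.com", None),
    "E101": ("bob@example.com", date(2024, 8, 30)),
    "E102": ("carol@example.com", date(2024, 12, 31)),  # future-dated leaver, still employed
}

# Constructed export of enabled accounts per system: system -> {email: last login date}
ACTIVE_ACCOUNTS = {
    "sso": {"alice@example.com": date(2024, 9, 9), "bob@example.com": date(2024, 9, 5)},
    "fileshare": {"bob@example.com": date(2024, 9, 8), "dave@example.com": date(2024, 7, 1)},
    "crm": {"carol@example.com": date(2024, 9, 9)},
}


def reconcile(roster, accounts, today):
    """Return (stale, orphans).

    stale:   (system, email, note) for enabled accounts whose owner left before `today`
    orphans: (system, email) for enabled accounts with no HR record at all
    """
    termination_by_email = {email: term for email, term in roster.values()}
    stale, orphans = [], []
    for system, users in accounts.items():
        for email, last_login in users.items():
            if email not in termination_by_email:
                orphans.append((system, email))
                continue
            term = termination_by_email[email]
            if term is not None and term < today:
                used_after_exit = last_login is not None and last_login > term
                note = "used after exit" if used_after_exit else "still enabled"
                stale.append((system, email, note))
    return stale, orphans


if __name__ == "__main__":
    stale, orphans = reconcile(HR_ROSTER, ACTIVE_ACCOUNTS, date(2024, 9, 10))
    print("disable:", stale)
    print("investigate:", orphans)
```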
Equip employees with the data security knowledge they need to uphold data integrity and to prevent data breaches and exposure. Conduct training in a variety of formats so it reaches all users, and consider annual refresher training to test employee knowledge and application of the information.
“Phishing email awareness and training initiatives can help reduce the unauthorized access of valuable data. Train employees not to open attachments from unknown sources and not to click on links in emails unless validated as trusted.
It’s also important to be aware of another form of phishing email, spear phishing, that is far more concerning. Spear phishing targets certain individuals or departments in an organization that likely have privileged access to critical systems and data. It could be the Finance and Accounting departments, System Administrators, or even the C-Suite or other Executives receiving bogus emails that appear legitimate. Due to the targeted nature, this customized phishing email can be very convincing and difficult to identify. Focusing training efforts towards these individuals is highly recommended.”
- Avani Desai, President of Schellman & Company, LLC
Data security is constantly evolving to combat new threats. Here are some key trends:
No matter the size of your business, it’s imperative that you learn from the mistakes of others and take the necessary steps to strengthen your data security efforts so that you don't experience a data breach and put your customers' personal information at risk. Apply these data security best practices to your business sooner rather than later. If you wait too long, it could be too late.
This article was originally published in 2019. It has been updated with new information.
Mara Calvello is a Content Marketing Manager at G2. She received her Bachelor of Arts degree from Elmhurst College (now Elmhurst University). Mara writes customer marketing content, while also focusing on social media and communications for G2. She previously wrote content to support our G2 Tea newsletter, as well as categories on artificial intelligence, natural language understanding (NLU), AI code generation, synthetic data, and more. In her spare time, she's out exploring with her rescue dog Zeke or enjoying a good book.