Learn how PurpleSec’s experts can help protect your organization’s data against cyber attacks.
Users Online
· Members Online: 0
· Total Members: 188
· Newest Member: meenachowdary055
Forum Threads
Latest Articles
Articles Hierarchy
9 Data Security Strategies You Need To Implement In 2022
9 Data Security Strategies You Need To Implement In 2022
Author: Eryk Waligora / Last Updated: 5/20/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM & Rich Selvidge, CISSP
View Our: Editorial Process
There are 9 strategies and best practices to follow when implementing a data security strategy in 2022 including identifying data security risks, conducting an asset inventory, implementing a data security policy, mobile data security, securing your database, securing data in the cloud, tracking user behavior, respecting data privacy, and enforcing and maintaining least-privilege.
What You’ll Learn
- What data security is and the differences between data privacy and data protection.
- How and why data breaches are still so prevalent in 2022.
- Common solutions every organization should implement to protect critical data.
- Compliance laws and regulations that govern data security practices.
- 9 proven strategies and best practices for protecting an organization’s data.
Data is integral to every aspect of life. It allows us to analyze financial trends, informs us on our health, it even helps to suggest new purchases we didn’t know we needed.
As one of the core assets used by businesses today, data helps to make informed decisions and generate continuous streams of revenue…making its security a top priority.
Securing data is and can be a significant challenge for enterprise and SMB organizations alike.
In this article, I’ll explain what data security is and why it’s important.
Next, I’ll highlight the steps necessary for an organization should take to reduce its risk.
Lastly, I’ll provide actionable tips on what you can do to secure your data.
What Is Data Security?
Data security is the process of assessing and implementing controls to protect digital assets and reduce risk.
Digital assets may include databases, files, accounts, and other information that is sensitive or critical to operations.
This makes sense when we think about securing data in a corporate environment.
In any given office or workspace there are plenty of systems and devices used to store and transmit all kinds of business data.
Physical devices, software, and applications all store data that may be of value for an attacker or could be compromised by an unintended leak.
One of the most common devices we use every day are workstation computers, which can store data either internally on premises, virtually on a cloud network, or in some sort of hybrid of the two.
No matter the method, there are potential risks in how your workstation data is stored.
This includes physical theft and destruction, network failure, or account take over, resulting in compromised data.
Another important source of data storage are databases. Almost every organization has some form of database to compile financial and personal identifiable information (PII).
These are key assets that attackers target because it’s an already neat and accessible bundle of valuable information that can be used for ransom, sold to the highest bidder, or leaked to the public.
Mobile devices, like smartphones and tablets, are also data hubs.
Essentially hand-held computers, these types of devices can retain large amounts of data, everything from apps, email, notes, and more.
What makes things harder for organizations is to be able to fully track where these data sources are located at all times and what’s on them, presenting an added security risk.
Printers are data storage points too! Many multi-function printers and copiers have internal hard drives that can store sensitive information that can be shared and leaked. (remember this next time you attend an office holiday party!)
So far, I’ve mentioned what data security is and common places where data is stored throughout the network.
Once the data storage points are located, the next step in securing data is to understand the type of data – is it private or confidential, who should have access to it, and what are the rules for protecting the data in the various places it is stored.
This leads us to a common question:
What’s The Difference Between Data Privacy and Data Protection?
- Data privacy is an individual’s guaranteed right to their personal information. Organizations typically establish policies around the highly sensitive nature of this type of data.
- Data protection on the other hand is the enforcement of data policies, not only to protect privacy, but the integrity and access of all data. This is accomplished by setting controls, authentication, encryption, and backups.
Remember, data privacy and data protection are not the same, nor do they demand the requirement of the other.
They do, however, fall under the umbrella of data security and are essential to forming proper assurances.
If data goes unprotected, or if private information is exposed, this can have severe consequences on an organization.
How PurpleSec Protects Your Sensitive Data
Our vulnerability management services and penetration testing services provide a holistic approach to securing what’s most important to your organization.
Why Is Data Security Important?
In the wrong hands, lack of a good data security framework can lead to data loss or data leakage, which can l lead to negative consequences for the business.
An organization can be extorted for large sums of money by a threat actor, unintentional error can be made by an employee, or an attack from a disgruntled employee can compromise the business.
An organization’s reputation can also be damaged, either from the content exposed in the data leakage or data loss itself or by the negative public image earned from the security failure.
Either scenario has the potential to impact the business standing in the eyes of customers, vendors, stakeholders, and possibly government regulators, depending on the type of data that was leaked.
How And Why Are Data Breaches Still Happening Today?
- Low barrier of entry for attackers – You don’t have to be a highly skilled hacker to breach an organization’s data. Most times, the capabilities required can be easily learned online and deployed without many additional resources. This is one of the primary reasons why social engineering is so effective as a point of entry to a network.
- Increased attack surfaces – While technology has become more connected to make our lives easier, it has also opened the flood gates to greater potential points of entry for attacks or data leaks.
- Reporting and response failures – Because businesses don’t want to suffer poor public relations and retain their integrity, many organizations do not publicly notify a breach to their data, which makes response and downstream remediation difficult. We can’t learn from what we don’t know.
- Geopolitical turmoil – The ongoing rivalries and tensions between countries across the globe embolden politically motivated nation-state threat actors.
- Not enough cyber security professionals – Simply put, there are far more open roles than there are cyber security professionals. This causes heavy workloads for some employees and strain on an organization to sufficiently operate its security objectives.
The growing number of new threats and attack vectors are constantly changing.
Cybercriminals are making fortunes off exploiting individuals and organizations due to a lack of knowledge or weak security practices.
Zero-day vulnerabilities have been increasingly taking advantage of this lucrative opportunity to exploit and steal data.
The graph below shows the rise between 2012 and 2021.
Who are what is the motivation behind the uptick in the attacks over the last decade?
This is sometimes a difficult answer because threat actors and motivations vary.
Some are in it for the money, seeking financial gain from sensitive data theft or ransomware.
Others can be politically based, infiltrating an opposing party or government across ideological lines with the goal of impacting an election or economy.
Many of these attacks aren’t done by lone amateurs but are sponsored by nation-state actors, such as China, Russia, and North Korea.
Seeking to cause chaos and fear by disrupting systems and supply chains is another, more direct, motivation carried out by attackers.
As the saying goes, “An attacker has to only be right once. Everyone else has to be right every time”.
But with the attack surface being so widespread and the bar for skills required to initiate an attack so low, being right every time can seem daunting.
So, what to do?
While there are no guarantee attacks can be completely eliminated, an organization can significantly reduce risk and improve its data security without a heavy lift.
This includes strategically implementing a framework to identify risks and deploying solutions to monitor, alert, and recover data loss.
These actions go a long way in closing the door on potential attackers attempting to exploit vulnerabilities.
Recent Data Security Breaches
Recent data breaches at high profile organizations have shown us exactly how an organization can suffer.
Ransomware gangs have been highly successful at infiltrating an organization’s network and demanding massive payouts.
On February 10, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on the growing technical sophistication of attackers and the increased threat to organizations globally.
Ransomware can demand anywhere between tens of thousands to tens of millions in payment.
The Kaseya data breach impacted around 1500 companies and was hit with a staggering $70 million ransom.
Because Kaseya’s platform is used by managed service providers (MSPs), which service many other companies, a domino effect took place, impacting all organizations linked to Kaseya.
This, unfortunately, is a common effect when large organizations are breached.
In another incident, the Accellion data breach showed us the danger of zero-day vulnerabilities in action.
A ransomware group exploited a known vulnerability, then threatened to sell the company’s stolen data unless payment was received.
Accellion services massive institutions all over the world, including the University of California, Trinity Health, and the City of Toronto.
However, ransomware and financial gain are not the only methods and motives used by threat actors in a data breach.
An organization might not even be the direct target in an attack either.
The Saudi Aramco data breach is a case where third-party vendors, used by the organization, were breached.
The attackers reportedly aimed to show off their hacking capabilities, instead of demanding restitution. Regardless, personal data on over 14,254 employees were exposed.
These cases are part of an overall trend in data breaches taking on a serious trajectory.
Consider the graph below from Statista that shows the stark rise in the number of data breaches between 2005 and 2020.
While there was a dip at the end of 2019 (most likely due to the chaos around the early stages of the global pandemic), the Identity Theft Resource Center’s annual report states that data breaches then increased 68% in 2021, compared to the previous year.
How PurpleSec Protects Your Sensitive Data
We’ve helped dozens of SMB and enterprise organizations work towards building more secure systems. Learn how our experts can help with your project today.
Common Data Security Solutions
Knowing what to protect and how critical for any security strategy and plan.
Having a general plan that covers all operational aspects of the business is important but putting the right mechanisms in place to protect your most valuable assets, or “crown jewels”, is essential.
Through a process of asset management, organizations can inventory, set necessary controls, and keep their most precious data under lock and key.
To determine the type of security required to protect assets, organizations should conduct an inventory assessment, which will discover any gaps in security that may exist.
If this step is not performed, there will be blind spots in identifying the whereabouts of sensitive data on endpoints, internal/external storage, and corporate applications.
Note: by implementing this step, it may require additional resources to complete, internal or external.
Based on the results of the assessment, the organization can then proceed to the next step by mapping out the appropriate security solutions to protect their corporate data.
Here are a few common data security solutions:
- Security Awareness
- Data Encryption
- Data Classification
- Data Loss Prevention
- Data Backup And Recovery
- Data Segmentation
- Vulnerability Management
- Network Firewalls
- Physical Security
- Endpoint Protection
Security Awareness
Most security failures aren’t due to technical issues. Instead, it comes down to plain and simple human error.
Having effective training and awareness in place to prevent employees from being victims of social engineering, being responsible with their devices in and out of the office, and how to properly manage and share their data will reduce security risks.
Interactive training modules, software update check ins, and routine email phishing simulations are all common practices to help ensure reinforce this type of security.
Data Encryption
Data encryption is a technology that uses complex algorithms to conceal and protect data.
The level of encryption could be as simple as hiding a login password, work files and emails, or can include entire networks.
Without encryption, any data leak or unauthorized user with access can easily see and expose the data content.
Encryption helps to ensure the safety of your data even when it is stolen or exposed.
Data Classification
Data classification is a process in which data is analyzed and organized into distinct categories based on its content, file type, or metadata.
Classifying categories further as either public, private, or restricted data is important for reducing the overall level of risk, improving productivity, and facilitating better decision making.
Data Loss Prevention
Data loss prevention is a strategy that detects potential data breaches or data ex-filtration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in-motion (network traffic), and at rest (data storage).
Destroyed, mishandled, or stolen data can have devastating financial impacts on a business.
Having a plan in place to mitigate loss is an important practice in cyber defense.
Data Backup And Recovery
Data back up and recovery, simply put, is maintaining a copy or archive of important data. It is a way to ensure that your data remains safe and intact.
Backup and recovery are important not only if there is a system failure or damage, but even in the case of a ransomware incident, where a threat actor could hold your data for payment.
Data Segmentation
Data segmentation is a process where data is separated into more than one network subset. By splitting the data into decentralized areas, this allows for less opportunity of full access.
If damage or attempted theft occurs, only a partial amount of the data will be at risk and not the full amount.
Vulnerability Management
Vulnerability management is the management of weaknesses surrounding assets that may be exploited by a threat actor, damaged, or misused.
Having a program in place to get a full picture of an organization’s vulnerabilities can help determine what needs be fixed, or “patched”, by level of priority, which is also called Vulnerability Patch Management.
This system allows an organization to defend against immediate threats.
Network Firewalls
Network firewalls are digital blockades that protect private data by filtering traffic and stopping unauthorized access.
It can also prevent malicious software from infecting a computer. This is a common line of defense that hardens an organization’s data security.
Physical Security
Physical security for data security is the protection of digital assets in the real world. Types of physical security can include cameras, locks, motion sensors, and human guards.
It’s essential to not only protect data from online hackers, but hackers in the physical world.
Securing a laptop from theft with a desk lock or conducting physical penetration testing to simulate theft and determine security gaps are an important part of keeping data safe.
Endpoint Protection
Endpoint protection is a process of centrally managing endpoints (desktops, laptops, mobile devices, servers, etc.).
With so many devices out in the world and in the office these days this leads to many more potential entry points to access data.
To secure these endpoints, organizations will commonly deploy anti-malware/anti-virus software to help in detection and response of any anomalous activity from malicious software that could infect the greater network.
Now that we’ve looked at the many data security solutions available for us, it’s important to understand how operating a plan for security with these solutions work under the current compliance laws and regulations.
Data Security Compliance Laws And Regulation
With so much sensitive data collected and maintained by organizations there’s a need to not only protect this data from attackers, but to protect data usage in compliance of established law to protect the organization, and often the public.
Note: A data policy is different from a data law or regulation. A data policy refers to an agreement determined by an organization and accepted by employees, customers, users, or patients.
Whereas a law or regulation is made by a governmental institution intended to protect the rights of those whose data is used by an organization.
Once a law or regulation has been created, an organization must follow the rules set in place.
If an organization fails to follow the rules it can be subject to financial, legal, and operational penalties.
This enforcement is designed to incentivize organizations to comply and to help guarantee protection for the public.
For these reasons, data security compliance is essential.
Many organizations will direct their Governance, Risk, and Compliance (GRC) security team, which works closely with legal and other policy-related departments, to create a strategy in making sure their usage of data is compliant to laws and regulations at the state, federal, and even international level.
This area of security helps to prevent an organization from running the risk of being charged with non-compliance.
Here are a few current laws and regulations that are important to know for data security compliance:
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley (SOX)
- Payment Card Industry (PCI)
- Graham-Leach-Bliley Act (GLBA)
- Family Educational Rights and Privacy Act (FERPA)
The Cyber Incident Reporting for Critical Infrastructure Act of 2022
This Act was designed as a response to the growing number of ransomware attacks and data breaches impacting the US government and critical infrastructure industries, such as telecommunications, healthcare, energy, and food.
The main component of the Act requires organizations that fall under one or more of the 16 sectors of critical infrastructure, as defined by the Presidential Policy Directive 21, to report a cyber incident to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the incident occurring.
The goal of this new policy is to strengthen US defense against attacks by increasing response times and monitoring.
Health Insurance Portability and Accountability Act (HIPAA)
HIPPA is a requirement from the Secretary of the U.S. Department of Health and Human Services (HHS) to regulate the protection of privacy and security of personally identifiable information (PII) and other health information.
Think of all the data you provide whenever you make a visit to your doctor: insurance, payment method, address, phone number, medical history, health concerns, lab tests and scans.
All this data is protected under HIPPA so that the healthcare industry cannot expose your personal data to the public or unauthorized third parties.
General Data Protection Regulation (GDPR)
The GDPR is one of the strongest data security and privacy laws in the world.
Crafted by the European Union (EU), it obligates organizations to abide by strict regulations on what kind of EU citizen data can be collected and maintained, and how.
One of the most important requirements is transparency. An organization must inform an individual of what personal data has been collected on them and what that data is being used for.
Because there isn’t a comparable data security law elsewhere, many international organizations default to GDPR as an international standard for data privacy and protection compliance.
Sarbanes-Oxley (SOX)
The SOX Act was passed by Congress to protect the public from falling victim to financial fraud or error by finance and other businesses in the US.
It requires all organizations operating in the US to formalize and enforce a data security policy that explicitly outlines how its data is protected.
With the rise in the digital economy, this regulation is important for the financial security of all Americans.
Payment Card Industry (PCI)
PCI is a compliance certification that demonstrates a financial institution’s ability to successfully maintain certain security standards for payment cards.
One of the major compliance factors involves credit card number security.
A certified organization must encrypt card numbers before they can transmit them over a network and must store the encrypted data in a secure environment.
Although this compliance certification is technically voluntary, it’s recognized as a basic safeguard and legitimacy factor in order to do business with other entities.
Graham-Leach-Bliley Act (GLBA)
The GLBA is a safeguard against misuse of personal financial data.
It sets compliance standards to protect consumer financial data from being shared between a financial institution or business and other third parties.
A company must explain to the consumer if or how their data will be shared with other entities, commonly loan, insurance, bank, and other financial services.
It’s a way to ensure privacy for the consumer over their most sensitive financial data.
Family Educational Rights and Privacy Act (FERPA)
The FERPA protects the privacy of students’ educational records from being shared or exposed without the explicit consent of the student or student’s parents.
It applies to any public or private educational institution that receives federal funding from the US Department of Education.
This form of data security compliance is important not only for educational institutions but for the third-party organizations that may do business with them.
Understanding the rules around student record data is vital for any organization to not suffer penalties from the federal government.
After defining at what data security is, why it’s important, the solutions that are available, and the need for compliance, the business can now proceed with creating a strategy that will secure their organization’s data.
How PurpleSec Protects Your Sensitive Data
We’ve helped dozens of SMB and enterprise organizations work towards building more secure systems. Learn how our experts can help with your project today.
Data Security Strategies To Implement In 2022
For an organization to be properly secure it must have a clear roadmap on how it will achieve its security goals.
The purpose of this section is to introduce the top strategic components that will aid in the build out of a mature data security program.
Following these best practices will help enable an organization to be more aware, hardened, compliant, and proactive about data security.
- Identify Data Security Risks
- Conduct An Asset Inventory
- Implement A Data Security Policy
- Mobile Data Security
- Secure Your Database
- Data Security In The Cloud
- Track User Behavior
- Respect Data Privacy
- Enforce And Maintain Least-Privilege
While the following components are not presented in a strict order, it’s best practice to start with is a risk assessment and asset inventory before properly securing data with the necessary controls and processes.
Once data is secured, it can then be tracked and monitored for assurance. Awareness and training programs can also follow at this point.
Regardless of where an organization proceeds, executing these key strategies will help the organization reduce the risk of data loss and improve its data security program.
1. Identify Data Security Risks
A security risk assessment is performed for organizations to assess, identify, and modify their overall security posture.
A complete assessment brings any and all security gaps to light.
In doing so, management can determine the next steps to remediate the weaknesses, often requiring greater resources such as funding, new tools, or more personnel.
With a detailed assessment in hand, it can be used to justify these improvements to organization stakeholders for support.
An organization can conduct a data risk assessment in-house, using their own teams and resources, or pay for a service that specializes in risk assessments.
If a data risk assessment is conducted by a third party, there are many legal steps involved to make sure the access and handling of data is protected.
To begin a risk assessment, an organization needs to identify all valuable data assets to test their security risk.
Once all testing and evaluation is complete, the best way to deliver an assessment is in a report format.
Technical aspects can be included in either appendixes or supplied as a supplemental document, but the goal is to have a readable source that can be easily referenced and understood by all parties.
2. Conduct An Asset Inventory
An asset inventory for data security is the identification of your most valuable assets in order to determine an associated level of risk.
A proper inventory is accomplished by first understanding the various classifications your organization has placed on its data.
After determining classifications, you can begin to map your assets to organize their structure and flow.
Once you have a full view of all assets you can then look to what potential threats exist in the context of your organization’s own data.
By classifying, mapping, and identifying the threat landscape you can prioritize risks and act on reducing your business’s attack surface.
3. Implement A Data Security Policy
An effective aspect of a good data strategy is for an organization to develop its own data security policy.
This helps set controls, expectations, and enforcement of the human element in securing data.
Without policies, users would have no direction or understanding of how to properly collect, leverage, or share data.
Some common policies that can be implemented to protect your data include:
- Workstation security
- Acceptable use
- Remote access
- Bring you own device (BYOD)
Having a policy that is laid out clearly and accessible for everyone will allow for a more consistent data security.
4. Mobile Data Security
With technology becoming increasingly more mobile, our data is constantly moving in and out of new environments.
This of course opens many potential risks. Mobile data security, whether it be a smartphone or tablet, involves securing the data located on or accessed from a mobile device.
Without a security process in place, a device that is stolen, damaged, or lost can become at risk of compromising corporate data by potentially infecting an organization’s wider network.
Setting proper access controls such as multi-factor authentication (MFA), avoiding untrusted and public WiFi networks, and centralizing native device and operating software (OS) security tools are some of the easiest and most effective ways of implementing mobile data security.
5. Secure Your Database
Database security requires the necessary tools, controls, and measures to properly maintain a database’s overall integrity.
Attempted unauthorized access, purging, downloading, and sharing of data are potential risks of an unsecured database.
There are several considerations in determining a database’s integrity, including its physical or virtual server, the database management system, third-party applications, the network infrastructure in which the database is accessed, and even the data itself.
Compromised databases can result in data breaches, intellectual property theft, or fines and penalties for non-compliance.
The best way to secure your database is to set basic administrative (backend) network access controls, always update database software to its latest version, encrypt the stored data, apply multi-factor authentication (MFA) for user access, back up and segment all data, and routinely audit.
These procedures are integral to strengthening your database security.
6. Data Security In The Cloud
Data that’s located in the cloud is a particular area of security based on the data’s location.
By its very nature, the cloud is designed to incorporate a wider network and range of accessibility.
Data can be accessed in virtually any location, which allows for greater efficiency and productivity. But from a security perspective, these qualities open a unique set of entry points and attack vectors.
There are a couple of key stakeholders when it comes to the responsibility of protecting data in the cloud; private and public cloud.
The first is private cloud, where the enterprise organization is entirely responsible for maintaining their own data centers.
Second is the public cloud, in which cloud vendors like Microsoft Azure or Amazon Web Services (AWS) own and operate the infrastructure and the enterprise organization is responsible for areas such as the virtual network, applications, and the data.
Implementing access control policies, devising encryption solutions, providing regular employee training, and securing endpoints are some of the best ways to begin securing data in the cloud from unauthorized access.
Compliance, monitoring, and auditing are added steps to make sure your security measures are effective or need the necessary improvements.
7. Track User Behavior
Tracking and analyzing user behavior is a form of security that recognizes individuals’ approaches to how data on a network is leveraged.
This could be to satisfy compliance factors, abuse done by public users, or even to determine the protentional of insider threats, or malicious activity done by employees.
Having this perspective allows for data to be intelligently monitored.
A common intelligence tool that can be applied to tracking user behavior is a Security Incident and Event Management (SIEM).
A SIEM logs behavior and analytics, providing insights used to make strategic decisions.
In addition to specific tooling, speed and adaptability are key to tracking user behavior.
Creating a custom-built architect to instantly answer relevant queries is an important function for timely results.
Having analytics scalable for any team to leverage as needed is also a desirable feature.
8. Respect Data Privacy
Respecting data privacy is not only an ethical consideration for an organization to adhere to, but a legal and financial one.
With the massive amounts of data being generated, maintained, and shared, there comes a certain level of delicateness required to preserve the privacy of users.
Failing to ensure privacy could mean failing to comply to laws and regulations, which puts an organization at risk of penalties, lawsuits, and even breaches.
Developing a policy is the first step in respecting data privacy.
Having a policy as a framework, controls can be securely put in place to make sure access and usage are properly aligned to an organization’s operational structure.
Finally, ongoing security awareness training is important to keep employees up to date and knowledgeable on the need for handling private data with care and within organization policy.
9. Enforce And Maintain Least-Privilege
Least-privilege access is exactly what it sounds like: a process in which the minimum level of access is granted to a user.
This model of “less is more” restricts users and applications from gaining administrative access to sensitive data.
Having full access granted to everyone would obviously be a bad idea. So, only specific users can leverage data.
A user can request access, but that decision is left to the administrative control and is typically based on a policy of who may or may not gain access.
This is the essential gatekeeping process that helps to track and reduce over access, and by default, greater inherent risk.
Maintaining a clear least-privilege policy and assigning administrative governance are the first steps in creating proper enforcement.
Wrapping Up
The world is more data driven than ever before, and new technology has allowed for greater ease of integration and distribution of data for users. This has its advantages and its concerns.
With evermore attack surfaces available for advantageous threat actors seeking to steal key assets, new laws and regulations requiring strict compliance, and privacy expectations, data security is the foundation for every security program.
This article has walked through the importance of properly securing data and how to do it.
Your organization now has the necessary information to develop and implement a strategy for a successful data security protection program.