We continue to see an increase in activity related to numerous attack vectors focused upon stealing data.
These nefarious attempts could lead to a ransomware incident in which a threat actor refuses to give your data back unless certain conditions are met. They could result in yet another highly visible data breach, this time it being your organization getting all the bad publicity. They might simply be after your intellectual property or looking to get access to enough information to publicly embarrass you or your clients in some way. The list of scenarios is long and unpleasant.
We need to be doing everything we can to secure and protect our data. As with all risk management our solutions need to fit what our organization can support from a budget and resource commitment standpoint.
We must be serious about reducing risk to systems and information. Some organizations need to make a significant investment in this area while others may need to take a leaner approach. If the robust, expensive solutions out there are perhaps too much for your organization, how do you even think about getting started?
What is a reasonable baseline of measures to safeguard your data?
Let’s explore how to safeguard your data in four area of focus:
- Document your data inventory
- Back up your important data
- Assess your access controls from a data protection perspective
- Be intentional about how you leverage encryption
1. Document your data inventory
Although it sounds simple, documenting your data inventory is often more challenging than it seems on the surface. This is especially true in the era of ever-increasing adoption of third-party cloud solutions and services.
As the industry has moved away from a traditional technology architecture toward on-demand provisioning of technology assets it’s significantly more complex for an organization to keep track of where their data resides at any point in time.
If this sounds like something that applies only to larger technology enterprises, it’s not the case. Even smaller organizations that predominantly use, for example, the O365 suite of products, users are often allowed to store data almost anywhere they want.
It’s critical to document and track not only where you think your data should be, but also where your data could be. It’s functionally impossible to operationalize the other processes you need to have in place without understanding what data you have and where it resides.
A data inventory should, at a minimum, contain information about what data you have, where it is stored, who its owner is, how it is categorized in your data classification structure, which users have access to it, what users can do with it, and any audit or regulatory requirements that apply to it.
Data ownership is often an overlooked discipline, but it’s critical to be intentional about who gets to decide how any given set of data needs to be treated. For example, a data owner should be the person that decides for how long a certain data type should be retained.
Depending upon the characteristics of your data environment you may want to document how data transits into, out of, and within your technology boundaries by way of data flow diagrams.
There are an endless number of use cases that are empowered by an authoritative data inventory, including several we recommend as part of a baseline data protection program.
2. Back up your data
Now that you know what your data inventory consists of, it’s time to capture information about how and how often your data is backed up. If you’ve not centralized this information before you might be surprised at the amount of effort it could take to track it down.
In many organizations, the back up treatment is simply determined by how their backup solution works out of the box. Truly effective backups need sufficient intentionality in this area. If you are creating a comprehensive data inventory for the first time, it’s inevitable that you are going to find examples where highly valuable data is randomly backed up, or in some cases, not backed up at all.
Once you’ve documented the back up status of all data in your inventory, you can perform an assessment as to whether changes are needed. Likely, you will need to initiate a project through which the organization will pursue getting back ups to the appropriate scope and frequency.
Part of backing up your data is ensuring you can leverage the backup copies as needed. This means that testing your ability to recover data from a backup source. The first time an organization tests its ability to recover from a backup there is bound to be surprises and lessons to be learned. This is a normal, constructive part of advancing processes and practices in this area. That shouldn’t be a discouragement.
PRO TIP – It is important to note that one of the simplest steps you can take to protect yourself from a ransomware incident is to backup your data and to verify that you can recover your data from backup copies.
3. Assess your access controls from a data protection perspective
Typically, we think about our access controls from the standpoint of who needs certain types of access to do their work. The best practice of ‘least privilege’ tells us that we need to provide only the minimum access needed by a user as to perform their job duties.
In practice, however, access provisioning often results in excessive permissions. In most day-to-day operations it is a natural tendency to over-provision access than it is to under-provision it. Granting too much access is unlikely to slow down a user, while granting too little access requires iterative work, and impedes a users ability to be productive.
Now that we have a data inventory, we should be able to have a centralized view of who has access to what data. In this area also, surprises should be fully expected.
Removing access to data can be one of the more challenging efforts needed in this process. Without careful and thoughtful analysis, users will be unfortunately impacted, but there are many reasons why this step is worthwhile.
In just one simple example, imagine a user in your organization ends up with malware on their desktop. The exposure related to the presence of the malware is greatly impacted by the data to which the user has access, the permissions the user has relative to the data, and the individual behavior of the impacted user.
Naturally, if this user has overprovisioned access, the risk exposure is greatly increased PRO TIP – Drawing down user access to data can be a sensitive initiative within any organization, but the current threat landscape makes it clear that it’s something we all need to approach in a serious manner.
4. Be intentional about how you leverage encryption methods
Encryption comes in different forms these days and our options depend greatly upon the kind of technology assets that are present in our organization. In some organizations it might be most important to ensure an encryption program is running on all laptops. In another organization it might be a higher priority to strategically encrypt databases that contain confidential information.
Network-level encryption is a completely different domain and can be critically important for some. Some organizations may find it critical to ensure staff are encrypting sensitive data before sharing it via email. The variations are many.
From an organizational standpoint, it’s imperative to be strategically intentional about how encryption solutions and practices are applied.
As was the case with our backups, we often find that the implementation of encryption methods hasn’t been strategic at all. Rather, they map back to the original requirements of the projects that resulted in any given encryption method.
Our data inventory allows us to assess the treatment of our data, including whether a given data set is protected via encryption methods. Any gaps identified are likely to require a project-level effort as to be addressed.
PRO TIP – The project we initiate relative to smartly advancing our use of encryption will require thoughtful planning and prioritization. In most organizations it’s likely to be a multi-year effort. But it’s undeniably a critical component in our data security and protection approach.
If your organization has hesitated or outright ignored looking at how you are and are not caretaking your data, you are not alone. It’s common for this area of cybersecurity and risk management programs to feel overwhelming. And since the technical solutions and their respective controls tend to be layered through technology architecture, it can feel significantly challenging to develop a holistic view of what is needed. These steps can help you get started safeguarding your data, regardless of your current state.
If you’d like help talking through the specifics of your organizational needs and how to get started, contact us below.