During the second quarter of 2023, a staggering 110 million accounts were compromised, marking a significant increase compared to the initial quarter’s 43.2 million breaches. To provide perspective, this surge translates to an alarming rate of 855 accounts being compromised every minute during the second quarter, in contrast to the previous quarter’s rate of 334 accounts per minute.(Surfshark)
Several other reports have also pointed to increasing data breaches and the need for businesses to secure their data than ever before. In this article we explore four data security strategies to secure your critical data.
Why Data Security Holds Great Importance
At present, we are witnessing a rise in various attempts to breach our defenses and steal valuable data. These malicious endeavors might result in a ransomware crisis, where an attacker withholds our data until certain demands are met. They could also lead to yet another instance of a widely known data breach, casting a negative spotlight on our organization. These attackers might simply covet our intellectual property or aim to uncover enough information to publicly humiliate us or our clients. The range of potential scenarios is extensive and unsettling.
It’s crucial that we exert all efforts to safeguard and uphold the security of our data. As with any risk management strategy, our solutions should align with what our organization can realistically accommodate in terms of budget and available resources.
Taking steps to reduce risks to our systems and information is a matter of utmost seriousness. While some organizations might need to allocate significant resources to this endeavor, others can adopt a more streamlined approach. If the sophisticated and costly security solutions available seem overwhelming for our organization, how can we initiate the process with confidence?
What is a reasonable baseline of measures to safeguard your data?
Let’s explore how to safeguard your data in four areas of focus:
- Document your data inventory
- Back up your important data
- Assess your access controls from a data protection perspective
- Be intentional about how you leverage encryption
1. Document your data inventory
Although it sounds simple, documenting your data inventory is often more challenging than it seems on the surface. This is especially true in the era of ever-increasing adoption of third-party cloud solutions and services.
As the industry has moved away from a traditional technology architecture toward the on-demand provisioning of technology assets, it’s significantly more complex for an organization to keep track of where its data resides at any point in time.
If this sounds like something that applies only to larger technology enterprises, it’s not the case. Even smaller organizations that predominantly use, for example, the O365 suite of products, users are often allowed to store data almost anywhere they want.
It’s critical to document and track not only where you think your data should be but also where your data could be. It’s functionally impossible to operationalize the other processes you need to have in place without understanding what data you have and where it resides.
A data inventory should, at a minimum, contain information about what data you have, where it is stored, who its owner is, how it is categorized in your data classification structure, which users have access to it, what users can do with it, and any audit or regulatory requirements that apply to it.
Data ownership is often an overlooked discipline, but it’s critical to be intentional about who gets to decide how any given set of data needs to be treated. For example, a data owner should be the person that decides for how long a certain data type should be retained.
Depending upon the characteristics of your data environment, you may want to document how data transits into, out of, and within your technology boundaries by way of data flow diagrams.
There are an endless number of use cases that are empowered by an authoritative data inventory, including several we recommend as part of a baseline data protection program.
2. Back up your data
Now that you know what your data inventory consists of, it’s time to capture information about how and how often your data is backed up. If you’ve not centralized this information before, you might be surprised at the amount of effort it could take to track it down.
In many organizations, the backup treatment is simply determined by how their backup solution works out of the box. Truly effective backups need sufficient intentionality in this area. If you are creating a comprehensive data inventory for the first time, it’s inevitable that you are going to find examples where highly valuable data is randomly backed up or, in some cases, not backed up at all.
Once you’ve documented the backup status of all data in your inventory, you can perform an assessment as to whether changes are needed. Likely, you will need to initiate a project through which the organization will pursue getting backups to the appropriate scope and frequency.
Part of backing up your data is ensuring you can leverage the backup copies as needed. This means testing your ability to recover data from a backup source. The first time an organization tests its ability to recover from a backup, there are bound to be surprises and lessons to be learned. This is a normal, constructive part of advancing processes and practices in this area. That shouldn’t be a discouragement.
PRO TIP – It is important to note that one of the simplest steps you can take to protect yourself from a ransomware incident is to backup your data and to verify that you can recover your data from backup copies.
3. Assess your access controls from a data protection perspective
Typically, we think about our access controls from the standpoint of who needs certain types of access to do their work. The best practice of ‘least privilege’ tells us that we need to provide only the minimum access needed by a user to perform their job duties.
In practice, however, access provisioning often results in excessive permissions. In most day-to-day operations, it is a natural tendency to over-provision access than it is to under-provision it. Granting too much access is unlikely to slow down a user while granting too little access requires iterative work and impedes a user’s ability to be productive.
Now that we have a data inventory, we should be able to have a centralized view of who has access to what data. In this area also, surprises should be fully expected.
Removing access to data can be one of the more challenging efforts needed in this process. Without careful and thoughtful analysis, users will be unfortunately impacted, but there are many reasons why this step is worthwhile.
In just one simple example, imagine a user in your organization ends up with malware on their desktop. The exposure related to the presence of the malware is greatly impacted by the data to which the user has access, the permissions the user has relative to the data, and the individual behavior of the impacted user.
Naturally, if this user has overprovisioned access, the risk exposure is greatly increased.
PRO TIP – Drawing down user access to data can be a sensitive initiative within any organization, but the current threat landscape makes it clear that it’s something we all need to approach in a serious manner.
4. Be intentional about how you leverage encryption methods
Encryption comes in different forms these days, and our options depend greatly upon the kind of technology assets that are present in our organization. In some organizations, it might be most important to ensure an encryption program is running on all laptops. In another organization, it might be a higher priority to strategically encrypt databases that contain confidential information.
Network-level encryption is a completely different domain and can be critically important for some. Some organizations may find it critical to ensure staff are encrypting sensitive data before sharing it via email. The variations are many.
From an organizational standpoint, it’s imperative to be strategically intentional about how encryption solutions and practices are applied.
As was the case with our backups, we often find that the implementation of encryption methods hasn’t been strategic at all. Rather, they map back to the original requirements of the projects that resulted in any given encryption method.
Our data inventory allows us to assess the treatment of our data, including whether a given data set is protected via encryption methods. Any gaps identified are likely to require a project-level effort to be addressed.
PRO TIP – The project we initiate relative to smartly advancing our use of encryption will require thoughtful planning and prioritization. In most organizations it’s likely to be a multi-year effort. But it’s undeniably a critical component in our data security and protection approach.
Summary
If your organization has hesitated or outright ignored looking at how you are and are not caretaking your data, you are not alone. It’s common for this area of cybersecurity and risk management programs to feel overwhelming. And since the technical solutions and their respective controls tend to be layered through technology architecture, it can feel significantly challenging to develop a holistic view of what is needed. These steps can help you get started safeguarding your data, regardless of your current state.
Next steps…
If you’d like help talking through the specifics of your organizational needs and how to get started, contact us now.