We’ve all seen the news headlines in recent years about data breaches – organisations of all types becoming the target of hackers or incidents happening as a result of malicious activity on the payment pages of business entities. The list goes on. We covered this topic more in-depth in our first whitepaper called 10 Most Interesting Data Breaches in 2019: Key Takeaways for Businesses and you can download it here. It’s imperative that organisations take proactive and strategic steps to secure their customers’ and employees’ data. Simply put, data security means keeping data safe from accidental and malicious damage. This article intends to serve as an expert’s guide on data security management. As you continue to read, you’ll discover the best practices and learn about the importance of data security in business.

Data security in 99 words

Data is any type of stored digital asset, whereas security refers to the protection of these assets. Data security is about the processes as well as technologies that organisations should be using to safeguard their digital information. It means that data security is critical to protecting confidential information. It involves putting in place specific controls, standard policies, and procedures to secure data from a range of issues, such as destructive forces and accidental loss. It can even concern the physical aspects of security to restrict access or data corruption. So, data security goes beyond basic security technologies like a firewall.

Why is data security important now more than ever?

Many organisations face the risk of a data breach exposing confidential information of users or employees. The frequency of such incidents has been increasing rapidly and result in tremendous costs for the affected companies. According to Cost of a Data Breach Report by IBM, the global average cost of a data breach increased to 3.31 million EUR in 2019 which was around 2.9 million EUR in 2014.

The same report also illustrates that data breaches with less than 10.000 compromised records incurred a cost of nearly 1.9 million EUR in 2019, whereas it was 1.6 million EUR in 2017. All these numbers clearly show that the threats from cyber criminals are bigger than it ever has been, making data security more important.

Main threats to data security

There are numerous potential threats to data security that organisations are trying to avoid. These include phishing attacks, ransomware, social engineering and many more. However, here we’re going to cover four unheard types of data security threats to keep you informed:

• Data access on personal devices: Smartphones and other personal devices are ubiquitous, making our lives convenient. The bad news is that the convenience brings risks. What happens when the company’s data is moved to a personal device? This may sound simple, but it’s a threat that can have devastating consequences. If intruders manage to hack a personal device, they can easily obtain access to company data.
  
  
• Patch management: Believe it or not, many cyber incidents start with outdated software. From a security standpoint, patches are most often of interest as they’re mitigating software flaw vulnerabilities. It’s crucial to update any software, otherwise, it will compromise the organisation’s security. In short, it’s good to remember that not staying up-to-date on patches will leave company’s systems vulnerable to known attacks that can be prevented by proper patching.
  
  
• Open access to controlled information: You may wonder who should access the company’s data, and under which circumstances? These are very critical questions. If everyone is granted access to data, it simply means that hackers will have multiple points of entry. So, access control is a fundamental component of data security that organisations should absolutely pay attention to.
  
  
• Weak password security: Passwords are usually seen to be low-hanging fruit because most people use poor passwords from a security standpoint. In other words, users choose something easy to remember, and worse yet, they use it for several digital accounts. In fact, weak passwords are causing security nightmares, putting data at risk. If organisations want to keep their data secure, they must ensure that their employees are aware of successful password policies. Make sure to check 5 password security best practices that we’ve rounded up for you.

3 data security standards you must know about

Data security standards are the countermeasures formulated for information systems or organizations that protect the confidentiality, integrity, and availability of information. The following are three standards you must be familiar with.

1. NIST 800-53

NIST 800-53 suggests standards and blueprints to recommend how government agencies in the United States should architect, implement and manage their information security systems. This standard is important because it provides a standardized framework for information security that fosters strong risk management across the entire Federal Government. NIST 800-53 compliance offers an industry advantage, and meeting NIST 800-53 control standards brings profit, and that’s seen to be a main reason to run a business. For detailed information about NIST framework, please have a look at our blog post where we explained NIST cybersecurity framework components.

2. FIPS 200

The Federal Information Processing Standards (FIPS) are standards published by the National Institute of Standards and Technology, used by the U.S. federal government in relation to computer systems. As regards the scope of applicability, FIPS 200 applies to all Federal Government information systems, except national security systems and specific classified information. This standard briefly says that there are 17 security-related areas where federal agencies should satisfy certain minimum requirements. Some of these areas include awareness and training, incident response, media protection, risk assessment and others.

3. PCI data security standard (DSS)

Payment card industry (PCI) security standards are technical and operational requirements defined by the Payment Card Industry Security Standards Council with the intention to protect cardholder information. It applies to all entities globally that store, process, and transmit cardholder data. So, any business that accepts or processes payment cards, it must adhere to the PCI DSS. In one of our previous articles we’ve explained how you can protect yourself from credit card fraud.

What is data security management?

Data security management is a way to preserve the integrity of data and to ensure that the data isn’t accessible to unauthorized parties or corrupted/modified by a susceptible person. We can say that data security management prepares plans, organizes, and manages data security activities. Moreover, it determines data security key performance indicators (KPI), which will inform when things don’t go according to plan. We’d also like to share the fundamentals of data security that are included in data security management strategy:

• Encryption: In the most basic sense, encryption takes readable data and transforms it, making it unreadable by anyone who doesn’t hold a decryption key.
  
  
• Data masking: Data masking or data obfuscation, is a technique organisations use to hide data. The main function of masking data is to safeguard sensitive information from third-party vendors and operator errors.
  
  
• Authentication: Authentication is the act of determining whether users are who they claim to be. If a user enters the correct credentials, the system considers the identity is valid and gives access.
  
  
• Two-factor authentication: This is an additional layer of security utilised to ensure the authenticity of the users trying to obtain access to an online account. Simply, this is an addition to the traditional password-only approach.
  
  
• Payment security: Businesses have responsibility to keep the purchasing process under control and minimize the risk of fraud at each step of checkout process. Business should also comply with global standards like PCI DSS, as we mentioned above.
  
  
• Data erasure: It is the act of deleting data from all electronic devices, most usually done to clear space for newer files. Deleting files on your hard disk does not remove the files entirely, so it’s important to erase data, securely and permanently.

Data security management best practices

Strong and well-formulated data management is critical. However, the task is particularly complex. That said, we share three best practices which you can follow to keep intruders out of your networks and protect your business from expensive consequences.

1. Switch your focus to data-centric security

Traditional security technology mainly focuses on where your data is. There’s actually a problem with that – when data moves somewhere else, another solution is needed, otherwise, data is going to remain unsecured. However, data-centric technology focuses on what needs to be protected – where data resides becomes less important. The implementation of this technology is strictly controlled from a centralized management system. In that way, organisations can make sure that their data is protected according to their security policies.

2. Make a data recovery plan

What would happen to your organisation if it experienced a terrible data loss? The question may seem simple, but the answer is hardly straightforward. It’s quite likely that any organisation could find itself on the edge of disaster due to a cyber incident. Therefore, having a data recovery plan may greatly help an organisation to recover its business operations quickly, and ultimately, may minimize the impact an unfortunate incident could leave.

3. Get your workforce on board with cyber defense

Cyber security must be seen as an organisation-wide commitment. This means that there’s a need to establish and promote a culture of security within the workforce. In that regard, senior leaders must feel obligated to explain the catastrophic effects of cyber incidents to employees, including financial losses and damaged corporate reputation. Additionally, they must be ready to engage in-person and show a human approach to the organization’s concerns when needed.

Final thoughts on data security management

We assume that now you’re ready to start your data security management journey. We live in an era where technology is developing exponentially, and data becomes more valuable than you think, not only to you, but to criminals as well. Given that. our advice is to stay informed, guard against data breaches, and protect your company’s information from disclosure or destruction.

Swiss Cyber Forum is committed to developing the digital safety as well as security of society through unique events, education and global conferences. Our goal is to assist society in understanding and preventing the cyber attacks. Therefore, we’ve designed a Cyber Security Specialist training with Swiss Federal Diploma where you will learn how to intelligently assess the cyberspace and anticipate relevant threats to your organization. Download the brochure and see more information. Excited about cyber security careers? Then read why choose cyber security as a career and 3 cyber security career advice no one tells you.