Thanks to a spate of high-profile hacks like Talk Talk, PageUp, and MyHeritage, data security is on everyone’s mind. A lot of people have become more aware of the use of data and its potential loss. The stakes are high for every organisation.
Your reputation is valuable too
Loss of data, whether through a hack, negligence, or some other failure of governance, causes a tremendous loss of trust with consumers. So the financial consequences of a data breach are not the only ones to consider. There is also a reputational cost that could take years to recover from. To take one example — Talk Talk’s data breach cost them £60m and the loss of more than 100,000 customers. This is a situation you do not want to be in.
Who is responsible for securing data?
In larger organisations, data security tends to fall to a dedicated cyber-security team. They are responsible for penetration testing, ensuring firewalls and other security measures are in place, and running red and blue teams (a red team plays the attacker against a system; a blue team defends it).
In a smaller organisation, it usually falls to the IT team. This is where data security becomes a lot more tricky. Some organisations don’t have the resources to dedicate to red and blue teams. Plus, data security tends to be something you are either a whizz at, or something you just about get by with. Considering the value of personal data today, data security is not something you can muddle through. If you have to hope for the best, then your security is not robust enough.
How to secure your data
As a start point, your data security needs to encompass:
- Control over who has access to data.
- Clear processes to request and receive data access (with these processes communicated across your organisation).
- Physical security to protect data.
- Regular penetration testing to check the security of existing systems.
- Encryption of any personal data.
- Auditing to understand who has used data, and what it was used for.
A good foundation is to secure all data by exception. This means you consider the reasons why the data can’t be accessed, not the reasons why it could be. Start by assuming everyone in the organisation has access, and then work backwards: what data does everyone need access to? What data can be restricted, which individuals need to be restricted, and by how much?
For organisations with limited resources, there are many effective security tools with out-of-the-box functionality to get you started. Simply turn on the functions your organisation needs (such as masking, encryption, and role-level permissions).
It’s vital to assign responsibility for data sets to a clear owner; everyone needs to know who the data owner is. This helps with data auditing and governance. If something goes wrong, a clear chain of command to report to will vastly help with patching any security flaws.
Even the best security can fail
Of course, no matter how secure your systems, breaches can still occur. When securing your systems, also consider any crisis management that you may need if the data is lost. You could have the best firewall in the world, but nothing is there to stop a rogue employee from taking a photo of data on their screen and leaking it. The right technology, protocols and processes still have their limits.
Non-sensitive data can become sensitive when analysed
People also tend to think of access to data in an isolated way. When securing data, information such as full names and addresses is often highly secured, with access restricted. However, other data sets, like a date of birth and a postcode, might not be as well secured, and combined they can lead to someone being identified. Margin is a highly sensitive and controlled figure in many organisations. But employees with access to sales and supply chain data could combine them to estimate the company margin.
When securing data, therefore, don’t just consider the data itself but what it could become. Secure the individual elements that make up sensitive data as well. Don’t be lulled by pseudonymised data into believing it is fully anonymous and therefore secure.
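The re-identification risk described above can be measured before an extract is shared. This added example (not from the original post) checks a constructed, pseudonymised extract for k-anonymity over the date-of-birth and postcode columns, lists the records that are singled out, and shows how generalising those columns raises k.

```python
"""Re-identification check on a pseudonymised extract (added example).
Names have been replaced by opaque ids, but date of birth and postcode
are kept, so combinations of the two can still single people out."""
from collections import Counter

# Constructed sample records, for illustration only.
RECORDS = [
    {"id": "p001", "dob": "1984-03-12", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"id": "p002", "dob": "1984-03-12", "postcode": "SW1A 1AA", "diagnosis": "none"},
    {"id": "p003", "dob": "1990-07-01", "postcode": "M1 1AE", "diagnosis": "diabetes"},
    {"id": "p004", "dob": "1993-11-30", "postcode": "M1 1AE", "diagnosis": "none"},
]
QUASI_IDENTIFIERS = ("dob", "postcode")  # columns that are "not sensitive" on their own

def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)

def k_anonymity(records, keys=QUASI_IDENTIFIERS) -> int:
    """Smallest class size. k == 1 means at least one person is uniquely identifiable."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0

def singled_out(records, keys=QUASI_IDENTIFIERS):
    """Ids whose quasi-identifier combination is unique within the extract."""
    classes = equivalence_classes(records, keys)
    return [r["id"] for r in records if classes[tuple(r[k] for k in keys)] == 1]

def generalise(records):
    """Coarsen dob to a decade and postcode to its outward code (area + district),
    the usual first step to raise k before releasing an extract."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"][:3] + "0s"            # "1984-03-12" -> "1980s"
        g["postcode"] = r["postcode"].split()[0]  # "SW1A 1AA"   -> "SW1A"
        out.append(g)
    return out

if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(RECORDS), "singled out:", singled_out(RECORDS))
    coarse = generalise(RECORDS)
    print("generalised: k =", k_anonymity(coarse), "singled out:", singled_out(coarse))
```

A release gate that refuses any extract with k below an agreed threshold is a cheap way to turn the point above into a repeatable check.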
Data security should not hinder operations
Another aspect of data security to consider is the user experience of your security approach. Employees need a seamless experience when working, and security systems must not hinder their work. Security needs to run in the background without requiring their involvement; ideally they shouldn’t even know it’s there.
Employees are your weakest link
Speaking of which, people are often the weakest link in your security. Again, there’s very little you can do to stop someone from taking a photo of a computer screen. An integral part of data security is educating people on best practice. That includes teaching them not to write passwords down, what makes a strong password and to always lock their computers when away from their desks. Hold regular sessions to refresh their knowledge and keep people up to speed with current security threats.
Keep backing up your data
Also back up your data on a regular (weekly or daily) basis. In the event of a data breach or hack, that backup will come in handy. It also gives you an opportunity to audit your data at the same time.
Take it seriously
Any organisation that uses data needs to take data security seriously. There is a risk when you store any data. It’s precious stuff, and there are a lot of people out there who’d love to get their hands on it. Following data security best practices will stop them in their tracks. Good data governance will also prevent leaks from occurring.
You cannot use data without securing it. That goes beyond physical security, pen tests and firewalls. It’s also about the mindset of your employees and their respect for data. Create a culture of accountability, and the rest of your data security will be much easier to implement.
Jason Foster — Founder & CEO — Cynozure