Data Security Mistakes Australian Companies Make (and How to fix them)

06 Jun, 2023

Data security is the phrase on everyone’s mind at the moment, in the wake of high-profile Australian data breaches in the last year. And if it’s not on your mind – it should be!

As 9Yards Information Security Consultant Andrew Bialek says, “Data is an organisational asset and should be treated as such. The impact on an organisation would be multifaceted – losing business as well as the major impact on your customers or the greater public.” Addressing data management weaknesses before they have the chance to be exploited in a breach is an invaluable activity, saving organisations and their customers alike.

Thankfully, when you know better you can do better – a standard we always aim to uphold with our clients. Here we look at five common data security mistakes organisations aren’t aware they are making.

1. Conflating data security and cyber security

While cyber security is certainly part of data security, they are not one and the same. Cyber security focuses on protecting systems and networks from external threats, while data security is the overarching description for the protection and proper handling of data across its whole lifespan in all its applications.

How to fix it: Be clear on the difference! Develop comprehensive data security policies, including data classification, access controls, encryption and de-identification or destruction. Your approach should be supported by well-defined and established data governance and data management. Ensure employees know the part they play in upholding these security practices.

Everyone in your organisation needs to know:

  • which role or person is responsible for specific data domain security and privacy,
  • who has developed and continues to manage data security and privacy policies
  • what processes and mechanisms are in place to support data security.

2. Having lax data security procedures

Naturally, the organisations most susceptible to data breaches and unauthorised access are those with lax data security procedures. Insufficient policies, a lack of regular security audits and inconsistent adherence all contribute to vulnerabilities.

“You need to build the classification for each data domain, and to understand the standards you need to build the governing data security and privacy policies. Part of that is: who actually takes care of it, and who is responsible for monitoring and verifying that the policies and standards are applied?” says Andrew.

When it comes to responsibilities, Andrew says, “If you don’t have ownership defined, you usually don’t have the controls because nobody really knows whose responsibility it is. Without ownership via data governance, you can’t really maintain, monitor or implement standards or controls. All of the things that create a mesh of what you really call data security.”

How to fix it: Develop and enforce robust procedures for data management and data governance. Provide training and awareness programs to employees, and ensure everyone knows their role in maintaining data security.

3. Sending valuable or classified data by email

Email is such a ubiquitous communication channel that it can be easy to forget it is not secure by default. Sending valuable or classified data through email exposes it to the risk of interception or unauthorised access.

“People have files with lots of details across them and send them via email,” Andrew says. “But you wouldn’t want to carry or transmit data that’s related to credit cards or privacy information, for instance – anything of that nature that falls under specific policies of protection or risk – without encryption.”

How to fix it: Ensure clear policies and data classification for transmitted data and implement secure transfer protocols or encrypted communication channels for sensitive data sharing. Secure collaboration platforms or access-controlled cloud storage can be appropriate options. Educate employees about the risks of emailing sensitive data, and provide secure alternative methods.
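The fix above rests on two controls: a classification label on everything that leaves the organisation, and a check that blocks plain email when the label or the content calls for an encrypted channel. The following is an added example, not code from the original post or from 9Yards, showing what such a pre-send gate looks like in Python. The classification scheme (PUBLIC/INTERNAL/CONFIDENTIAL/RESTRICTED), the "INTERNAL" ceiling for plain email and the card-number detector are assumptions for illustration; a real deployment would take its labels and thresholds from the organisation's own data classification policy.

```python
import re
from dataclasses import dataclass, field

# Constructed classification scheme (assumption; not the page's or 9Yards' scheme).
# The rank lets the gate compare an attachment's label with the highest level
# the policy permits to leave over plain, unencrypted email.
CLASSIFICATION_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "RESTRICTED": 3}
MAX_PLAIN_EMAIL_RANK = CLASSIFICATION_RANK["INTERNAL"]

# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every genuine payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings in `text` that look like card numbers and pass Luhn."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Attachment:
    name: str
    label: str      # classification label applied by the data owner
    content: str


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def check_outbound_email(body: str, attachments: list[Attachment], encrypted: bool) -> Decision:
    """Decide whether a message may leave over email.

    Messages going out through an approved encrypted channel pass. Plain
    messages are blocked if any attachment is unlabelled, carries a label above
    the plain-email ceiling, or if the body or an attachment contains card numbers.
    """
    if encrypted:
        return Decision(True)
    reasons = []
    for a in attachments:
        rank = CLASSIFICATION_RANK.get(a.label.upper())
        if rank is None:
            reasons.append(f"{a.name}: unlabelled attachment; classify before sending")
        elif rank > MAX_PLAIN_EMAIL_RANK:
            reasons.append(f"{a.name}: labelled {a.label}, not permitted over plain email")
        if find_card_numbers(a.content):
            reasons.append(f"{a.name}: contains payment card numbers")
    if find_card_numbers(body):
        reasons.append("body: contains payment card numbers")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a RESTRICTED export attached to a plain email is refused.
    export = Attachment("customer-export.csv", "RESTRICTED", "name,card\nJ Smith,4111 1111 1111 1111")
    print(check_outbound_email("Here is the export", [export], encrypted=False))
```

The gate returns reasons rather than a bare yes/no so the sender can be told which policy applies and pointed at the approved secure alternative; the content scan catches the case the post describes, where a spreadsheet full of card details is sent without anyone having labelled it.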

4. Carrying data in non-secure storage

While it sounds like something out of a spy movie, carrying a physical, non-secure storage device on one’s person is a surprisingly common occurrence. It might feel like a low-risk option, but it can lead to data breaches if the device is lost, stolen or compromised.

“If you lose it, you are already exposing all of the hierarchies, the controls, the measures – all compromised in a second,” says Andrew.

How to fix it: If physically carrying data is the appropriate option, ensure that it is encrypted with a well-defined encryption algorithm or mechanism that is accepted by the security services in your organisation. You should also implement strict procedures for data transfer to portable devices, including access controls, usage logs, and a schedule for data purging. Anyone who is carrying data in such a way should understand the importance of reporting lost or stolen devices promptly.

5. Assuming the biggest data security threats are external – or even intentional

While external and intentional attacks are very real risks, sometimes the call is coming from inside the house! Underestimating the risks posed by internal sources – both acts of unintentional human error and deliberate maliciousness from disgruntled employees – can be devastating.

How to fix it: Implement appropriate access controls and user permissions that align with organisational roles and responsibilities – avoid generic treatment of data access. Conduct frequent data access/utilisation audits of classified and at-risk data, and put monitoring mechanisms in place to prevent unauthorised access and detect suspicious activity. Ensure these are updated as soon as positions change or people leave your organisation.

Ready to run a health check on your organisation’s data security?

Data security mistakes can have severe and long-lasting consequences, but by being aware of them and taking proactive measures, you can significantly reduce these risks. By prioritising strong data management and following best practices, you can safeguard both your data assets and your reputation.

To have a preliminary discussion with a 9Yards Information Security Consultant about how we could work together to fortify your data security, get in touch with our experts.