Data security is comprised of the practices used to protect digital information throughout its lifecycle from any unauthorized access (e.g., cybercriminals, malicious insiders, human errors) that could result in theft, exposure, corruption, or deletion. An array of business, organizational, and IT processes and technology are foundational to data security, including access to all hardware and software as well as physical structures that house them.
A common model and framework that is the basis for data security is the CIA (Confidentiality, Integrity, and Availability) Triad. The role of each component in data security is:
- Confidentiality
Data security measures are in place to ensure that information is accessed only by authorized users with the proper credentials.
- Integrity
Data security systems are implemented to ensure that information remains reliable, accurate, and protected from unwarranted changes.
- Availability
Data security checks are in place to ensure that data is readily accessible and available for the ongoing needs of authorized users.
In addition to the risks related to malware and advanced persistent threats (APTs), data security aims to mitigate human-based threats, such as:
- Falling for social engineering ploys
Social engineering is one of the most effective cybersecurity threat vectors as it exploits one of an organization’s weakest data security links—people. These attacks cause data security breaches by manipulating authorized users to share sensitive information, such as credentials or personally identifiable information (PII).
- Human error
Data breaches are usually associated with cybercriminals or malicious insiders, but simple human error is often a cause of sensitive data or information being exposed. This can result from accidental sharing of, granting access to, losing, or mishandling sensitive information.
- Malicious insiders
These internal threats can include employees, contractors, vendors, or partners who intentionally threaten data security. Malicious insiders use their knowledge of an organization to override data security measures to steal, leak, damage, or destroy sensitive information.
Beyond protecting information from cybercriminals, data security provides other benefits:
- Helps organizations maintain a good reputation with customers, partners, and employees by providing assurances that the organization is taking measures to keep sensitive information safe.
- Delivers a competitive edge, differentiating the enterprise from others who have suffered data breaches.
- Ensures that information is available for authorized systems and users.
Why data security is important
The importance of data security has grown significantly with the rise in remote work, cloud services, and Internet of Things (IoT) devices. These trends have expanded attack surfaces exponentially, providing more opportunities for unauthorized access than ever before.
This trend continues to drive demand for data security as organizations struggle to protect sensitive information. Three of the key reasons most often cited for the importance of data security are related to compliance requirements, brand equity and value, and proprietary information.
1. Data security requirements for compliance
- Public and private organizations are subject to a wide range of standards and regulations, including strict data security requirements.
- Industry-specific regulations include:
  - Anti-Money Laundering (AML)
  - Customer Due Diligence (CDD)
  - Family Educational Rights and Privacy Act (FERPA)
  - Federal Information Security Management Act of 2002 (FISMA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Know Your Client (KYC)
  - Payment Card Industry Data Security Standard (PCI DSS)
  - Sarbanes-Oxley Act (SOX)
- Regulations that span all organizations in a geographic area include:
  - California Consumer Privacy Act (CCPA)
  - Children’s Internet Protection Act (CIPA)
  - Children’s Online Privacy Protection Act (COPPA)
  - European Union General Data Protection Regulation (GDPR)
  - Personal Information Protection and Electronic Documents Act (PIPEDA)
A data breach can also trigger significant financial losses, including fines if the data security protocols dictated by compliance requirements were not followed, along with legal fees related to addressing settlement claims related to losses and damage repair if sensitive data has to be recovered.
2. Data security to prevent damage to brand equity and value
Data security is also instrumental in addressing the reputational risk accompanying a data breach, which can result in losing customers’ trust and the subsequent ceding of market share to competitors.
The cost of a damaged brand cannot be overstated. A high-profile data breach can destroy years, and even decades, of brand equity and value that cannot be bought back at any price. In fact, this is cited as the top impact of a data breach, which reinforces the criticality of data security.
3. Data security to protect proprietary information
At its core, data security is meant to protect an organization’s digital assets and systems, including intellectual property, networks and servers, and critical infrastructure. In addition to financial theft, cybercriminals routinely target organizations to steal trade secrets and valuable customer information.
Other attacks focus on disruptions by targeting IT infrastructure that upends operations and critical infrastructure that can dismantle vital services, such as power or water. Data security provides the protections needed to defend against these attacks.
Types of data security
The five most common types of data security used to protect information, devices, networks, systems, and users are data encryption, data erasure, data masking, data resiliency, and tokenization. Depending on the use case, these are used separately and in combination.
1. Data encryption
Data encryption uses an algorithm to change human-readable text into a string of characters. This encrypted data can only be decoded back to plaintext by an authorized user with a unique decryption key. Encryption is an effective data security tool widely used to protect data at rest and in transit.
2. Data erasure
Data erasure is a more secure way to permanently remove data from a system than data wiping. Data erasure is key to data security, ensuring that any information left on a device is completely overwritten and verified unrecoverable.
3. Data masking
Data masking allows organizations to present users with human-readable text while hiding sensitive information: key parts of the text are “masked” by substituting proxy characters for them. The content is reverted to its original form when authorized users access it.
4. Data resiliency
Data resiliency is key to data security as it ensures data availability. Employing data resiliency systems and processes, such as data backups, minimizes disruption when data is accidentally destroyed or is lost in a cyber-attack (e.g., ransomware) or a cyber-disaster.
5. Tokenization
Like data encryption, tokenization replaces plaintext with a string of characters. Tokenization replaces the plaintext with an unreadable stand-in for the same data called a token.
This string of characters represents the original data, which is stored in a secure token vault. This data security solution protects sensitive information, such as personally identifiable information (PII) or protected health information (PHI).
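The following sketch is an added example, not code from the original page. It shows how tokenization and masking differ in practice: a token is a random stand-in whose original lives only in the vault, while a mask is a partially hidden view of the value. The names `TokenVault`, `mask`, and the roles `billing` and `support` are hypothetical, and an in-memory dictionary stands in for the secure token vault.

```python
import secrets


class TokenVault:
    """In-memory stand-in for a secure token vault (hypothetical; a real
    vault is a hardened, access-controlled service with its own storage)."""

    def __init__(self, authorized_roles):
        self._authorized = set(authorized_roles)
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token, so repeats reuse it

    def tokenize(self, value):
        """Swap a value for a random token with no mathematical link to it."""
        if value not in self._by_value:
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token, role):
        """Only an authorized role may exchange a token for the original."""
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]

    def display(self, token, role):
        """Authorized roles see the original; everyone else sees a mask."""
        value = self._by_token[token]
        return value if role in self._authorized else mask(value)


def mask(value, visible=4, fill="*"):
    """Masking: keep the last `visible` characters, substitute the rest."""
    if len(value) <= visible:
        return fill * len(value)
    return fill * (len(value) - visible) + value[-visible:]


def demo():
    vault = TokenVault(authorized_roles={"billing"})
    card = "4111111111111111"   # constructed sample value, not real data
    token = vault.tokenize(card)
    return {
        "token": token,
        "stable": vault.tokenize(card) == token,
        "support_view": vault.display(token, role="support"),
        "billing_view": vault.display(token, role="billing"),
    }
```

Systems outside the vault store and pass around only the token, so a leak of their data exposes no original values.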
Data security tools and solutions
Commonly used data security tools and solutions include:
- Access management and controls
- Authentication, such as biometrics, single sign-on (SSO), and multi-factor authentication (MFA)
- Data and file activity monitoring
- Data discovery and classification
- Data loss prevention (DLP)
- Email security
- Identity and access management (IAM)
- Network and endpoint protection, monitoring, and controls
- Real-time systems and data monitoring
- Vulnerability assessment and risk analysis
Data security strategies
A comprehensive data security strategy combines tools and solutions with processes focused on people. Following are several of the important data security strategies that should be employed with tools and solutions.
- Apply patches and keep software updated
- Create policies to ensure preparedness for a cyberattack
- Do not forget mobile data security
- Educate employees about the importance of data security
- Employ data management strategies, including:
  - Data auditing
  - Data minimization
  - Data risk assessment
  - Purge stale data and applications
- Ensure the physical security of servers and user devices, such as:
  - Hiring security personnel
  - Implementing access control using key cards or biometrics
  - Keeping filing cabinets locked
  - Locking office doors
  - Shredding paper records
  - Using surveillance cameras
- Know where data resides
- Partition sensitive files
- Restrict high-risk activities
- Test processes and systems
- Track user access
- Use behavior-based permissions
Data security best practices also recommend implementing administrative and operational security.
- Administrative security addresses risks that originate outside of an organization with measures such as:
  - Conducting third-party risk assessments
  - Developing privacy, incident response, and information security policies
  - Having cybersecurity insurance
  - Implementing audit controls
  - Providing security awareness training
- Operational security involves protecting information from internally originating vulnerabilities with tactics such as:
  - Adding security messages to log-on screens
  - Developing and implementing employee onboarding and exit procedures
  - Fostering a culture of security
  - Monitoring users’ devices
  - Training internal and external users
Trends in data security
Expanding attack surfaces from IoT devices
Internet of Things (IoT) devices present one of the gravest data security risks due to the scale and velocity of deployment—billions worldwide. These devices can be found almost everywhere, and because so many are connected to networks, they have increased attack surfaces exponentially.
Beyond the number of IoT devices deployed, their vulnerability makes them a particular threat to data security; most IoT devices were not built with security as a priority and are often deployed without security.
Because IoT devices have limited processing and storage capacity, installing data security software on them is challenging. In addition, because they are so numerous and widely dispersed, it is difficult to keep security systems updated and to install updates and security patches.
Growing threat of ransomware
While ransomware has been part of the cyber threat landscape since 1989, it has become the malware of choice for many cyber criminals. It is relatively easy to deploy, as its payload is delivered in the same way as other commonly used malware.
Ransomware is also widely accessible on the dark web. Even individuals or small cybercriminal groups can effectively utilize it, taking advantage of ransomware-as-a-service.
Data security solutions are used to combat ransomware. However, data security systems are challenged to stop ransomware as it commonly uses social engineering to bypass these solutions.
Increasing use of artificial intelligence in data security
Artificial intelligence (AI) is increasingly used with machine learning (ML) to improve the efficacy of data security solutions. AI and ML are used to automate security processes and threat detection with continuous improvement as collected data is used to enhance the identification of suspicious activity. The importance of AI for data security is that it can process large amounts of data and apply rapid decision-making based on analysis to inform incident response thousands of times faster than humans and basic software.
Another branch of AI, natural language processing (NLP), is used to combat phishing attempts as AI and ML-enabled tools can better identify malicious messages than humans. AI also enhances the accuracy and performance of biometric screening for authorization, such as facial, fingerprint, and voice recognition. It is also being used to develop additional biometric screening methods to advance data security, such as behavior recognition.
Enterprise data security
Enterprise data security requires a multi-layered approach to ensure that data and applications are always secure and available. It also includes business continuity preparedness to minimize service disruptions in the case of a cyberattack or disaster.
The scope of enterprise data security continues to expand with the growing number of people working from home, the wide use of mobile devices, and the explosion of IoT devices. Each of these use cases heavily depends on information that is often sensitive. This raises the bar for enterprise data security as complexity, the volume of users (i.e., machine and human), and attack surfaces expand.
Cloud data security
Data security extends beyond the confines of internal IT to cover the growing footprint of cloud-based infrastructure and services. Usually, data security for cloud-based infrastructure and services is provided in concert with cloud service providers and enterprise IT teams.
Cloud computing presents many of the same threats as on-premises deployments. Data security solutions have been optimized to manage cloud environments, but additional precautions must be implemented. Additional data security considerations for cloud-based infrastructure and services include protecting cloud migration and avoiding misconfigured cloud settings that create vulnerabilities.
Data security and bring your own device (BYOD)
Bring your own device (BYOD), or the use of personal computers, tablets, and mobile devices in enterprise computing environments, is here to stay and expanding despite the well-founded outcry from IT security teams about the risks this practice presents. Data security measures continue to grow to try to protect these devices.
Data security protocols employed to shore up protections against the threats BYOD brings require employees who use personal devices to install security software to access corporate networks. The intent of this data security practice is to try to centralize control over and visibility into data access and movement to and from personal devices. Other data security tactics that help provide security around BYOD enforce the use of encryption, strong passwords, multi-factor authentication, regular installation of patches and software updates, and backups.
Monitoring is another important data security measure used to mitigate the risk of BYOD. This approach also addresses the use of unsanctioned BYOD by identifying all devices.
Staying on top of advances in data security
A presence since the advent of information, data security has played a vital role in ensuring its integrity and availability—from early manual ciphers to crypts for storing secrets. Like most technology, data security continues to evolve. To take full advantage of the power and efficacy of data security, take time to keep abreast of developing trends and the related solutions that become available.