While many companies have deployed extra measures to secure employees’ remote access to corporate resources and apps, it is important to think of all the necessary security measures to be taken in protecting sensitive data. Careful planning and forward-thinking security is the best way to protect your most precious asset – your data – either while it is in transit or at rest. Data breaches are usually the result of stolen identity or IT configuration errors that allows access to unauthorized users, resulting in the loss of control of our most sensitive Personal Identifiable Information (PII) data about employees, customers, and partners. Whether the data breach is from stolen identities or human error, privacy breaches of unencrypted data can result in severe penalties under data protection regulations such as GDPR or CCPA.
Even if a data breach is not a privacy violation, it may entail industrial espionage by state-sponsored actors who may take advantage of the crisis to steal precious sensitive or secret data. In either case, any data breach will harm your business’ reputation significantly, which also means loss of revenue when customer trust is damaged.
Below are a few tips for your IT and security operations teams, even when working remotely, to proactively protect your business as you expand the secure support of remote workers.
Discover and classify your data
Before implementing any cybersecurity strategy, it’s important to first conduct a data sweep. This will help you understand what data you have collected or produced and where the most sensitive and valuable data resides. If your business is taking an ‘encrypt everything’ approach, data discovery with risk analysis will help prioritize where to deploy data security solutions first.
Understand the risks related to data
Once you understand the data you have and produce, the next step is to identify the risks associated with all the different file servers and databases that used across your many different IT environments. While there is no silver bullet to defend against a cyberattack, having a risk-based approach is essential to prioritize where to focus your data security investment. This has never been more important than now, as the surge of cloud adoption is often leaving IT and security teams blind to where the riskiest data now resides.
Encrypt all sensitive data
While it is critical that your business restrict who can access sensitive data, it is encryption and tokenization that ensures this data cannot be used in the event it is accessed by unauthoriszed parties. Data discovery, classification and risk analysis helps set priorities for data security implementation. However, regardless of where it is stored or where it migrates (on your own servers, in a public cloud, or a hybrid environment) encryption must always be used to protect sensitive data. Some U.S. states have recently joined various countries around the world in adopting data privacy or data protection regulations, mandating (or at least recommending) that sensitive data should be protected with encryption. In addition, most data breach notification regulations don’t apply to compromised encrypted data. Therefore, the best way to protect your business from post-breach legal costs, IT fire drills, fines and embarrassment is to have an encryption strategy in place.
Securely store your keys
When data is encrypted, an encryption key is created that must be used to decrypt and access the data. Consequently, securely storing these encryption keys is of utmost importance to your business. But some forget that encryption is only as good as the key management strategy employed, therefore keys must be protected in a FIPS 140-2 validated solution, separate from the data itself, and support strong separation of duties. The based laid plans for encryption deployment come undone very quickly when encryption keys are found in spreadsheets or cloud storage buckets.
Pay attention to access management
It’s important that your business adopt strong access management techniques that at minimum supports two-factor authentication, to help ensure only authorized employees have access to data and systems. Two-factor authentication involves an individual having something they possess – like a message on their smartphone – and something they know, rather than simply relying on one form of protection such as a static password, which can be easily hacked. Now with the accelerated migration to cloud services and the increased support of remote workers, you should consider deploying an access management solution that goes beyond two-factor to determine access privileges, and deploy a SaaS solution that doesn’t require on-site IT to support.
Back up your business data
However, these previous steps only protect a business’ data from attempts to steal it. When it comes to disaster recovery, it may be required to transfer operations to alternate locations. The best way to mitigate this potential situation is to back up all critical business data that can ensure a return to normal operations quickly. Back up is also important as a countermeasure to attacks such as ransomware. The backed-up data should be stored either in the cloud or offsite and kept secure with two-factor authentication and encryption. It is all too often that hackers breach a company’s assets because they gain access to less protected back up or archived data.
Reduce risk with a security partner
Partnering with a third party, like a MSSP or a specialized cybersecurity company, can reduce data security risks businesses face. Not only can having the right partner reduce risk, it reduces strain on your business, enables you to focus on running the business, and provides a competitive advantage.
Leadership buy-in is crucial
To ensure the effectiveness of the above steps, IT security professionals should seek leadership buy-in. Only if the C-Suite understands the importance and fully supports the implementation of these security precautionary measures will they be successful. Business executives need to realize that business continuity in times of crisis is a corporate responsibility and that any security risks are enterprise risks.
Thales recently released the 2020 Thales Data Threat Report-Global Edition that outlines many of the security challenges organizations face today. It also provides concrete recommendations to improve security especially as more data and applications are moved to the cloud. Thales also offers a great resource to help you plan an encryption strategy, The Enterprise Encryption Blueprint.