Data Security Controls That Last
March 22, 2019 prod360
Data is the lifeblood of the 21st century, and protecting it should be a top priority for everyone who touches it. Data security is also required by law, a deal-maker or breaker for some customers, and a public-interest issue that makes headlines when it fails. If a company is entrusted with sensitive data, putting the right controls in place to protect it should go without saying.
Choosing the Right Data Security Controls
The right data security controls depend on business model, assessed risks, budget, time to implement and many other factors. The more information that needs protection, the harder the implementation is likely to be. Add to that the wide variety of controls available, and of service organizations that can help implement them, and making the right decision becomes a high-pressure challenge.
No matter the level of customization, however, solid data security controls can be broken down into layers of protection, from back-end systems to employee laptops. And the key to success for quality, long-term controls is twofold:
- First, home in on real solutions that solve not only current problems but those that are likely to appear as the organization grows.
- Second, weigh the time, budget and risk of a quick fix now against a control that will hold up for years. Your organization’s long-term vision and business plan can help you anticipate incident scenarios and problems that might arise.
Physical Data Security
Strong data security controls start with the end user and their physical access to the data, both in and out of the office. At this level of protection, it’s imperative to secure employee access to the office via badges, biometrics or whichever restricted-access protocol best fits the environment. Physical controls for a single office location, for example, will look very different from those for a remote workforce.
Likewise, and perhaps even more importantly, all employee laptops and other portable devices should be protected against theft or loss with controls such as full-disk encryption and two-step authentication, so that a lost device does not become a lost data set.
This high level of security should also apply to office visitors, from sign-in requirements to escorts to guest badges and clear identification. Security cameras and alarms can also help track both guest and employee activity.
Administrative Data Security
This layer involves putting all of the policies, procedures and compliance requirements in place to maintain a safe data environment. At the user level, it means requiring all staff to learn and agree to the company’s acceptable use policy, both during onboarding and at regular intervals thereafter. Make clear the company’s expectations for handling data, and the consequences for disregarding policy.
On the back end, controls include documented security procedures and an incident-response plan that is ready before a data breach occurs, not written during one.
If a company manages highly sensitive data such as health or payment-card information, part of administrative data security is undergoing third-party audits and achieving regulatory compliance. Organizations whose services affect their customers’ financial reporting are typically asked for a SOC 1 examination, whereas providers handling other kinds of sensitive data would need a SOC 2, SOC 3 or SOC for Cybersecurity report. Health-care data handlers face a further set of requirements, for example HIPAA compliance and HITRUST certification.
Technical Data Security
This is the most complex layer because it covers the controls on the data and the software itself. Again, it starts with the end user and their access to company information: password requirements, two-step authentication and restrictions on who has access to which applications, servers and functions. For example, are employees allowed to freely use Google and social media? Can programs be installed or updated without admin privileges? What do your password requirements actually enforce?
User-level controls also include encrypting email messages. That can be tricky: a message is only protected end to end if every recipient and relay supports the encryption in use, and confidential email can otherwise end up in unencrypted channels where it can be intercepted. Two other simple but effective controls are antivirus software that is kept up to date and restricting which programs may run or reach the network while a device is on guest WiFi.
Technical controls should reach every layer of the organization that touches data, all the way up to cloud storage and backup systems. The list is long: file-access management and monitoring, regular vulnerability scanning, timely patching, and much more.
To ensure the long-term viability of your data and controls, choose the right controls from the outset and give them regular checkups to confirm they still fit the business. Perform system backups and test data-recovery procedures at least quarterly; a backup that has never been restored is untested, and a restore drill brings problems to light before they grow out of control.
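A restore drill of the kind described above, as an added example that is not part of the original article: it archives a directory, records a SHA-256 manifest of every file, restores the archive into a fresh location and checks each restored file against the manifest, so the drill fails on a stale, truncated or corrupted backup rather than on the day you need it. The sample files, directory layout and archive name are constructed here for illustration.

```python
"""Quarterly backup-and-restore drill (added example, not the article's code).

A backup only counts once something has been restored from it and checked.
This creates a gzip'd tar of a directory, records a SHA-256 manifest, restores
the archive into a fresh directory and verifies every restored file against
the manifest. Sample files are constructed inline so it runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for the directory you would back up.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Ada\n2,Grace\n",
    "notes/readme.txt": b"restore drill test data\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive source into <archive> and write the manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest; returns the restored data root."""
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' filter (Python 3.12+, backported to 3.8.17/3.9.17/
        # 3.10.12/3.11.4) rejects absolute paths and '..' members, so a
        # tampered archive cannot write outside dest.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return dest / "data"


def verify(manifest: dict, restored_root: Path) -> list:
    """Return sorted problems; an empty list means the drill passed."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in restored.keys() - manifest.keys())
    return sorted(problems)


def run_drill(simulate_damage: bool = False) -> list:
    """End-to-end drill. With simulate_damage=True one restored file is
    overwritten and another deleted, standing in for bad media or a partial
    restore, and the check must report both."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        for rel, content in SAMPLE_FILES.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)

        archive = tmp / "backup.tar.gz"
        manifest = create_backup(source, archive)
        restored_root = restore(archive, tmp / "restore")

        if simulate_damage:
            (restored_root / "db/customers.csv").write_bytes(b"id,name\n1,Ada\n")
            (restored_root / "notes/readme.txt").unlink()

        return verify(manifest, restored_root)


if __name__ == "__main__":
    print("clean drill:", run_drill() or "OK")
    print("damaged drill:", run_drill(simulate_damage=True))
```

In a real quarterly drill the archive would come from your backup system and the manifest from the time the backup was taken; the point of keeping the manifest separate from the archive is that a damaged or truncated archive cannot vouch for itself.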