Research has revealed that data loss is a top concern of IT executives, according to data management firm Iron Mountain, which has compiled five steps to securing data to mark Data Protection Day.
The international initiative, now in its ninth year, is aimed at raising awareness among consumers and businesses of the importance of safeguarding data, respecting privacy and creating trust.
The 28th of January was chosen because on that day in 1981, the Council of Europe passed Convention 108 on the protection of individuals’ personal data, the root of all data privacy and protection legislation.
Iron Mountain senior product and solutions marketing manager Jennifer Burl said businesses of all sizes can benefit from tips on how to improve their data security.
“According to the National Cyber Security Alliance, 50% of targeted cyber attacks are directed at companies with fewer than 2,500 employees,” she added.
Burl said there are five steps that businesses can take to keep data safe and secure to avoid legal and regulatory trouble.
Step 1: Learn where your data lives
“You can't complete your security plan until you know exactly what you're protecting and where it's stored,” said Burl.
Most businesses store data on multiple media types: local disks, disk-based backup systems, offsite on tape and in the cloud. Each technology and format requires its own type of protection.
Step 2: Implement a need-to-know policy
To minimise the risk of human error (or curiosity), create policies that limit access to particular data sets.
Designate access based on airtight job descriptions. Also be sure to automate access-log entries so no one who's had access to a particular data set goes undetected.
Step 3: Beef up your network security
“Your network is almost certainly protected by a firewall and antivirus software. But you need to ensure those tools are up-to-date and comprehensive enough to get the job done,” said Burl.
New malware definitions are released daily, and antivirus software needs to keep pace with them.
The bring-your-own-device philosophy is here to stay, and your IT team must extend its security umbrella over smartphones and tablets that employees use for business purposes.
Step 4: Monitor and inform your data's lifecycle
Create a data lifecycle management plan to ensure the enterprise's secure destruction of old and obsolete data.
As part of this process, companies should:
- Identify the data you must protect, and for how long;
- Build a multi-pronged backup strategy that includes offline and offsite tape backups;
- Forecast the consequences of a successful attack, then guard the vulnerabilities revealed in this exercise;
- Take paper files into account, since they can also be stolen;
- Inventory all hardware that could possibly house old data and securely dispose of copiers, outdated voicemail systems and even old fax machines.
Step 5: Educate everyone
“Data security is ultimately about people,” said Burl. “Every employee must understand the risks and ramifications of data breaches and know how to prevent them, especially as social engineering attacks increase.
“Talk with your employees about vulnerabilities like cleverly disguised malware web links in unsolicited email messages. Encourage them to speak up if their computers start functioning oddly.”
Build a security culture in which everyone understands the critical value of your business data and the need for its protection. “Because when you think about it, every day is data privacy day,” said Burl.
Educating users to protect the economy
Content management firm Intralinks said many people bring bad security habits from home into business, so educating users is not just about protecting them, but also about protecting the economy.
Intralinks chief technology officer for Europe Richard Anstey said it can be counter-intuitive to tell people to use strong passwords as it creates a false sense of security that people then bring into work.
“When dealing with very sensitive information, such as internet protocol, people need to know about very secure measures, such as information rights management,” he said.
According to Anstey, security is about knowing what the danger is and how to deploy the appropriate level of protection.
“If we want a truly data-secure society we need to start by ensuring people know what value their data has, then they can make informed decisions about how to secure it,” he said.
Too much focus on outside threats
Encryption firm Egress has warned that too many businesses are focusing on outside threats.
An Egress Freedom of Information (FOI) request to the UK’s Information Commissioner’s Office revealed 93% of data breaches occur as a result of human error.
Egress chief executive Tony Pepper said businesses should start looking closer to home to prevent data breaches.
“Mistakes such as losing an unencrypted device in the post or sending an email to the wrong person are crippling organisations,” he said.
Pepper added that the FOI data shows a total of £5.1m in fines has been issued for mistakes made when handling sensitive information, whereas to date no fines have been levied due to technical failings exposing confidential data.
“Human error will never be eradicated as people will always make mistakes. Organisations therefore need to find ways to limit the damage caused by these mistakes,” he said.
According to Egress, policy needs to be supported by user-friendly technology that enables safe ways of working without hindering productivity, while providing a safety net for when users make mistakes.
Businesses need proactive approach to data security
Data governance firm Axway said businesses need to take a proactive approach to data security in the face of malicious hackers and data breaches.
Axway Go-To-Market Program vice-president Antoine Rizk said in an increasingly connected world, businesses need to proactively monitor their data flows to prevent costly data breaches.
“However, many large organisations still wait for something to go wrong before addressing the flaws in their security strategies – a move that backfired in some of the most infamous security breaches of 2014,” he said.
Axway predicts that in 2015, bring your own device will quickly evolve into bring your own internet of things, with employees bringing wearable devices into the work place.
“For such increased enterprise mobility to open windows of opportunities for businesses, without paving the way for hackers to access private data, security must evolve at the same rate as the devices themselves,” said Rizk.
“Organisations also need to know what data employees are bringing into and taking out of the office to ensure that malicious attacks and conspicuous activity are blocked,” he said.
Important to highlight risks on mobile platforms
Application protection firm Arxan said that on Data Protection Day it is important to highlight the increased risks on mobile platforms, particularly in the banking and payments sector.
Arxan director of sales for Europe Mark Noctor said the firm predicts the security risks in the financial sector will be a key threat area for 2015.
“With this in mind, it is vital that mobile application security takes priority as banks, payment providers and customers seek to do more on mobile devices,” he said.
Arxan research revealed 95% of the top 100 Android financial apps and 70% of iOS apps have been hacked in the past year.
The company said: “We would advise banking and payment customers who are considering the use of a mobile financial application to take the following steps to increase security:
- Download banking and payment applications only from certified app stores;
- Ask your financial institution or payment provider if their app is protected against reverse engineering;
- Do not connect to an email, bank or other sensitive account over public Wi-Fi. If that’s unavoidable – because you spend a lot of time in cafés, hotels or airports, for example – pay for access to a virtual private network that will significantly improve your privacy on public networks;
- Ask your bank or mobile payment provider if they have deployed application self-protections for the apps they have released in app stores. Do not rely only on mobile antivirus, anti-spam or your enterprise-wide device security solutions to protect apps that reside on your mobile device from hacking or malware attacks.”