But although most companies collect and use data, they aren’t directly in the data security business, which means they could use a set of best practices.
Ian Ashworth, senior sales engineer with the Synopsys Software Integrity Group, offers a short list of fundamentals.
Classify your data
All data isn’t the same, nor is it equally valuable to an organization, to its competitors, or to attackers. “The first step to keeping data safe is to classify it,” Ashworth said. “This is a fundamental element of any information security program. Keeping data safe can be costly, so classifying it ensures that the right proportion of any spend is efficient and justified.”
Classification is also directly focused on the confidentiality component of the CIA triad (confidentiality, integrity, availability) for data.
A good tool to help classify data is metadata (data about data), which can help find personally identifiable information (PII). Ashworth said a good way to start is with high-level classifications like restricted, confidential, or sensitive.
“From there you can look within and classify individual attributes or fields such as payment cards, which have very distinctive data patterns, or rely on the metadata, which might aptly and accurately name a field and lead to it being classified as PII,” he said.
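The two classification signals Ashworth describes, the field name (metadata) and the distinctive pattern of the values (payment card numbers), can be combined in a small classifier. The following is an added example, not code from the article or from Synopsys: the column names, sample rows, level names and the keyword list in `NAME_HINTS` are all constructed for illustration. It checks candidate card numbers with the Luhn checksum that real PANs satisfy, and keeps the stricter of the name-based and content-based verdicts for each column.

```python
import re
from typing import Dict, List

# Constructed sample dataset (not from the article): column names are the
# metadata, the rows are the values we inspect for distinctive patterns.
SAMPLE_COLUMNS = ["customer_email", "card_number", "notes", "phone"]
SAMPLE_ROWS = [
    {"customer_email": "alice@example.com", "card_number": "4111 1111 1111 1111",
     "notes": "prefers email", "phone": "+1 555 0100"},
    {"customer_email": "bob@example.com", "card_number": "5500-0000-0000-0004",
     "notes": "n/a", "phone": "+1 555 0101"},
]

# Classification levels, highest sensitivity first.
LEVELS = ["restricted", "confidential", "internal"]

# Hypothetical metadata rules: substrings of a field name that imply a level.
NAME_HINTS = {
    "restricted": ("card", "pan", "ssn", "password"),
    "confidential": ("email", "phone", "address", "birth"),
}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum shared by payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """13 to 19 digits (spaces or dashes allowed) that pass the Luhn check."""
    digits = re.sub(r"[\s-]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def classify_by_name(column: str) -> str:
    """Metadata signal: what the field is called."""
    lower = column.lower()
    for level in LEVELS[:-1]:
        if any(hint in lower for hint in NAME_HINTS[level]):
            return level
    return "internal"


def classify_by_content(values: List[str]) -> str:
    """Content signal: what the values look like."""
    non_empty = [v for v in values if v]
    if non_empty and all(looks_like_card(v) for v in non_empty):
        return "restricted"
    if non_empty and all(EMAIL_RE.fullmatch(v) for v in non_empty):
        return "confidential"
    return "internal"


def strictest(a: str, b: str) -> str:
    return a if LEVELS.index(a) <= LEVELS.index(b) else b


def classify_columns(columns: List[str], rows: List[dict]) -> Dict[str, str]:
    """Combine the metadata and content verdicts, keeping the stricter one."""
    result = {}
    for col in columns:
        values = [str(r.get(col, "")) for r in rows]
        result[col] = strictest(classify_by_name(col), classify_by_content(values))
    return result


if __name__ == "__main__":
    for col, level in classify_columns(SAMPLE_COLUMNS, SAMPLE_ROWS).items():
        print(f"{col:15s} -> {level}")
```

Running it labels `card_number` restricted, `customer_email` and `phone` confidential, and `notes` internal. The Luhn check is a filter, not proof: roughly one in ten random digit strings of the right length passes it, so in a real inventory a content hit should raise a review rather than settle the classification on its own.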
Establish a data use policy
This sets conditions for who can access certain data and for what purposes. Access rights should be granted on a least-privilege basis: if you don’t need the data to do your job, then you don’t need access to it.
“A website may require read-only access to data for the purposes of displaying it,” Ashworth said. “To edit or modify it, you would need to have a reason, such as the owner wishing to change their registered phone number on an account. That higher level of edit control might only be available to the account owner and system administrator.”
Those controls could be contractual or enforced through authorization based on a person’s electronic identity.
“There is a common acronym, AAA (authentication, authorization, and accounting), in cyber security parlance that refers to measured access controls to certain digital resources,” he said.
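Ashworth's website example maps directly onto the three A's. The following is an added example, not code from the article or from Synopsys: the session table standing in for authentication, the role names, the policy set and the account data are all constructed. Authentication turns a presented token into an identity, authorization applies a default-deny policy plus an ownership rule so that only the account owner or an administrator can edit, and accounting records every decision, including the denials.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "website", "customer" or "admin" (hypothetical roles)


@dataclass
class Account:
    account_id: str
    owner_id: str
    phone: str


# Hypothetical session table standing in for real authentication (constructed).
SESSIONS: Dict[str, Principal] = {
    "tok-web": Principal("web-frontend", "website"),
    "tok-alice": Principal("alice", "customer"),
    "tok-bob": Principal("bob", "customer"),
    "tok-ops": Principal("carol", "admin"),
}

# Authorization policy: any (role, action) pair not listed is denied.
POLICY = {
    ("website", "read"),
    ("customer", "read"),
    ("customer", "edit"),
    ("admin", "read"),
    ("admin", "edit"),
}

# Accounting: every decision, allowed or not, is appended here.
AUDIT_LOG: List[dict] = []


def authenticate(token: str) -> Optional[Principal]:
    """Authentication: map a presented credential to an identity, or None."""
    return SESSIONS.get(token)


def authorize(principal: Principal, action: str, account: Account) -> bool:
    """Authorization: role policy, plus an ownership rule for customer edits."""
    if (principal.role, action) not in POLICY:
        return False
    if principal.role == "customer" and action == "edit":
        return account.owner_id == principal.user_id
    return True


def record(who: str, action: str, account_id: str, allowed: bool) -> None:
    """Accounting: write an audit entry for the decision."""
    AUDIT_LOG.append({"who": who, "action": action,
                      "account": account_id, "allowed": allowed})


def handle(token: str, action: str, account: Account,
           new_phone: Optional[str] = None) -> str:
    """Full AAA path for one request against one account."""
    principal = authenticate(token)
    if principal is None:
        record("anonymous", action, account.account_id, False)
        return "denied: not authenticated"
    if not authorize(principal, action, account):
        record(principal.user_id, action, account.account_id, False)
        return "denied: not authorized"
    record(principal.user_id, action, account.account_id, True)
    if action == "edit":
        account.phone = new_phone
        return "ok"
    return account.phone


if __name__ == "__main__":
    acct = Account("42", "alice", "555-0100")
    print(handle("tok-web", "read", acct))                  # read-only display
    print(handle("tok-web", "edit", acct, "555-0199"))      # denied: not authorized
    print(handle("tok-bob", "edit", acct, "555-0199"))      # denied: not the owner
    print(handle("tok-alice", "edit", acct, "555-0199"))    # ok
    for entry in AUDIT_LOG:
        print(entry)
```

The policy is a whitelist, so a new action such as "delete" is denied for every role until someone deliberately adds it; that is the least-privilege default. The audit log is what makes the accounting leg useful: the denied entries are the ones a detection team will want to alert on.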
Encrypt your data
“Layers of security do play a part in defending against unauthorized prying eyes, but the most critical measure is encryption,” Ashworth said.
And for encryption to be effective, it has to be both rigorous and comprehensive, applying to data both when it’s at rest and in transit. That means organizations need to map their data—both where it’s stored and how it flows from one place to another. You can’t protect assets if you don’t know where they are.
Encryption can also ensure the second element of the CIA triad—the integrity of the data. Hash algorithms, which are very difficult to reverse or attack, can let an organization that has been breached know if its data has been modified.
“If data is passed through such a hashing algorithm and the hash is stored independently, then if the original text is changed, a different hash would result, confirming it is no longer the original stored text,” Ashworth said.
Done correctly, encryption means that even if an organization is breached and data is compromised, it’s useless to attackers.
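The integrity check Ashworth describes, a hash computed over the data and stored independently so that any later change produces a different hash, is shown below as an added example; it is not code from the article or from Synopsys, and the stored record is constructed. It also carries the check a practitioner would want alongside it: an unkeyed hash only detects modification if the attacker cannot also rewrite the hash store, so the keyed variant (HMAC with a key held apart from the data) is included for the case where the data store itself may be attacker-writable.

```python
import hashlib
import hmac
import secrets

# Constructed stored record (hypothetical, not from the article).
RECORD = b"account=42;phone=555-0100"


def fingerprint(data: bytes) -> str:
    """Unkeyed SHA-256 digest, to be stored separately from the data."""
    return hashlib.sha256(data).hexdigest()


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: recomputing this needs the key, not just the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def unchanged(data: bytes, stored_hash: str) -> bool:
    """True only if the data still produces the independently stored hash."""
    return hmac.compare_digest(fingerprint(data), stored_hash)


def unchanged_keyed(key: bytes, data: bytes, stored_mac: str) -> bool:
    """Same check with the keyed digest; constant-time comparison."""
    return hmac.compare_digest(keyed_fingerprint(key, data), stored_mac)


def tamper(data: bytes) -> bytes:
    """Simulate a breach that edits one field of the stored record."""
    return data.replace(b"555-0100", b"555-0199")


if __name__ == "__main__":
    stored_hash = fingerprint(RECORD)       # kept in a separate store
    key = secrets.token_bytes(32)           # kept in a KMS/HSM, not with the data
    stored_mac = keyed_fingerprint(key, RECORD)

    modified = tamper(RECORD)
    print("original intact:", unchanged(RECORD, stored_hash))
    print("edit detected:", not unchanged(modified, stored_hash))
    # If the hash store is writable by the attacker, an unkeyed hash is no defence:
    print("rehashed edit passes:", unchanged(modified, fingerprint(modified)))
    # Without the key, a recomputed MAC over the edited record does not verify:
    forged = keyed_fingerprint(b"wrong-key", modified)
    print("forged mac rejected:", not unchanged_keyed(key, modified, forged))
```

The practical consequence for the "stored independently" requirement is that independence has to mean a different trust boundary, not just a different table: either the hash lives where a breached application account cannot write, or the digest is keyed with a secret that account does not hold.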