Paul Stringfellow takes a look at how priorities have shifted to data security, and what basic principles he's developed while working on data security projects.
Over the last five years, one of the biggest shifts I’ve seen in our customers’ priorities is Data Security.
It’s a big challenge. Be it new malware, ransomware, hacking or social engineering, the threat is growing and ever evolving.
In the modern business world many of us work in, data is one of our most critical assets; it’s customer and accounting information, it’s our product's secret sauce. In many cases the data IS our business, and without it we put our organisations at risk.
But less of the stuff you already know. What can we do about this evolving data security challenge?
I’ve worked on many interesting data security projects over the last few years, and over the time developed a few basic principles and so thought I’d share them here with you;
Avoid the Data Security Myths
One of the biggest threats to a company’s data security is hiding behind some of the more common myths;
I’m not a target, no one is interested in my data
A company who doesn’t believe their data is susceptible is opening itself up to significant risk.
It may be true that no one is “interested”, but they don’t have to be. You download a bit of malware, click on the wrong link in an email and you could expose yourself to risk. It doesn’t have to be targeted.
It also may not be you - do you have customers who are potential targets? Or do you have, as we have increasingly seen, a customer who is starting to insist their supply chain has robust data security plans in place?
Data Security is too hard
Normally in association with myth number one, if a company doesn’t feel that their data is at risk, data security solutions seem like too much effort. However, if a business understands the risks, they are much more likely to support IT security efforts.
With that said it's also important that as IT Pros we don’t make security too hard. Our solutions can’t be so unwieldy that people will actively seek to work around them.
I don’t know where to start
Because of the high profile of IT Security today, there is a lot of help available. There's good impartial advice (try the governments newly opened National Cyber Security Centre) to useful software tools, like those included in cloud solutions such as Office 365.
However, to set you on your way, here’s a handful of areas you may want to explore;
Know your data. Where it is, how many copies you have, who has access to it, what type of data it is and even if anyone looks at it.
If we don’t know these things how on Earth are we going to make sure it’s secure?
Make sure we have the right tools in place. Behavioural analytics solutions are critical in securing our data, tools that can understand our normal data access patterns and quickly identify when that norm is deviated from.
Securing our data is important, as is securing the applications that access it. Our starting point is knowing what we have - not just finding out what apps we have, but also those little SaaS applications you didn’t even know existed on your network!
Once we know them, it’s important we secure them or stop them completely. Just make sure you use what is available; things like DLP templates in Exchange Online are hugely powerful.
The range of devices we use is ever growing, be it desktops or smartphones. The growing range of future devices, such as wearables and IoT, will all be accessing or generating data that needs to be secured.
Ask yourself whether you are doing the basics. Are you encrypting data and applying robust security policies? Are we patching, ensuring they are not susceptible to known vulnerabilities?
Don’t be caught out by something that hasn't been patched for 2 years!
We mentioned previously the multitude of devices that we have, and many of these are mobile and have access to our data. They might be accessing data remotely, or be walking critical data out of the door on local storage.
How are we securing these devices, as well as keeping track of and protecting the data on them?
Do you know what data is on these edge devices? Do you have a copy of it? Could you find it if you needed to?
Last but by no means least is our people, both our biggest data security risk and asset. It’s easy to blame our people when we have a data leak, but if a user clicks on a link to a malware-infested site, or falls for a phishing attack, are they the problem or have we not educated them correctly?
Do our users even understand that data security is a problem, something we should take seriously and something that puts our company at risk?
Are we giving our people all the tools they need to ensure they are an asset and not a liability to our data security?
Data security is not going to get any easier as IT models continue to change.
Technology aside, there is a huge focus around the pending General Data Protection Regulation (GDPR). It’s important to understand, not only for the impact on your business, but because it encourages lots of good practice that will be beneficial to your data security.
Data and its security is vital to a modern business. There’s lots of great help and tools out there from Microsoft and others, so understand where you are right now, and start building a robust data security plan that works for you.