We break down the definition of data security and what it means for your company.
Chances are you had a diary or a journal as a kid. Maybe you only successfully wrote in it for a week or two, but man was it a great listener. The perfect place to write lists of all the things that were really ticking you off — but Mommm won't let me sleep over! — and to jot down all your preteen problems.
And chances are you had a lock on that diary. And you hid it under your mattress. And you might have even written in code or invisible ink or switched names around to keep your deepest, darkest thoughts top secret. Because if someone got into it and read your thoughts, you'd be embarrassed, and you might even have gotten in serious trouble.
What you were doing with your diary — hiding it, putting a lock on it, using a secret code — that was all data security. Juvenile data security, sure. But it follows the same principles that companies follow today to keep data safe when the stakes are much, much higher. But since you can't just lock up your business's data and carefully store it under your pillow, we've made this primer to get you thinking about the definition of data security in the corporate world — and what it means for your team today.
What Does Data Security Mean?
"Data security refers to the protection of data from unauthorized access, use, change, disclosure and destruction."
The definition of data security is broad, but in essence it means the protection of data from unauthorized access, use, change, disclosure, and destruction — encompassing network security, physical security, and file security. Far from a single, unified process, data security involves a wide and complex set of answers to a wide and complex series of problems that can arise when trying to secure information.
Data security can include both the protection of your physical location — through locks and video cameras to prevent intruders — and safeguards, such as password protection and two-factor authentication (2FA).
In addition to a password, 2FA requires a user to input a second time-sensitive code, sent to their device, for an extra layer of protection. If a hacker guesses the password, she or he must also have your physical device handy to recover your code and enter the site.
The definition of data security can touch on experimenting with new features, like Apple's FaceID for mobile devices, or simply upgrading old systems to patch holes in your software.
For individuals, data security can take the form of precautions like backing up your devices on a regular basis and creating passwords that are long and complex (challenging for hackers to guess), and even everyday steps like keeping your computer safe in a backpack compartment instead of loose in an open bag.
But for companies, data security often requires more thought.
Key data-security considerations for companies
For companies, there are additional criteria to think through before implementing new data-security policies and procedures, including the following:
- What size is your company?
- Where is your company located? (Are you in one physical location or spread out as a remote team?)
- What is your industry?
- What devices are you securing? (Desktops, tablets, mobile devices?)
- Who needs to have access to what data?
- How much time and effort can your internal team expend on security?
- What is your current level of data-security expertise?
Taking the definition of data security as a series of layers that protect your sensitive information, such as personal data from new customers, will help you understand how to better bolster your entire organization against unauthorized users.
There are a lot of different measures that you can take to protect and secure your company's digital information that all fall under the umbrella of "data security." But instead of going with a DIY or piecemeal method, taking more holistic action after thinking through your needs will ensure that you don't miss critical portions.
What Are Best Practices for Data Security?
There are many parts to a comprehensive data-security solution. What follows here is not meant to be a step-by-step breakdown of everything you need to do to create perfect data security; it's an overview of the heavy hitters that come together to create a good foundation for data security. What a best practice looks like for your business will depend on many factors, such as size, industry, location, and existing tools and policies.
- Manage your identity by restricting access to sensitive documents. Sometimes called data classification, managing who can see what based on their user ID is a great way to keep sensitive information restricted to only those who need to see it. This limits the amount of damage that can be done if someone's username or login details are stolen. IAM companies like Auth0 are set up to handle different permissions based on the user, and this is a key point in a good data-security policy.
- Encryption is one of the best tools that we have to keep data safe, but it isn't a monolith. You can't just decide to encrypt all of your data and call it a day — that's not exactly how it works. Often, software tools that you use for your business will have some sort of encryption offered, and that's a great place to start. Your information-backup service, for example, should be able to encrypt that data for you. You should also make sure you encrypt transmissions to add another layer of security onto any information you send.
Think of encryption as taking your plain data and turning it into a secret code that only you can make heads or tails of — not the bad guys. We don't recommend using historical documents as keys to encryption, though.
- Be prepared for the mobile workforce. As mobile devices take over the workplace, your security threats grow. You need a mobile security plan to keep everyone in line. This should include an enforced protocol for employees, like staying off public Wi-Fi on work devices and having a company-mandated antivirus on mobile devices.
- Protect user data at the source. When customers and employees log in for the first time (or repeated times), you can verify and secure their information with secure authentication practices like social login. This not only simplifies the process and reduces the risk of churn, but it also helps organize all of this sensitive data in a single location instead of in multiple databases and spreadsheets that can easily be lost.
Preparing for Threats
- Test how good your system is. The best defense is a good offense, and the best offense in secure data recovery is working to ensure you don't lose your data in the first place. Either create an internal team to stress-test your system, or find someone outside your company to do it, but don't leave your security to chance.
- Educate your employees. Common data-security attacks like spear-phishing emails and USB traps target employees who are unaware of the risks and have let their guard down. Circulating everyday tips like those from Wombat Security or implementing Inspired eLearning's executive training can go a long way toward mitigating these risks.
- Have an incident-management plan. When you find out that your company's security has been compromised, the last thing you want to do is panic. Having a comprehensive protocol can keep blood pressure down and limit the damage done. Yes, IT needs to be aware of what to do, but you should also create guidelines for management, letting employees know, and next steps for recovery. (See how Reddit handled their recent breach.)
- Make a secure data recovery plan in case of corruption or the unhappy scenario where something you need has been deleted or compromised. For many teams, this means having a backup copy of data that is regularly updated. The backup itself will have to be protected and should also be separate from the rest of your data.
- Know how and when to let go. When it's time to get rid of information, you need to know how to dispose of it properly. When you have to throw out sensitive information on paper, you shred it. You cut up your credit cards and write "VOID" on checks before disposing of them. Digital data is no different. Make sure that when you're wiping information, it's really gone and not lingering somewhere that will come back to bite you.
- Don't forget physical copies. If any of your backups are on paper, are stored on a thumb drive, are X-rays or microfilm or negatives — or anything else that's physical and totally separate from your digital systems — don't forget about them. When you're deleting digital information, make sure that part of the process is double-checking to see whether that information has a physical counterpart and, if so, destroying it in kind.
Compliance risks (check)
"There are rules and regulations that govern what you should and cannot do with your business's data, and they can help lower your risks."
There are rules and regulations that govern what you should and cannot do with your business's data, and they can help lower your risks. Especially if you are dealing with sensitive information, looking toward these laws and guidelines will help give you a better sense of what is appropriate for your company. For example, it's likely that companies in the medical field are required to follow HIPAA requirements.
You can also reduce compliance risks by following open standards. Take identity management, which has guidelines that are available for everyone to follow, with the explicit purpose of being as safe and responsible as possible. Auth0, for example, is OpenID Connect certified, which means we follow the official OpenID specifications and have done the legwork to keep your data secure.
Of course, everyone is talking about the GDPR and related laws like the California Consumer Privacy Act(CCPA). These points for data privacy and sharing will help broaden and deepen your existing protocol.
To ensure that you are exposed to the least risk possible, be thorough in your investigation of the laws that apply to your company and the best practices that have developed in your field or for your concerns. This will depend heavily on industry and location, but it needs to be done correctly to ensure that your data security is as good as possible.
The Importance of Mobile Data Security
In the first half of 2018 alone, mobile attacks hit 150 million — and attacks are set to rise 24% each year.
For this reason, the need for better mobile data-security solutions is urgent.
The number of mobile-phone users, currently over 3 billion, is set to top 3.8 billion by 2021.
This creates an enormous surface for attacks in the next few years.
There are several steps you can take to enhance your mobile data security:
- Regularly update all apps to protect against spyware threats.
- Delete inactive apps. (Providers could have suspended or removed access to them due to a security breach.)
- Before downloading new apps, check the list of permissions requested. (If these seem too invasive, employees should skip the download because it could contain mobile malware.)
- Create unique passwords for every new mobile account. Never default to standard logins.
- Use communication apps that encrypt data transfers to restrict access.
- Require 2FA to access internal tools.
- Make sure employees know how to access their devices remotely. If a device is lost or stolen, being able to quickly delete or transfer information is critical.
Mobile data security isn't just for smartphones and tablets. This now includes smart watches and other wearable tech, along with video conferencing and other workplace productivity tools. Mobile security threats will continue to multiply as IoT devices become more common. Teams need to keep up with the latest mobile data-security procedures to stay safe.
Stay safe, be smart
Creating a comprehensive data-security policy for your company can be a tedious task, but it's one of the most important things you can do for your company and for your customers — we don't need to remind you how bad a breach can be.
And if you need a head start on using identity management as part of a comprehensive data-security solution, there's no better place to look than Auth0. We can help you cover a variety of compliance risks, manage your data classification, and encrypt user information. Read our case studies and learn more about the security and standards we use to dig deeper into our solutions.