The best starting point for effectively safeguarding data and protecting against breaches is to clearly understand what kind of data an organization has, where it’s located and the risks.
“It’s all about the organization having situational awareness of what their business processes are and the type of data,” Hart says. “Until they have situational awareness, they are not actually going to be able to protect their organization. The bad guys have a greater ability of gaining situational awareness around their targets.”
In a video interview at RSA Conference, Hart also discusses:
- What’s involved in developing “situational awareness”;
- How organizations should determine what kinds of data needs to be protected;
- Challenges involved in protecting the internet of things and cloud-based data.
It’s impossible to go a week without seeing some reference to a data breach, whether it’s a write-up of what happened years ago or an update on a breach that is still unfolding. The two breaches I found most interesting, in which a treasure trove of business data (not credit card data) was exfiltrated and subsequently released, would have to be the Sony hack and, more recently, the Panama Papers hack. With this in mind, there has never been a better time to discuss how we think about data protection in our businesses.
Thinking Through Business Data Protection
Data breach reports shed light on how incidents happen and provide an opportunity to learn, and fortunately for us there are lots of them. They almost always confirm how similar all businesses are, regardless of size, specifically in the way we collect and manage data. Managing that data becomes increasingly difficult as companies embrace remote work cultures (geographically distributed teams), adopt cloud-based storage (e.g., Dropbox, Box) and try to keep a connected workforce supplied with mobile devices. This is especially true of small businesses, which are often more willing to employ cost-saving tactics to get off the ground, tactics that can have adverse effects long term.
As a business you will be charged with collecting, storing and possibly using some form of sensitive data. This data is not always credit card information; it includes information about the business itself (HR records, payroll and similar). Additionally, your organization might depend on a vendor whose services require access to your own sensitive information, which makes the vendor’s handling of that data part of your risk.
One might argue that all data should be protected. Ideal, but highly impractical, impossible to scale and in many instances unnecessary. One alternative to assist in the process is to classify the data, so that the controls applied to a record follow from its label rather than being decided case by case. In the military, we had things like Unclassified, Secret, Top Secret, and so on. Using similar nomenclature doesn’t hurt, but you can always come up with your own, even something as simple as Sensitive and Not Sensitive.
It’s important to become familiar with the concept of “encryption”. To encrypt is to take data in a readable state and, using a key, turn it into an unreadable state that is useless to anyone who does not hold that key. The point of encryption, however, is that it can be decrypted when needed. Think of it as a vault: it stores valuable assets but still provides a means to access them. That also means the protection is only as good as the protection of the key itself; an encryption key stored next to the data it protects is a vault with the combination taped to the door.
Data in Transit
When working with data in transit, data objects are moving from point A to point B. While it’s moving between two points the data should be encrypted. Today this is most often achieved with the Transport Layer Security (TLS) protocol, and many of the tools we use already support it. The check worth making is that the tool not only uses TLS but also verifies the certificate of the party it’s talking to; an encrypted connection to an unverified endpoint protects the data from nobody who can sit in the path.
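As an added example that is not part of the original post, the following Go program stands up a local HTTPS server with a self-signed certificate (a stand-in for a vendor API or cloud storage endpoint; the server, the response text and the client helper names are assumptions for the example) and compares three clients: the default one, which rejects the untrusted certificate; a strict one that trusts only the expected root and requires TLS 1.2 or later; and one with `InsecureSkipVerify`, the setting that tends to appear when a certificate error "gets in the way" and which connects just as happily to an attacker as to the real server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newServer starts a loopback HTTPS server with httptest's self-signed certificate.
func newServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "payroll export") // constructed sample payload
	}))
}

// StrictClient trusts only the given roots and refuses anything below TLS 1.2.
func StrictClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	}}}
}

// SkipVerifyClient still encrypts the connection, but to whoever answers:
// an on-path attacker with any certificate can read and alter the data.
func SkipVerifyClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true, // the weak setting, shown for contrast
	}}}
}

// fetch performs a GET and returns the body, or the TLS/HTTP error.
func fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	srv := newServer()
	defer srv.Close()

	// 1. Default client: the self-signed certificate is not trusted, so the
	//    connection is refused before any data is sent.
	_, err := fetch(&http.Client{}, srv.URL)
	fmt.Println("default client:   ", err)

	// 2. Strict client: we pin the root we expect, so the connection succeeds
	//    and we know who received the data.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	body, err := fetch(StrictClient(roots), srv.URL)
	fmt.Printf("strict client:     %q err=%v\n", body, err)

	// 3. Skip-verify client: also succeeds, which is exactly the problem; it
	//    would have succeeded against an impostor too.
	body, err = fetch(SkipVerifyClient(), srv.URL)
	fmt.Printf("skip-verify client: %q err=%v\n", body, err)
}
```

When auditing a tool or integration, grep its configuration and code for the equivalent of case 3 (`InsecureSkipVerify`, `verify=False`, `--insecure`, `-k`); each one is a place where "we use TLS" is true but does not mean what the business thinks it means.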
Data in Use
By design, data in use must be accessible while it’s being worked on, which means it must be in its unencrypted state at that moment. As such, securing it is complicated. For data that’s in use, the best strategy is strong access controls: only the people and systems that need a given record to do their job can reach it, and that access is logged so misuse can be spotted.
Protecting our Business Data is Critical
As my company continues to grow, protecting our business data stays top of mind, and I would encourage all other business owners to treat it the same way. We have a responsibility to our customers and employees to keep their information safe and away from curious eyes. The points above are a few ways to start thinking about how to do that.