Data Security Management: An In-Depth Guide
29 November 2021
“We now live in a business landscape where information and technology have become critical to enterprises all over the world,” says Magda Chelly, public speaker, author, former CISO, and cybersecurity expert.
As businesses rapidly expand and embrace new technologies such as cloud networks, the internet of things (IoT), and artificial intelligence, they become more reliant on technology to run and manage their operations. Gone are the days when customer data was kept in locked boxes and filing cabinets. Most client data is now digital rather than printed. “The result of these changes is that security attacks are also now digital—data breaches, for example, have become more routine,” Chelly explains.
What does it take to keep striving for success in this digital frontier? You need to become very familiar with data security management, a concept you’ll learn more about in this guide.
Chapter 1: What is data security management?
Data security management is the practice of analysing, overseeing, controlling, and safeguarding an organisation’s data to ensure authorised parties only access and use it in intended ways.
“The hunger for more and more data in business has exponentially increased the risk of attacks to steal that data,” says Alina Clark, data analyst and cofounder of CocoDoc. “That’s because data is a critical asset for businesses.”
From a security standpoint, Clark says the biggest risk associated with data is a breach. Breaches may be caused externally, but they're more frequently caused by internal events. For instance, data leaks are frequently tied to employees, rather than third-party access. “As such, it’s essential to train employees on good data handling skills. Not only that—you need to strategise your data security management approach and implement a data security management system.”
Chapter 2: Data Security Threats
What looms on the cyber horizon? Experts share the top five threats your business could face below.
1. Phishing Attacks
Phishing attacks occur when an attacker poses as a trusted contact and persuades a victim to click on a malicious link, download a malicious file, or provide sensitive information, account details, or credentials.
“Phishing attacks are the most dangerous, damaging, and prevalent threat to small businesses,” says Gerrid Smith, CMO of Joy Organics. “Phishing is responsible for 90 percent of all data breaches, has increased by 65 percent in the last year, and has cost businesses more than $12 billion.”
Devon Fata, CEO of Pixoul, agrees about phishing’s prevalence, noting how these attacks “remain the preferred method for criminals to gain access to a company's systems. By sending emails claiming to be from the IT department, for example, it's easy to fool unwary employees into giving away login credentials and other key security data.”
2. Password Reset Exploits
Password reset systems represent a security threat not everyone thinks about. Fata says that when these systems are improperly designed, hackers armed only with a username or email address can often not only gain access to a system but lock legitimate users out.
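The two failure modes described above (an attacker who knows only a username either getting in or locking the real user out) both come from the design of the reset flow rather than from any single bug. The following is an added example, not code from the article or from any of the people quoted in it; the user store, the `alice` account and the timing values are constructed for the demonstration. It shows the properties a defensible reset flow needs: a generic reply that does not reveal whether the account exists, an unguessable single-use token that is stored only as a hash and expires quickly, a per-account request throttle, and, crucially, no change to the existing password or sessions merely because a reset was requested.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # reset links expire quickly
MAX_REQUESTS_PER_HOUR = 3     # throttle reset spam aimed at one account
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; parameters kept modest for the demo
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


@dataclass
class ResetRecord:
    token_hash: str      # only a hash of the token is kept server-side
    expires_at: float
    used: bool = False


@dataclass
class UserStore:
    credentials: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # user -> (salt, hash)
    resets: Dict[str, ResetRecord] = field(default_factory=dict)
    request_times: Dict[str, List[float]] = field(default_factory=dict)


def make_demo_store() -> UserStore:
    """Constructed sample data: a single account, not real credentials."""
    store = UserStore()
    salt = os.urandom(16)
    store.credentials["alice"] = (salt, hash_password("correct horse battery staple", salt))
    return store


def verify_password(store: UserStore, username: str, password: str) -> bool:
    rec = store.credentials.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, hash_password(password, salt))


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(store: UserStore, username: str, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Always answer with the same message so the reply does not reveal whether the account exists.
    Returns (message, token); token is None unless a reset e-mail should actually be sent."""
    now = time.time() if now is None else now
    if username not in store.credentials:
        return GENERIC_REPLY, None
    recent = [t for t in store.request_times.get(username, []) if now - t < 3600]
    if len(recent) >= MAX_REQUESTS_PER_HOUR:
        return GENERIC_REPLY, None
    recent.append(now)
    store.request_times[username] = recent
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
    store.resets[username] = ResetRecord(_token_hash(token), now + TOKEN_TTL_SECONDS)
    # Deliberately nothing else changes: the current password and sessions stay valid,
    # so someone who merely knows the username cannot lock the real user out.
    return GENERIC_REPLY, token


def complete_reset(store: UserStore, username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the token only if it is unused, unexpired and matches (constant-time compare)."""
    now = time.time() if now is None else now
    rec = store.resets.get(username)
    if rec is None or rec.used or now > rec.expires_at:
        return False
    if not hmac.compare_digest(rec.token_hash, _token_hash(token)):
        return False
    rec.used = True  # single use
    salt = os.urandom(16)
    store.credentials[username] = (salt, hash_password(new_password, salt))
    return True
```

In a real deployment the token would be sent out of band (e-mail or SMS) and the `request_times` throttle would live in shared storage; the example keeps everything in memory so it runs offline.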
3. Lack of Employee Security Awareness Training
Dana Wills, information security consultant at Asteros, says the top data security threat comes from lack of proper employee security awareness training. Untrained employees are more likely to fall victim to social engineering and phishing attacks, which are the most common ways attackers breach organizations.
“All employees and contractors should undergo training on how to spot and respond to scam emails, malicious phone calls, and safe social media use, as well as any position-specific instruction, such as secure coding,” Wills explains.
4. Outdated Software
“Using outdated software is often how attackers propagate throughout networks once they've gotten in through phishing,” says Wills. Attackers exploit unpatched systems to gain increasing amounts of access until they can successfully steal user data.
“Organisations should work to create and continuously strengthen their vulnerability management programs until they can quickly identify and address security issues,” Wills explains. “This includes conducting comprehensive vulnerability scans and penetration tests, and auditing cloud environments for security issues.”
5. Malware
Bradley Bonnen, CEO of iFlooded Restoration, calls out malware as a significant security threat. This threat category covers a wide range of cyber dangers, including trojans and viruses. It's a catch-all phrase for malicious software written by attackers to gain access to networks, steal data, or wipe data from systems. Malware is usually spread by malicious website downloads, spam emails, or connecting to infected computers or gadgets.
“Malware attacks are particularly dangerous because they can cripple gadgets, resulting in costly repairs or replacements,” Bonnen explains. “They can also provide attackers with a backdoor into data, putting customers and employees in financial and even physical danger if the attacker finds their contact information.”
Chapter 3: Data Security Laws
A number of data security laws exist within the UK. Following are the three most prevalent ones.
1. General Data Protection Regulation (GDPR)
The GDPR is said to be the “toughest privacy and security law in the world.” While this law was passed in the EU in 2018, its requirements apply to any organisation that targets or collects data related to people in the EU. So a company in the US or Australia can be penalized for going against GDPR regulations if it has EU customers or otherwise collects data related to EU residents.
As part of the law’s scope, you must:
- Process data according to seven protection and accountability principles (including transparency and accuracy)
- Demonstrate that you are GDPR compliant
- Handle data securely by implementing appropriate technical and organisational measures
- Follow strict guidelines on consent to process a person’s data
- Abide by specific situations in which you are allowed to process data
2. UK Data Protection Act 2018
The UK’s Data Protection Act 2018 (DPA) controls how personal information is used by various entities in the public and private sectors. This act is said to be the UK’s “implementation of the GDPR.”
While nearly identical, the DPA has subtle distinctions that set it apart from the GDPR. For example, the DPA is split into several different parts—each applying in different situations and performing different functions:
- Part 2: General processing (UK GDPR). This part supplements the GDPR and is applicable to most organisations; it should be read in tandem with the GDPR.
- Part 3: Law enforcement processing. This part is specific to authorities with “law enforcement functions” when processing data for law enforcement purposes.
- Part 4: Intelligence services processing. This part is for intelligence services, such as MI5, SIS, and GCHQ.
3. Privacy and Electronic Communications Regulations (PECR)
In concert with the GDPR and DPA, the PECR provides specific privacy rights to people as it relates to electronic communications. It includes specific rules for:
- Marketing calls, emails, texts, and faxes
- Website cookies and similar technologies
- Security of communication services
- Customer privacy for traffic and location data, directory listings, and more
Chapter 4: Data Security Management Best Practices
What can you do to help safeguard your organisation’s data? The following four best practices offer a great starting point.
1. Practice penetration testing.
Ewen Finser, CEO of The Digital Merchant, recommends penetration testing or “pentesting” as it’s sometimes called. This is a practice where people—typically experts you would hire externally—invade your computer system strategically to identify weaknesses and gaps in your network or system.
“Pentest is a type of ethical hacking that will define the security posture of your system when being attacked by cybercriminals,” Finser explains. “As much as possible, you want to find loopholes in your system and fix them. Through pentesting, you’ll be able to identify your system’s weaknesses, improve them, and push your system toward being impenetrable.”
2. Employ two-factor authentication.
“Two-factor authentication for logins has become more common throughout IT,” says Fata. “By requiring not only a password but a confirmation code from a separate device, usually a phone, you greatly increase the security of user credentials while also making things easier on the user. There is less emphasis on memorizing passwords or answers to security questions.”
3. Implement user-based access.
Blake Burch, CEO of Shipyard, says every user and tool that accesses company data should do so through separate user profiles. That way, you can efficiently track down the who, what, and when aspects of data access events.
“Too often, companies get in the habit of using multiple tools and having a single user provide the credentials once that everyone then uses,” Burch explains. “The result is a situation where it's impossible to know the particulars of a data access event, which is troublesome when data has been corrupted or stolen.”
4. Document your security policies and procedures.
“It’s critical to have clear documentation around cybersecurity policies and procedures,” says Daivat Dholakia, VP of operations at Essenvia. It’s difficult to protect yourself against cyber attacks and deal with any incidents if you don’t have a clear policy in place.
“Companies should have a handbook for how sensitive data is to be handled, as well as what to do if data gets compromised,” Dholakia explains. “They should also outline the specific consequences that will occur if a person knowingly violates or breaches the company’s data protection. Having clear outlines will let people know how to act, the consequences of their actions, and what to do in a cyber crisis situation.”
Chapter 5: Data Security Tools
How do you keep your organisational data protected? Check out the five tools industry experts recommend below.
1. Firewalls
Firewalls are security devices that can be hardware or software (or both) that monitor incoming and outgoing network traffic and decide whether to restrict traffic based on a set of specified security rules. These devices prevent unwanted traffic from entering the system, thereby preventing infection from harmful malware.
“Firewalls sit in between the user’s device and the internet and, by examining every packet, stop bad traffic from entering the user’s device,” says Daniela Sawyer, founder and cyber security manager at FindPeopleFast. “Some good firewalls maintain a list of bad IP addresses from the internet and alert users of any data transfer attempt from these addresses. This tool can further help users in avoiding potential phishing attacks by warning them about a phishing site.”
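To make the “set of specified security rules” and the “list of bad IP addresses” concrete, the following is an added example, not code from the article or from Sawyer: a minimal packet filter that checks the remote address against a blocklist first, then walks an ordered rule list and applies the first match, and denies anything that matches nothing. The rule set, the blocklist and the packets are constructed for the demonstration and use only RFC 5737 documentation ranges and RFC 1918 private space; no real addresses are implied.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the protected host) or "out" (leaving it)
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; default matches everything
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
        )


# Constructed blocklist (a documentation range), standing in for a threat-intel feed.
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed policy: outbound HTTPS, outbound DNS to one resolver, inbound SSH from the LAN only.
RULES: List[Rule] = [
    Rule("allow", direction="out", proto="tcp", dport=443),
    Rule("allow", direction="out", proto="udp", dst="192.0.2.53/32", dport=53),
    Rule("allow", direction="in", proto="tcp", src="10.0.0.0/8", dport=22),
]


def evaluate(packet: Packet, rules: List[Rule] = RULES,
             bad_networks=BAD_NETWORKS) -> Tuple[str, str]:
    """Return (decision, reason): blocklist first, then first matching rule, then default deny."""
    remote = packet.src if packet.direction == "in" else packet.dst
    remote_ip = ipaddress.ip_address(remote)
    for net in bad_networks:
        if remote_ip in net:
            return "deny", f"blocklisted address {remote} in {net}"
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, f"rule {index}"
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("out", "10.1.2.3", "198.51.100.10", "tcp", 443),
        Packet("in", "198.51.100.5", "10.1.2.3", "tcp", 22),
        Packet("out", "10.1.2.3", "203.0.113.7", "tcp", 443),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
```

Rule order matters in a first-match engine, and the final "default deny" line is what makes the policy allow-listing rather than block-listing; the reason string is returned so that every decision can be logged with the rule that produced it.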
2. Virtual Private Networks (VPNs)
Short for virtual private network, a VPN is a virtual network tunnel established between two systems on the internet. It transfers data between two nodes in encrypted form and makes any in-between node unable to understand the transmitted data, thus making the system immune to attacks.
“VPNs provide security even in open public Wi-Fi hotspots,” says Sawyer. “Since the data flows in encrypted form, even ISPs can’t track users’ activities. It protects users from profit-seeking ISPs that collect and sell users' browsing-related data to other companies.”
3. Endpoint Security Solutions
These types of security solutions safeguard endpoints, such as desktop and laptop computers, mobile devices, and IoT devices. Attackers often target endpoints to gain access to a broader network of devices, system resources, and other assets.
“With the rise of fully remote companies comes the prevalence of the bring-your-own-device culture,” says Nick Drewe, CEO of Wethrift. He says employers often require remote workers to provide their own equipment—a practice that tends to compromise cybersecurity. Drewe says your best approach is to invest in a data security management system that includes endpoint security, or implement a standalone endpoint security solution.
“Ensure that your files are protected end-to-end and that your users have limited access,” Drewe explains. “Keep track of everyone accessing your platform. Also, if possible, ask your employees to use company-provided endpoint security applications on their devices during work hours.”
4. Antivirus Software
Antivirus software is generally considered your first layer of protection or defense for your data. This kind of software actively searches for bad viruses, trojans, and rootkits and works to block them before they can do any damage to your system.
“Your data can easily fall victim to viruses, so antivirus software is incredibly important and an effective way to prevent it from being stolen, damaged, or modified,” says Dholakia.
5. Physical Authenticators
A physical authenticator is a tangible device that helps address the “something you have” aspect of security authentication. Typically found in key fob form, these devices allow for password-less entry into a system or physical structure.
“Many companies use physical authentication tokens for logins and other use cases,” says Melanie Hanson, CEO of EducationData Loan Finance. “For example, you see businesses using RFID key fobs to control building access. This type of tool helps the biggest vulnerability of any system—the users—more readily abide by desired security practices.”
Conquer Your Business Process Goals With A Winning Collaboration Solution
Glasscubes is a robust, secure collaboration solution that enables you to share and manage important documents, keep track of projects, and stay in touch with team members across the organisation.
Your data security management efforts are supported by secure file sharing and user-level access features. You control who has access to what data. There’s also built-in auditability—you can track all actions taken by employees within our solution.
Further, Glasscubes uses the highest levels of SSL encryption, and data is encrypted in transit and at rest. In addition, all data is distributed across a minimum of three different physical locations across the UK for additional protection.
With Glasscubes, you can:
- Request files from clients in a secure, easy-to-use manner. Avoid the hassle of hunting down important information and doing follow-ups to get what you need.
- Collect, process, and approve information through customisable, automated forms and workflows that include user assignees, assignee follow-ups, and completion alerts.
- Create customised workspaces for each project team in your portfolio. Team members can share resources and communicate with one another in their specific workspace, and you can access them all for easy oversight.
Want to see how other companies are using Glasscubes to support their teams? Check out these case studies from happy clients.