Data security is not just about implementing the latest tools. While tools and software are critical, good security is also about a process. The methods companies use and the procedures they develop determine the impact and scale of a cybersecurity attack. Security weaknesses lie not just in systems, but in people too. Learn about the top data security methods for large businesses with this comprehensive blog post.
Defining Data Security
Despite some minor differences, data security is essentially another name for information security or computer security. Data security uses policies and technology to thwart unauthorized access to databases, computers, and websites. Furthermore, data security efforts strive to prevent data corruption. Security measures are designed to protect data throughout its different stages: creating, editing, and transmitting. Data security encompasses company activity on applications and platforms by using techniques like data masking, data erasure, and backup storage. Other tactics involve encryption, tokenization, authentication (like biometric verification), and key management.
What Does Data Security Protect?
With every company seeking an advantage in its respective market, proprietary information is closely guarded. Data security helps safeguard intellectual property and company assets. Moreover, almost all companies process and store customer data. Protecting the integrity of that data ensures customer loyalty and maintains a company’s reputation. From receiving data to storing it or transmitting it, companies use data security to prevent malicious attackers from stealing customer information. Protecting customer data isn’t just about reputation, though; it also saves companies money, since many regulations impose penalties if inadequate security measures are in place. In short, data security strives to defend people, processes, and technology.
Small vs Large Business Data Security
For large companies, cybersecurity is important, but when breaches occur, the penalties do not always instigate data security reform. With large annual profits, fines, reimbursements, and other reparations do not always cause the type of financial damage needed to inspire better security. Or in some cases, large companies take the hit but do not implement meaningful change. Take Target for example. The 2013 breach of Target’s system that compromised credit cards, debit cards, and the Personally Identifiable Information (PII) of customers cost the company approximately USD 105 million, not even 1 percent of the company’s 2014 sales.
So what makes big businesses take security seriously? Investor confidence and customer perception have a large impact on how companies operate. Investors want predictability, at least when it comes to profits, and customers want trustworthy companies. This means that while fines or legal troubles could be avoided by improving security, the real losses companies face by failing to adequately protect data are their customer bases over the long run and the investment that funds future innovation.
This contrasts with small businesses, which would fold under heavy fines and may not be publicly traded. A 2018 business security report found that threat actors are shifting toward attacking smaller businesses. Smaller companies, thinking they are less of a target, tend to have minimal data security measures. This new trend means much of the cyber community has been stressing small business data security more than large business security. Despite this shifting threat landscape, it is vital that large businesses continue to test and improve their data security measures.
Five Large Business Data Security Methods
Many large businesses already use rigorous security methods. Since they have had years to grow and learn from the mistakes of other companies, large entities tend to already have robust threat monitoring and proactive security policies in place. Below are five methods recommended for large businesses looking to revitalize their data security methods.
- Understand the lifecycle of data – Large companies with successful security policies know their data. More importantly, they know where it is stored and how it is used. Mapping data flow enables companies to better assess weak points. Additionally, large companies employ discovery tools that enable them to make sure data is accessible by only authorized devices or personnel. These capabilities allow large companies to be GDPR compliant as well as fulfill other privacy/transparency standards.
- Encryption across the board – Large companies handle not just a lot of data but a variety of data. This heterogeneous pool of data makes them prime targets. To protect their data, large companies use encryption for computers, data at rest, data in transit, and data in the cloud. USB devices and phones should also utilize encryption if they handle sensitive data. Another important key to encryption is knowing what does and does not warrant encryption. Not all data needs to be encrypted, but PII, PHI, and intellectual property typically require encryption. Encryption serves as a security precaution for remote-working and employees traveling. With greater accessibility and flexibility when it comes to where a person works, encryption helps secure devices and maintain data integrity regardless of what network a device is on.
- Use cloud security tools – Large companies today use the cloud in some manner, whether it is for data storage or as a software platform. However, unless the cloud is created and run internally, large companies do not control the security measures of the cloud. Rather, the Cloud Service Providers (CSPs) do. This lack of control makes most IT departments nervous; consequently, they use cloud security tools for encrypting data before it is uploaded to the cloud, protecting and monitoring endpoints, ranking data by risk level, and tracking data movement within the cloud. The variety of tools available continues to expand, offering companies greater control over cloud data security. Hongkiat and Softwaretestinghelp offer lists of tested and emerging software solutions for the cloud.
- Educate employees – Employees and human error cause the majority of data breaches, according to a Red Team security report. Training is part of virtually every security best-practice list, but it can sometimes fall by the wayside for large companies managing thousands of employees. Large companies are now putting more emphasis on training both low-level employees and high-level executives in data protection. Using access management tools significantly helps large companies restrict access to sensitive data, making sure only those who need access have it. Likewise, training elaborates on office best practices, like not leaving a device unlocked and unattended or leaving sensitive notes lying around in common areas.
- Develop BYOD policies – Developing a BYOD policy is becoming more and more critical for large companies. Allowing employees to bring their own devices can save money, but it also means those devices are not uniformly secure. Moreover, since employees usually take these devices home, they are outside the company’s safe network. To address this issue, many large companies restrict what sensitive information can be transferred to personal devices or devices that go off-premise. Another method is to offer employees the option to upgrade their device security to the level of the company’s devices. For example, some companies have an automatic delete program designed to wipe proprietary information from a device if it crosses outside a certain geolocation perimeter.
Technology for Data Security
As noted above, companies utilize a variety of tools and techniques to mitigate security threats to data. While many tools focus on external threats, authentication tools and log-in records assist in monitoring internal threats as well. Below are the common types of data security methods large companies utilize.
Data masking – Data masking produces a substitute data set that keeps the structure and format of the original data but changes its values, using techniques such as encryption, character or word substitution, and character shuffling. Because the real values are replaced, the masked data cannot be reverse engineered back to the original. It also makes data sets easier to test with, without compromising the integrity of the production data.
Data erasure – Don’t keep data that isn’t necessary. If a customer cancels an account, delete the data. If a customer does not wish to be on an email list, delete the data.
Data backups – Keeping data backed up helps ensure accessibility. Backing up data should include databases and files in addition to systems, configurations, and applications. Backup methods should include tablets and mobile devices. Implementing storage backups mitigates the impact of ransomware or other attacks.
Encryption – Data encryption scrambles data using a cipher that can only be reversed with the corresponding keys. Data can be encrypted at rest or in motion. Symmetric and asymmetric encryption differ in the keys used: symmetric encryption uses the same key on the sending and receiving end, while asymmetric encryption uses two different keys.
Tokenization – Tokenization replaces data with unique identification symbols. This process enables companies to retain data but in a more condensed, secure format. A number/symbol is generated that links to the location of the plaintext data in the database. Tokenization is often used when social security numbers or payment card information is stored.
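The masking and tokenization entries above describe two different trade-offs: masking destroys the link to the real value so a test copy can be shared, while tokenization keeps that link inside a vault so the plaintext can be recovered by an authorized system. The following Python is an added illustration written for this post, not code from the original article or from any vendor; the sample record, the `tok_` token format and the `TokenVault` class are all constructed here.

```python
import random
import secrets

# Constructed sample record (not a real card number or person).
SAMPLE = {"name": "Ada Example", "pan": "4111111111111111"}


def mask_pan(pan: str) -> str:
    """Masking by character substitution: format and last four digits survive
    for testing, the real account number does not, and nothing can reverse it."""
    return "".join(secrets.choice("0123456789") for _ in pan[:-4]) + pan[-4:]


def mask_name(name: str) -> str:
    """Masking by character shuffling: same letters and length, no link back."""
    chars = list(name)
    random.SystemRandom().shuffle(chars)
    return "".join(chars)


def mask_record(rec: dict) -> dict:
    """Test copy of a record with every sensitive field irreversibly masked."""
    return {"name": mask_name(rec["name"]), "pan": mask_pan(rec["pan"])}


class TokenVault:
    """Tokenization: plaintext lives only in the vault; callers store a random
    token. Unlike masking the mapping is kept, so the vault can hand the
    plaintext back, but only to a caller that is authorized to see it."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:            # one PAN -> one token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:         # guard against a collision
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        """Reverse lookup, gated on an access decision made outside the vault."""
        if not authorized:
            raise PermissionError("caller is not allowed to detokenize")
        return self._by_token[token]
```

A database that stores only the token can be copied, backed up or queried without ever holding the card number; the vault becomes the single place where access to the plaintext has to be controlled and logged.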
Authentication – Authentication can vary from two-factor (2FA) to four-factor (4FA) and sometimes involves physical keys.
Big Business Security Threats
In many ways, big security breaches are the ones we hear about the most, but most of the attention is on the repercussions for consumers, not on how the attacks occurred or how to prevent them. Below are three high profile security breaches involving large companies and recommendations on how to improve security measures to reduce the chance of a similar attack.
Target – In 2013, hackers breached Target’s systems and compromised the PII, credit cards, and debit cards of customers. The attackers used vendor information to initially infiltrate Target’s system and then installed malware on the point-of-sale (POS) systems. The breach involved numerous steps and access to different areas of Target’s system. At the time, Target was compliant with PCI standards. SANS Institute conducted a case study on the Target breach and recommended the following steps to prevent similar attacks:
- Don’t rely solely on mandated compliance guidelines. For example, PCI guidelines only cover payment assets and neglect other vulnerable assets.
- Conduct organization-wide risk management activities to identify threats and vulnerabilities. Then use a risk analysis matrix to select a risk level for each vulnerability.
- Use a layered security approach (e.g., Defense in Depth).
- Constantly review and monitor critical controls.
Marriott – In 2018, Marriott International revealed 500 million customer accounts were compromised. The initial breach dated back to 2014, when a company later acquired by Marriott, Starwood hotel brands, was hacked and a Remote Access Trojan (RAT) was installed. Marriott acquired Starwood in 2016, and along with it, the associated vulnerabilities. The hack exposed encrypted guest records, passport numbers, and credit card information. However, experts believe several measures could have been used to prevent and mitigate such a large-scale attack.
- De-identify information in transactional systems as well as analytical systems.
- Use tokenization and encryption.
- Implement a holistic approach to cybersecurity.
Facebook – In September 2018, Facebook announced that 50 million user accounts were compromised due to multiple bugs with the “View As” feature. The breach allowed hackers to gain the tokens (that link to usernames and passwords) of users. The breach also compromised accounts that used Facebook to sign in to other platforms. Experts suggest companies:
- Place limits on single sign-on features. Single sign-on allows people to log into third-party accounts via their credentials from another website (like a Gmail or Facebook account). However, this means that when a security breach like Facebook’s occurs, the aftermath is widespread and hard to contain.
- If using single sign-on, require the user to re-enter their credentials rather than automatically signing the individual in. This is more secure because it requires user credentials and not just the tokens.
In addition to the above recommendations, a 2017 survey found that large businesses are more prone to phishing attacks but that two crucial aspects to big business cybersecurity rest on security software and data redundancy/back-ups. The larger the company, the more comprehensive the tools needed to monitor and test systems.
Small and medium businesses are indeed facing more threats. Yet, large companies face a greater fall-out from an attack. Large companies are more interconnected, meaning a large company hack affects many other companies. Just consider Google and Facebook’s recent hacks. Without a holistic, ever-evolving security plan, large companies will continue to succumb to massive data breaches. If you need help assessing your company’s vulnerabilities or assistance developing a more comprehensive security plan, contact RSI Security today.