5: Data Security

Data security is the process of safeguarding the sensitive assets of an organisation from unauthorised access through a mix of procedures and instruments and preventing unwanted access to sensitive data.

Data Security can often be used interchangeably with terms like “Data Protection” and “Data Privacy”. However, the difference lies in the reasons for securing data. It encompasses employing cybersecurity techniques such as encryption, access controls (both physical and digital) and more to protect your data from being misused. In short,

• Data Security is about protecting data from cyber threats (both internal and external).
• Data Protection is about ensuring that data is handled and stored in a compliant way.
• Data Privacy is about protecting rights of individuals with respect to their personal data.

Importance of Data Security in a workplace

• Protection against data breaches
• Maintaining customer trust
• Protecting trade secrets and intellectual property that are crucial to the company's business operations and competitiveness.
• Compliance with legal and regulatory requirements and thereby avoid financial penalties

Industry Best Practices

Here are some best practices that an organisation can implement to protect the company’s and its customers’ confidential data:

1. Appoint a Data Protection Officer

Regulations like GDPR require businesses to appoint a DPO(Data Protection Officer). These autonomous individuals are responsible for overseeing an organisation's compliance with data protection laws and regulations for key business stakeholders like employees, customers, and providers.
Some key activities carried out by a DPO may include:

• Serving as a point of contact for data protection authorities and individuals whose data is being processed by the organisation.
• Assisting with Data Protection Impact Assessments(DPIA).
• Managing data protection training and awareness programs for the organisation.
• Regularly monitoring compliance and providing guidance on data protection matters to the organisation.

2. Develop a Data Security Policy

In today’s day and age, it is imperative to develop a written policy that outlines how data will be protected and specify the roles and responsibilities of employees in maintaining data security.

It is crucial to consider the ‘CIA triad’ when considering how to protect customer data:

• Confidentiality
• Integrity
• Availability

Components of such policy should Include:

• Classify data and Identify the types that need to be protected. Classification will help you determine the appropriate level of security measures needed.
• Identify which employees, contractors, or other parties need access to data and specify the level of access they should have. Access controls can be physical, technical or administrative. These controls should be granted in strict accordance with the principle of least privileges.
• Define Data Security measures that would be Implemented based on the types of data and the parties that have access to them. These measures may Include things like data encryption, access controls & passwords.
• Establish defined procedures to handle data breaches which can Include responding to data breaches, including steps for reporting the breach, determining the extent of the damage, and taking steps to prevent future breaches.
• Communicate data security policy to employees and get it reviewed by C-level executives.

3. Implement version management & database auditing

Implementing version management and database auditing are important steps in ensuring data security in the workplace. Version management involves keeping track of changes made to data and storing multiple versions of the same data, so that previous versions can be easily accessed if necessary. This can help ensure data integrity and facilitate recovery in the event of data loss or corruption. Database auditing involves tracking and logging all access to a database, including who accessed it, when, and what changes were made. This can help detect unauthorized access and identify potential security breaches. Database auditing can also aid in compliance with legal and regulatory requirements, such as HIPAA, PCI-DSS, and GDPR.

Both of these techniques require a set of tools, policies, and procedures to be put in place, and regular monitoring, testing and review.

4. Educating employees

According to a study conducted by IBM and The Ponemon Institute,some of the root causes of data breaches were compromised credentials (often due to weak passwords) and phishing scams.
Regularly training employees on data security best practices, including recognizing and avoiding phishing attempts, can be a strong defense against data breaches.
While technologies like firewalls are important for protecting your data against security threats, your teams’ vigilance might be even more so crucial.

In addition , it is important to keep the software and systems updated, and to educate employees on how to use the tools and systems in a secure way.

Case Study

A Case of Equifax

Equifax is a major credit reporting agency that collects and maintains personal information on millions of consumers, including sensitive information such as social security numbers, birth dates and addresses.

On September 7, 2017, Equifax announced that a data breach had occurred between May and July of that year. The company stated that the personal information of approximately 147 million consumers, including names, addresses, social security numbers, birth dates, and some driver's license numbers, had been compromised. It was later revealed that in addition to the aforementioned data, 209,000 consumers had their credit card information exposed and that certain dispute documents with personal identifying information of approximately 182,000 consumers were accessed.

The cause of the breach was ultimately traced to a vulnerability in the company's website software, specifically in the software package known as Apache Struts. Equifax had failed to patch the vulnerability even after a patch had been made available by Apache and the breach occurred because the hackers were able to exploit that specific software.

Consequences of the data security breach;
The breach caused significant damage to Equifax's reputation and financial performance, with the company losing a significant portion of its value in the stock market. The company faced intense criticism for the way it handled the incident, including a delay in disclosing the breach and inadequate follow-up assistance for affected consumers. Equifax also faced multiple class-action lawsuits and regulatory penalties.

As a result of the Equifax data breach, the incident raised many questions about the security practices of credit reporting agencies and the handling of sensitive personal information.

This incident serves as an example of how failure in implementing measures for data security can have a significant impact on the affected individuals, on the reputation and financial performance of a company and on the industry as a whole. It underlines the importance of having robust data protection measures in place, as well as transparent and effective incident response plans in the event of a data breach.