Data security is about where and how your data is stored and this article explores some of the fundamentals that should be asked of all solutions, especially those that reside in the cloud. I assume no understanding of science or advanced networks but I can try to provide an introduction to the areas that need attention:
How do you protect your digital data from the unwanted actions of unauthorized users, such as a cyber-attack or a data breach? What makes your data interesting and is yours even worth bothering with? In short, if it’s worth something to you, then it’s worth stealing, if only to sell it back to you.
The truth is that any business with an Internet presence is open to attack by anyone in the world. For example:
• Ransomware locks your data until you pay for it to be released
• Personally Identifiable Information may be used to break into bank accounts
• A single password may enable access to many systems
• Intellectual property has a value
• Information can change perceptions or even sway elections
The cost of mistakes
Your business is legally responsible for keeping your data and that of your clients’ safe. This is challenging because it means that you need to become a cyber security expert. Worse, data security is complex and fast moving and it’s no surprise to see so many organisations outsourcing security. In any case, the financial penalties associated with doing nothing, especially under the new GDPR, could be severe.
A generally accepted route to managing multiple threats is the Risk Register. These normally rate the risk to the organisation under two headings, usually on a scale of 1 to 5. The first of these criteria is Damage Level where 1 might be low impact with 5 representing cessation of business.
The second criteria is Likelihood. Some risks might have a devastating effect on the organisation but are extremely unlikely to occur. These would typically be scored as 1 being very unlikely with 5 representing highly probable. To generate an overall rating you simply multiply one score by the other. This is not precision science but it will give you a guide. Clearly, those risks with the highest scores deserve your closest attention.
Within your means
As ever, businesses must operate within their means and the priorities highlighted by the risk register will provide a guide to where money and resources should be deployed. For a great many risks you can apply some kind of mitigation. Some organisations apply a numerical value to the mitigation factor to come up with a third figure:
(damage * likelihood) – mitigation = overall risk.
Security standards help businesses take a formal approach to risk. Common instances include:
• ITIL IT service management
• COBIT Good-practice framework
• ISO 2700 The international data security standard
• PCI Mandatory when dealing with credit card information
The links in the chain
Data security is surely the final proof that a chain is only as strong as its weakest link and your data must be defended at every stage. This protection should include encryption and appropriate tools to defend against malicious software and viruses. Whoever is running your security must keep these measures updated and should take steps to ensure that relevant suppliers and/or clients are also taking proper precautions.