Data security, data protection, data privacy. Although these terms all sound similar, and they’re all related to securing your data, they mean different things. All three are parts of the best practices you need to consider as part of your data security strategy.
Data security protects your data against unauthorized access or use that could result in exposure, deletion, or corruption of that data. Encryption of data at rest (data that isn’t actively moving from one device or network to another; data stored somewhere) and of data in transit is a given here. Equally important is limiting access to only those who need it, which is known as the principle of least privilege, and understanding data in motion, i.e., how data is captured and shared in your organization. You can, for example, have robust controls around databases and file systems, but if your team is liberally sharing sensitive information in Microsoft Teams, on Slack, or over email without you understanding how that data is being shared or protected, your risk is much more significant than you think.
Data protection refers to your backup strategy. Backups protect you in case data is accidentally erased or lost in another way. Consider how long your business can be down without significant consequences – the answer to that will help you plan how backups of your data and systems need to be created and how often, so you can get back up and running even if your data gets corrupted or a natural disaster destroys your servers. Several components of the backup strategy directly impact cost, time to recovery (Recovery Time Objective or RTO), and how much data is lost between the last backup and the failure (Recovery Point Objective or RPO).
Data privacy is a growing concern as different states (California and Virginia have new comprehensive consumer data privacy laws), countries, and regions work to regulate how data is handled. Regulatory fines, breach notifications, consent requirements for the use of data, and the right to be forgotten, among other concerns, necessitate more significant attention to data privacy.
Why data security is important
Data security isn’t a new issue, but the rapid shift to cloud computing environments and more employees working remotely due to the COVID-19 pandemic added new opportunities for unauthorized access to company data. Hackers haven’t missed this opportunity to increase the number of cyberattacks over the past year. Law firms process highly sensitive information on a daily basis, including information with specific regulations such as financial information, personally identifiable information (PII), and Protected Health Information (PHI) as defined under HIPAA (The Health Insurance Portability and Accountability Act of 1996). You need to intimately understand the state of your data security, have a plan to continue improving data security, and implement best practices as technologies and attack vectors continue to evolve.
The most obvious risk of not having your data security well in hand is a data breach. Data breaches can have serious consequences, with the global average total cost of a data breach in 2021 at $4.24 million, according to IBM’s Cost of a Data Breach Report 2021. Meanwhile, the Verizon 2021 Data Breach Investigations Report shows threat actors are increasingly targeting small businesses at higher rates than in previous years.
Cybercriminals adapt their activities, often targeting smaller (and in the criminals’ minds, easier) organizations to attack, and then further compound their foothold by using those organizations as launching pads to reach additional targets, such as a law firm’s clients.
While external access to your data from cybercriminals is undoubtedly one concern, threats to data security can also come from internal sources, either maliciously or, more likely, through unsafe or careless practices. Almost 20% of breaches caused by malicious attacks are due to compromised credentials, and another 20% are due to cloud misconfiguration. This breakdown from the IBM Cost of a Data Breach Report in 2021 shows the impact internal training can have on data breaches and malicious attacks; phishing, compromised credentials, and social engineering combined accounted for more than one-third of all malicious breaches.
Now that you have a broader understanding of what’s involved in data security, including the differences between data security, data protection, and data privacy, and some of the industry trends in data breaches, the next step is to think about data security in your organization.
Basics of data security
Data security is a critical part of any comprehensive security strategy. Part of your strategy must include ways to identify and evaluate security threats and reduce the risks related to protecting sensitive information and the IT infrastructure it resides on.
Most law firms hold a lot of data, much of it sensitive. Managing and controlling the flow and access of that data involves protective measures against security problems, such as accidental and intentional unauthorized access.
It’s essential to understand what good data security standards are and then implement the standards appropriate for your firm. A few questions you might ask when creating your standards include:
- What data do you need to back up? Application data, financial analysis, intellectual property, customer data, and strategic plans are some examples. What form does that data come in: Office files, PDFs, application databases, emails, and Microsoft Teams / Slack?
- What kind of data classification are you doing?
- How are you tracking and protecting sensitive data?
- What data can your business lose access to and remain functional?
- What is your tolerance for data recovery?
A good understanding of data security basics will help your organization prioritize what data to protect, back up, and anonymize, and how to do that effectively.
Many small organizations are aware of the importance of protecting and securing data, but they’re not sure how to do it properly. Cybercriminals are out there, searching for companies to attack, and data breaches happen regularly. Suppose your data security strategy is based on your business requirements and the regulations relevant to your industry. In that case, your organization becomes a less attractive target, because it will be harder to access and misuse your data. Clear policies and comprehensive employee training, as well as a least-privilege approach for user access, will help you build data security strategies that protect your business and your customers.
Controlling user access minimizes data security risk
An employee can’t unwittingly give access to data if they don’t already have that access. Here’s where concepts such as least privilege come into play. In a nutshell, the least privilege model is one in which all access rights are restricted to those that any given employee must have to do their job. Even if you’re the firm’s managing partner, there is some data that you will not have access to because you simply don’t need it. In this model, even if a managing partner’s account is compromised, the criminal has limited access to data because the partner doesn’t have unencumbered access.
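The following is an added example, not code from the original article or from Afinety: a deny-by-default, group-based access check that shows what least privilege looks like in practice. The users, groups, data classes, and the idea that "dana" is the managing partner are all constructed for illustration. Two helpers make the point of the paragraph concrete: `blast_radius` enumerates everything a compromised account could reach, and `over_privileged` lists the rights an account holds beyond what it needs, which is the input to a periodic access review.

```python
"""Deny-by-default access control illustrating least privilege.

Added example (not from the article). All groups, users and data
classes below are constructed sample data.
"""

# Which groups may perform which action on which data class.
# Anything not listed here is denied; there is no implicit "allow".
GROUP_PERMISSIONS = {
    "litigation-team": {("case-files", "read"), ("case-files", "write")},
    "finance":         {("billing", "read"), ("billing", "write")},
    "hr":              {("payroll", "read"), ("payroll", "write")},
    "partners":        {("case-files", "read"), ("billing", "read")},
}

# Group membership. "dana" is assumed to be the managing partner who also
# works cases; note she is deliberately NOT in "hr" or "finance".
USER_GROUPS = {
    "alice": {"litigation-team"},
    "bob":   {"finance"},
    "carol": {"hr"},
    "dana":  {"partners", "litigation-team"},
}


def is_allowed(user, resource, action):
    """Return True only if some group the user belongs to grants (resource, action)."""
    for group in USER_GROUPS.get(user, set()):
        if (resource, action) in GROUP_PERMISSIONS.get(group, set()):
            return True
    return False          # unknown user, unknown resource or unlisted action: denied


def blast_radius(user):
    """Everything an attacker holding this account could reach, as a sorted list."""
    reach = set()
    for group in USER_GROUPS.get(user, set()):
        reach |= GROUP_PERMISSIONS.get(group, set())
    return sorted(reach)


def over_privileged(user, needed):
    """Rights the user holds but does not need; non-empty means the access review
    should remove something (or the 'needed' list is out of date)."""
    return sorted(set(blast_radius(user)) - set(needed))


if __name__ == "__main__":
    # Even the managing partner cannot read payroll: she has no need for it.
    print("dana reads payroll:", is_allowed("dana", "payroll", "read"))
    print("dana writes case files:", is_allowed("dana", "case-files", "write"))
    print("if dana's account is compromised, the attacker reaches:", blast_radius("dana"))
    print("dana's excess rights:", over_privileged("dana", [("case-files", "read"),
                                                             ("case-files", "write")]))
```

The design choice that matters is the final `return False` in `is_allowed`: a user, resource, or action that nobody explicitly granted is denied, so adding a new data class never accidentally exposes it to everyone.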
Best practices for data security
Small organizations can provide enhanced data security for those inside their network, which takes care of some of the risks they might be exposed to, even when working remotely. To protect your employees and clients, follow these best practices for data security:
- Create a disaster recovery and business continuity plan and ensure your backup strategy, technology, and frequency meet your firm’s requirements.
- Understand your industry’s state, federal, and international regulations and the breach notification requirements associated with regulatory compliance.
- Evaluate the risks associated with your data and classify data appropriately. Implement data loss prevention tools that scan outgoing and incoming emails for PII, quarantining that information to ensure that no protected information is sent via an unsecured platform.
- Understand who has access to what data in your organization and create smart, logical groups to limit data access to those who need it. Once you’ve created policies and groups to manage data access, review those data access policies regularly to ensure they are still appropriate. Never allow third parties or employees access to data and information that they don’t need to do their job.
- Train your staff on data security, data protection, and data privacy. Make sure they understand what exposure of personally identifiable information means, what exposure might look like, what defines an incident, and how to report it.
- Create clear policies, so your employees understand the firm’s position on data loss prevention and data protection.
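As an added example for the data loss prevention bullet above (this is illustrative code, not the article's or Afinety's tooling), here is a minimal scanner that checks outgoing messages for two common PII patterns, a US Social Security number and a payment card number, and decides whether a message should be quarantined before it leaves the firm. The firm domain, the sample messages, and the rule that internal mail is on a controlled platform while mail to any external address is not are all constructed assumptions. The card check validates candidates with the Luhn checksum so that matter numbers and other long digit strings do not trigger false quarantines.

```python
"""Minimal DLP-style scan of outgoing email for PII.

Added example, not from the article. Patterns are deliberately simple and
all addresses and messages are constructed sample data.
"""
import re

FIRM_DOMAIN = "example-firm.test"   # assumed firm domain (constructed)

# US SSN in the common 3-2-4 form with dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return a list of (kind, matched_text) findings for the given text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drop matter IDs, phone-like strings etc.
            findings.append(("card", m.group()))
    return findings


def classify_message(msg):
    """Return ('quarantine' | 'deliver', findings).

    Assumption: mail that stays inside FIRM_DOMAIN is on the firm's controlled
    platform; mail to any external recipient is treated as an unsecured channel.
    """
    findings = find_pii(msg["subject"] + "\n" + msg["body"])
    external = any(not addr.lower().endswith("@" + FIRM_DOMAIN) for addr in msg["to"])
    if findings and external:
        return "quarantine", findings
    return "deliver", findings


def scan_outbox(messages):
    """Map each message id to its verdict."""
    return {m["id"]: classify_message(m)[0] for m in messages}


# Constructed sample outbox.
SAMPLE_OUTBOX = [
    {"id": "m1", "to": ["client@client-example.test"], "subject": "Intake form",
     "body": "Client SSN is 123-45-6789 for the trust account."},
    {"id": "m2", "to": ["bob@example-firm.test"], "subject": "Retainer card",
     "body": "Card on file: 4111 1111 1111 1111"},
    {"id": "m3", "to": ["opposing@other-firm.test"], "subject": "Hearing",
     "body": "Matter ID 1234567890123, hearing is Tuesday."},
]

if __name__ == "__main__":
    for msg in SAMPLE_OUTBOX:
        verdict, findings = classify_message(msg)
        print(msg["id"], verdict, findings)
```

A real DLP product adds many more detectors (document fingerprints, classification labels, attachments), but the shape is the same: detect, then apply a policy that depends on where the data is going, and quarantine rather than silently drop so the sender can be told what was found and how to send it securely.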
How Afinety protects our clients
Afinety employs security and technology professionals who understand the threats posed by malicious actors, unexpected downtime, and lack of compliance with regulations. Our team implements tools, best practices, security controls, and monitoring that can help prevent a data breach.