The Four Seasons of Data Management – ‘Summer’ Primetime

Welcome to Part 2 of the Four Seasons of Data Management series! If you missed the first part, check out “Spring’s Inception”, which speaks to how to handle new data coming into your organization right from the start. During the ‘Summer’, or Primetime, of data management, data is active and ripe in terms of its usage – and so are the threats that lurk around it. There is so much to talk about and we won’t cover it all, but we will cover quite a bit of the essentials.

Today’s Risk-filled Environment

Cyber criminals are getting savvier. Gone are the days when crimes were carried out by individuals with limited budgets who hacked systems merely to satisfy their ego. Today, many attacks are carried out by organized crime and syndicates with ample funding, intent on harvesting profits from the data they steal. Their target? Mostly companies holding coveted sensitive, personal, financial, or restricted information – big and small. Recent incidents: BEL USA LLC, ICG America, and Virginia Tech, to name a few. With significant focus being placed on cyber security, let’s not forget the need to secure the physical assets and facilities where the information resides. Advocate Medical Group (AMG) is still suffering the impact of a computer burglary last July, in which four computers storing the unencrypted data of 4 million patients were stolen from their facility. It was a summer to remember for AMG – with a class action lawsuit and federal and state investigations currently in progress. The Ponemon report shows the following on global data breach incidents:

  • 37% involved a malicious or criminal attack from an outside hacker or insider theft
  • 35% involved human error or a negligent employee or third party
  • 28% related to a system glitch or business process failure

So how can we safeguard our sensitive data? Interestingly, although we hear more about data breaches committed by external hackers and thieves, a recent summary by CSO of the Forrester report “Understand the State of Data Security and Privacy” shows that the majority of data breaches in the last 12 months were actually carried out by insiders – current or former employees – intentionally or inadvertently. This fact alone screams for the fundamentals – more vigorous access controls and security awareness/training – which are part of these 5 Data Management Best Practices:

  1. Access Controls
  2. Architecture and Integration
  3. Data In Transit
  4. Encryption
  5. Security Awareness

Check Your Access Controls

Let’s take a look at several key access controls – see if they are already part of your organization’s access policy:

  • Establish access classification, policies and procedures.
  • Ensure that user IDs are unique and require authentication.
  • Provide access rights based on least privilege (i.e. access to ONLY what is required for the user to perform the job, as determined by management).
  • Establish a lockout procedure after consecutive failed attempts. Do not auto-release the lockout for business systems hosting sensitive data.
  • Limit concurrent access sessions, and enforce session lock and idle-session termination capabilities.
  • Review and remove inactive user accounts or temp accounts (at least quarterly).
  • Review access when users change role or transfer within the organization. Note: this is often overlooked, causing a user to accumulate privileges with the potential to create significant damage.
  • Revoke user access to the network, systems and facilities immediately upon termination.
  • Exercise segregation of duties and dual control for key admin activities to prevent a single user from having enough authority to swindle the system.
  • Control all network access, control points, and methods of remote access and teleworking.
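To make the account-review items above concrete, here is an added example (not code from the original post) that audits a constructed snapshot of user accounts for three checklist failures: inactive accounts, privileges accumulated beyond the current role’s baseline, and terminated users whose access was never revoked. The role baseline and account records are assumptions built for illustration.

```python
"""Access-review helper: flags inactive, over-privileged and terminated-but-active accounts.
Added example; all accounts and the role baseline below are constructed data."""
from datetime import date, timedelta

# Assumed least-privilege baseline: the entitlements each role is allowed (constructed).
ROLE_BASELINE = {
    "analyst": {"read_reports"},
    "clerk": {"read_patients", "edit_patients"},
    "admin": {"read_patients", "edit_patients", "manage_users"},
}

# Constructed snapshot of accounts as an identity system might export them.
ACCOUNTS = [
    {"id": "u1001", "role": "clerk", "entitlements": {"read_patients", "edit_patients"},
     "last_login": date(2024, 5, 30), "terminated": False},
    # moved from admin to analyst but kept manage_users (accumulated privilege)
    {"id": "u1002", "role": "analyst", "entitlements": {"read_reports", "manage_users"},
     "last_login": date(2024, 5, 28), "terminated": False},
    # temp account nobody has used in months
    {"id": "tmp-07", "role": "analyst", "entitlements": {"read_reports"},
     "last_login": date(2024, 1, 15), "terminated": False},
    # left the organization but access was never revoked
    {"id": "u1003", "role": "clerk", "entitlements": {"read_patients"},
     "last_login": date(2024, 5, 29), "terminated": True},
]

def review_access(accounts, baseline, today, inactive_days=90):
    """Return a dict mapping finding type -> sorted list of offending account ids."""
    cutoff = today - timedelta(days=inactive_days)
    findings = {"inactive": [], "excess_privilege": [], "terminated_active": []}
    for acct in accounts:
        if acct["terminated"]:
            # Access should already be gone; the other checks are moot for this account.
            findings["terminated_active"].append(acct["id"])
            continue
        if acct["last_login"] < cutoff:
            findings["inactive"].append(acct["id"])
        # Anything beyond the role baseline is accumulated or mis-assigned privilege.
        extra = acct["entitlements"] - baseline.get(acct["role"], set())
        if extra:
            findings["excess_privilege"].append(acct["id"])
    return {kind: sorted(ids) for kind, ids in findings.items()}

if __name__ == "__main__":
    for kind, ids in review_access(ACCOUNTS, ROLE_BASELINE, date(2024, 6, 1)).items():
        print(f"{kind}: {', '.join(ids) or 'none'}")
```

Running the review on each quarterly export and treating every non-empty finding as a ticket is the simplest way to make the "at least quarterly" item verifiable.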

All set? Let’s move on.

Understand Your Enterprise Architecture and Integration Touch Points

You now sleep better at night because your data is classified appropriately, your critical business system is adequately protected and under watchful eyes in terms of its access controls and data governance. Great! But can you be certain that your sensitive data does not flow elsewhere? Are there integrations with other systems which might share sensitive data? If so, do those ‘other systems’ pass the data to yet another system, perhaps to the data warehouse for analytics, or even outside the organization? The questions can go on and on … but the idea is to understand your enterprise architecture and all of the integration touch-points associated with your critical business systems. Solid understanding of data flow is crucial in order to safeguard all possible points of entry to sensitive data.

Protect Your Data on the Move

Protecting data within your own network is hard enough, but you now also have to protect it when the data flows outside the network – to third-party vendors, suppliers, payroll providers and others – whether it is a one-time transfer or an ongoing transfer/integration. Check out ‘Planning for Your Future’, which outlines the controls you want to consider when transmitting data outside your network.

Encryption – The Necessary Evil

I have worked with encrypting and decrypting files and keeping track of all the keys before – not my cup of tea – it is a pretty laborious activity. But it was absolutely necessary! It is also absolutely necessary to encrypt your enterprise database (‘data at rest’) containing sensitive information, and to have a policy and process to manage all of those cryptographic keys – from creation and storage through replacement and destruction. One more thing – encryption is also required for sensitive data stored on any device such as laptops, memory sticks, desktops, backup tapes, etc. It’s another protection layer in case your device is lost or stolen. Think of Advocate Medical Group (AMG) mentioned earlier – the data breach incident wouldn’t have been as terrible had the devices and data been encrypted.

Security Awareness Program

With a large percentage of data breaches caused by human factors or negligence, as shown in the Ponemon report, organizations should regularly evaluate and improve their security awareness and training program, in addition to technically securing the information asset. Organizations should also periodically remind and educate employees, and third parties, on data handling policy and procedure – which should clearly outline how to handle data of various classifications in a secure manner. Check out ‘Why Security & Privacy Training Fails’, which speaks more about this. Finally, if you haven’t already, embrace the campaign “Stop. Think. Act.” in just about everything you do, including protecting your organization’s and your personal data.

What’s next?

You made it – thank you for getting this far! If you are tired just from reading this blog, think of your security and IT folks who actually have to act on each one of these items, and more. Stop by their desks and give them a pat on the back – they are your unsung heroes! And check back in two weeks as we continue our journey to the next season of data management – ‘Fall’ Retirement – the period when data becomes inactive, obsolete, and no longer used. See you soon!

Stay tuned for the rest of ‘The Four Seasons of Data Management’ Series:

Part 1: ‘Spring’ Inception
Part 2: ‘Summer’ Primetime
Part 3: ‘Fall’ Retirement
Part 4: ‘Winter’ Removal

About the author

“Life is too short to leave the world unexplored” - jenny juliany

Jenny Juliany