Data Security

Data Strategy Course – Data Security

Section 2.5 Data Security Module

Hello and welcome to my course on ‘Data Security’. This is Ade Awokoya from LBAcademy. I am a Digital Transformation Adviser, helping businesses innovate on a digital platform, with a focus on your business model.

In this session on Data Security we’ll cover the fundamentals and best practices of good data management and the technology that’s available to help, and discuss how and when a business should apply them as it grows.

Data security is the practice of protecting digital information from unauthorised access, corruption, or theft throughout its entire life cycle. It’s a concept that encompasses every aspect of information security from the physical security of hardware and storage devices to administrative and access controls, as well as the logical security of software applications. It also includes organisational policies and procedures.

The business value of data has never been greater than it is today. The loss of trade secrets or intellectual property (IP) can impact future innovations and profitability.

Basic Concepts

Look at data security from the organisational perspective. At the operational level, staff are interested in bits and bytes. At the organisational level, the manager should be interested in broad concepts, in risk to the organisation and in costs.

The framework is very simple, which is why I think it’s so effective: it looks at cybersecurity in an organisation in terms of what you do and what your operations are. This is how you manage cybersecurity operationally in an organisation. We also need to consider human error factors, since it is people rather than technology that usually fail, and that means we have to pay attention to policy and procedure.

Basic Models

I want to focus on a basic model that will help you think about designing security for a system that you may be managing. Essentially it’s about managing confidentiality, maintaining data integrity as well as availability. This model looks at how we go about thinking through cybersecurity controls for systems.

But the success of our controls really depends on how much we trust those controls. There are some assumptions here: that the designs we put in place meet the security goals for the system; that the sum total of all the controls we put in place achieves the goals we have outlined; and that the implementation is correct, which is more a function of the human beings doing the installation.

In designing security for a system you need to assume that the system will be breached. This means we develop strategies that make our systems resilient in the face of a breach. We are also faced with the fact that these controls are going to cost a significant amount of money.

So how do we prioritise the controls we come up with? We need to do a basic risk assessment: understanding the likelihood of a breach through a particular vulnerability we’ve identified, weighed against the cost of protecting it. Doing a risk assessment helps you think through the value of the assets you are protecting against the cost of loss and the likelihood of loss.
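To make the prioritisation concrete, here is an added worked example (not part of the course material) that scores each identified risk as annual loss expectancy (likelihood × loss if breached), subtracts the annual cost of the control that would protect it, and ranks the controls by net benefit. The asset values, likelihoods and control costs are constructed sample figures, not real data.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str              # the vulnerability / breach scenario being assessed
    asset_value: float     # value of the asset at risk (e.g. in GBP)
    exposure: float        # fraction of asset value lost if the breach happens (0..1)
    likelihood: float      # estimated probability of the breach per year (0..1)
    control_cost: float    # annual cost of the control that would protect it
    control_effect: float  # fraction by which the control reduces likelihood (0..1)


def annual_loss_expectancy(r: Risk) -> float:
    """Expected loss per year if nothing is done: likelihood x single-loss amount."""
    return r.likelihood * r.asset_value * r.exposure


def control_benefit(r: Risk) -> float:
    """Expected loss avoided per year by the control, minus what the control costs."""
    before = annual_loss_expectancy(r)
    residual = before * (1 - r.control_effect)  # loss expectancy left after the control
    return before - residual - r.control_cost


def prioritise(risks: list[Risk]) -> list[tuple[str, float, bool]]:
    """Rank controls by net benefit. A control is worth funding only when the loss
    it avoids exceeds its cost (net benefit > 0); otherwise accept the risk."""
    ranked = sorted(risks, key=control_benefit, reverse=True)
    return [(r.name, round(control_benefit(r), 2), control_benefit(r) > 0) for r in ranked]


# Constructed sample figures for illustration only.
SAMPLE = [
    Risk("Unpatched web server", 200_000, 0.5, 0.3, 5_000, 0.9),
    Risk("Staff browsing from admin accounts", 150_000, 0.6, 0.2, 1_000, 0.7),
    Risk("Laptop theft (disk unencrypted)", 50_000, 1.0, 0.05, 2_000, 0.95),
    Risk("Expensive control for a low-value kiosk", 1_000, 1.0, 0.1, 3_000, 1.0),
]

if __name__ == "__main__":
    for name, benefit, fund in prioritise(SAMPLE):
        print(f"{name:42s} net benefit/yr: {benefit:>10.2f}  fund: {fund}")
```

The last sample row shows the point of the assessment: a control that costs more than the loss it prevents is not worth buying, however effective it is.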

1. Use a firewall to secure your internet connection

You should protect your internet connection with a firewall. This effectively creates a ‘buffer zone’ between your IT network and other, external networks. In the simplest case, this means between your computers and ‘the internet’. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.

Two types of firewall
You should use a personal firewall on your internet-connected laptop or computer. Some routers contain a firewall, which can be used in this boundary protection role. Configure and use a firewall to protect all your devices, particularly those that connect to public or other untrusted Wi-Fi networks.

2. Choose the most secure settings for your devices and software
You should always check the settings of new software and devices and, where possible, make changes that raise your level of security.

Use passwords
Your laptops, desktop computers, tablets and smartphones contain your data, so both your devices and your accounts should always be password-protected. Passwords, when implemented correctly, are an easy and effective way to prevent unauthorised users from accessing your devices.

Passwords should be easy to remember and hard for somebody else to guess. You must change all default passwords before devices are distributed and used. The use of PINs or Touch ID can also help secure your device. For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.

3. Control who has access to your data and services
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.

Check what privileges your accounts have: accounts with administrative privileges should only be used to perform administrative tasks. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges, you cut down the chance that an admin account will be compromised. This is important because an attacker with unauthorised access to an administrative account can do far more damage than one accessing a standard user account.

Access to software
Another simple and effective way to ensure your devices stay secure and malware-free is to only use software from official sources. The easiest way to do this is to only allow your users to install software from manufacturer-approved stores, which screen for malware. For mobile devices, this means sources such as Google Play or the Apple App Store.

4. Protect yourself from viruses and other malware
Malware is short for ‘malicious software’. One specific example is ransomware: this form of malware makes the data or systems it has infected unusable until the victim makes a payment.

Viruses are another well-known form of malware. These programs are designed to infect legitimate software and pass unnoticed between machines whenever they can. There are various ways in which malware can find its way onto a computer: a user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware.

How to defend against malware
Anti-malware measures are often included for free within popular operating systems. For example, Windows has Defender. These should be used on all computers and laptops. For your office equipment, you can pretty much click ‘enable’ and you’re instantly safer. Smartphones and tablets should be kept up to date and password-protected. If you can avoid connecting to unknown Wi-Fi networks, this will help to keep your devices free of malware too.

An allow list can also be used to prevent users installing and running applications that may contain malware. The process involves an administrator creating a list of the applications allowed on a device; any application not on this list is blocked from running. This is a strong protection because it works even if the malware is undetectable to anti-virus software, and it requires little maintenance.

Sandboxing. Where possible, use versions of applications that support sandboxing. For instance, most modern web browsers implement some form of sandbox protection. A sandboxed application runs in an isolated environment with very restricted access to the rest of your device and network. In other words, your files and other applications are kept beyond the reach of malware where possible.

5. Keep your devices and software up to date
No matter which phones, tablets, laptops or computers your organisation is using, it’s important that the manufacturer still supports the device with regular security updates and that you install those updates as soon as they are released. This is true for both operating systems and installed apps or software.

Manufacturers and developers release regular updates which not only add new features but also fix security vulnerabilities that have been discovered. Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, programs, phones and apps should all be set to ‘automatically update’ wherever this is an option. This way, you will be protected as soon as the update is released.

However, all IT has a limited lifespan. When the manufacturer no longer supports your hardware or software and new updates cease to appear, you must replace it with a supported product if you wish to stay protected.