6 Steps to Manage Data Security in 2021

cover image

It’s Data Privacy Day! Every year on January 28, policymakers, regulators, NGOs, research institutions, and businesses from North America, Europe, and other parts of the world come together to celebrate the event, aiming to raise awareness on data privacy and share insights on the latest data security practices. Since 2007, the event has facilitated the development of new security tools that help protect personally identifiable information (PII).

Over the past 15 years since the annual celebration was first introduced, global usage of online services skyrocketed. For instance, ecommerce sales as a percentage of total retail sales in the UK has increased from 3% in 2007 to over 30% in 2020, while the percentage of online banking users in the EU doubled between 2009 and 2019. This increase in internet usage has made it much easier to store and share data in digital forms, hence the focus of cybersecurity has gradually shifted from protecting IT infrastructures to protecting data.

As COVID-19 swipes across the globe, the world is now forced to not only shop but also to work online. As a result, organizations now face the responsibilities and challenges of protecting customer information, employee information, and corporate information.

What are some of the best practices to cope with these data security challenges? How can an organization ensure that it is fully prepared for the latest threats and vulnerabilities? In this article, we will discuss six steps for an organization to manage its data security risks in 2021.


1. Secure access to servers with multi-factor authentication and access control

The first step an organization must take is to adopt an identity management system that enables multi-factor authentication (MFA). Apart from having conventional passwords, a second layer of authentication method such as OTP (one-time passwords) or biometric authentication must be in place to protect the user account credentials from brute force attacks and credential stuffing. By doing so, an organization can ensure that only legitimate users can access the accounts.

Many organizations have robust identity management policies with MFA, but fail to implement a strong access management process, mostly because they believe that threats only come from the outside. However, the more people who are granted access, the more risk it poses to the data. Thus, when it comes to sensitive data, it is important to grant access only to the least necessary number of users. An access management solution helps manage access from within the organization, so that only those employees who need to view the data on a regular basis are given authorization.


2. Encrypt all sensitive data

After reducing the risk of unauthorized access with a reliable identity and access management (IAM) process, it is still important to encrypt all sensitive data as a last line of defence. It is strongly recommended to adopt a database encryption solution based on the plug-in method, as it helps an organization to easily encrypt their databases without compromising the search capability of the database management system (DBMS).


3. Back up all sensitive data

Even after data are encrypted, threat actors could still re-encrypt them with ransomware so that the decryption key held by the legitimate user would no longer work unless the attackers decrypt their second layer of encryption. This is why having a data backup in an air-gapped network where only one or two people have access would ultimately eliminate the threats of ransomware attacks.


4. Delete repetitive and unnecessary data

As important as backing up sensitive data, it is a good idea to delete all the redundant data that are not useful for the organization’s operations. Retaining unnecessary data not only increases the risk of them being stolen, but also might violate data privacy regulations such as the GDPR. For instance, H&M’s German subsidiary was hit with a massive fine of €35.2 million just for keeping records of its employees’ private lives, all of which were deemed unnecessary to their business.


5. Conduct periodic security audits and ensure prompt software updates

Even after an organization has adopted all of the most advanced security hardware and tools, it is still necessary to conduct professional security audits on a regular basis to make sure that its IT infrastructure is not exposed to any new risks and vulnerabilities. Moreover, software updates and patches must be installed promptly since hackers often exploit the flaws outlined in the software update releases to attack those who do not update regularly.


6. Keep employees informed about cybersecurity

The cybersecurity team should provide the necessary education and knowledge regarding security to all staff members. Looking back at 2020, a significant portion of data breaches occurred due to human errors. Countless cases of data leakage were caused by a simple misconfiguration in the AWS S3 bucket. Another common cause was when employees fell into phishing scams and ended up paving the attackers a pathway into their corporate network.

As more and more employees are expected to work from home following the pandemic, employee education on cybersecurity becomes an integral part of corporate security. In the end, a chain is only as strong as its weakest link, and an organization’s cybersecurity is only as reliable as its least reliable employee.


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security