In the digital age, with plenty of unexpected events happening at an unprecedented pace, data security has never been more important. This has been further highlighted by new international regulations such as the CLOUD Act and the EU General Data Protection Regulation (GDPR) as well as the recent global health crisis.
Recent research supports this, highlighting both the motives and agents responsible for the majority of cyber attacks. According to the 2020 Verizon Data Breach Investigations Report, 70% of breaches this year were caused by people outside of organisations, and 86% were driven by financial gain.1
The COVID-19 pandemic and the events of 2020 haven’t helped to stop these vicious cyber attacks. In fact, 80% of firms have seen an increase in cyberattacks in 2020, with a rise to up to 30% in Q1 on UK businesses alone.2 With more and more companies falling victims to attacks, serious measures need to be taken in order to tackle them.
The invisible threat is of concern to all companies, regardless of their sizes. While it is a fact that larger organisations are particularly targeted, small companies are also marked, with 43% of attacks targeting them.3
Data and its analysis are no longer a matter for tech "High Tech" specialists. It concerns us all. Whether it is understanding concepts like "cloud computing" or collecting data to make better strategic decisions for your business, "data" is everywhere. Therefore, it follows that data security, and the importance of data security, are topics of increased interest. Even more so when we consider the impact that a breach has on an organisation.
In the article, we will put forward a definition of "data security", clarify the difference between data security and data privacy, and explain the importance of data security for companies. We will also present data security measures and best practices to help you protect your business.
So, exactly what is data security? Data security consists of a set of standards and technologies to help implement preventive measures, both technical and technological, that protect a company's data from unauthorised access, accidental loss, destruction, or infiltration. Data security is one of the most important tasks that IT departments have to manage, no matter if a company is large or small. When defining data security, these three elements are important to remember:
Even though data privacy is connected to data security, these two concepts should not be used interchangeably. Data privacy concerns the right to control individuals' personal data and the ways in which it is used. Data security, on the other hand, is about protecting the data itself and the way this is done.
On the 25th of May 2018, the European Parliament passed the GDPR. This law regulates the processing and collection of data throughout Europe.4 It concerns all companies, private or public, that collect or process data, regardless of their size or activities. The GDPR addresses organisations headquartered on European soil, and also international organisations that collect data from European residents, even if they are located outside the European Union (EU.) The regulation also applies to subcontractors of these organisations. If companies want to ensure data privacy and remain compliant with the EU GDPR, they must invest in data security.
Having clarified the difference between data security and data privacy, let us understand better the importance of data security for businesses.
In just a few years, the collection and the use of data has become the commonplace for all companies. Big Data and predictive analytics help to create invaluable opportunities for faster and more strategic business growth. Thus, the importance of data security is paramount, and here are the main reasons why:
To ensure business survival
Imagine that you wake up one morning to find that all your company's data is gone. In this scenario, albeit a worst-case, it is likely that your business would suffer great loss, or even cease to exist. Experts predict that the amount of data generated will continue to increase. According to an IDC report, the global datasphere will reach 175 zettabits by 2025. This represents a 61% increase compared to the present day.5 If this happens, this data would fill enough Blu-ray discs to reach from Earth to the Moon 23 times.
Data has become the lifeblood of businesses and their entire ecosystem. It is imperative to protect it and have a "back up" plan, in case of loss, in order to ensure business continuity.
To gain stakeholders' trust
Companies that hold data on customers and employees have the responsibility to protect it. If they do not guarantee protection, companies are exposed to:
Cyber attacks cost, on average, $200,000, and when a breach occurs many companies are forced out of business.6 A landmark case is that of Sony, with 77 million accounts hacked on the Playstation in 2011, a situation that forced Sony to shut off its Playstation Network for approximately 24 days. As a direct result of this, the company estimated losses as high as $2 billion US dollars.7
A further example of the importance of data security is that of five major payment card brands who, in the early 2000s, put in place the Data Security Standards (DSS) to help them fight against hackers. Composed of 12 prerequisites on data security, the regulation must be respected by all companies that have debit and credit transactions.8 This comes to show how much weight the importance of data security gained, and how difficult it is for data security to just be ignored.
To fight against cybercrime
As much as data security has progressed, so too has Cybercrime, with hackers using increasingly sophisticated methods to attack companies. Some of these attacks are even carried out by bots or are programmed.
An example of such a threat is the Distributed Denial of Service (DDoS) attacks that flood web servers with requests until the website becomes incapacitated. This is particularly crippling when the attack is on an e-commerce site.
Another example is that of "phishing", which means pretending to be a company's administrator to steal data, or ransomware (attack by attachments), also recognised as one of the most frequent acts of cybercrime in companies.
In the midst of the COVID-19 pandemic, between mid-April and mid-June of 2020, Interpol and Europol issued an alert after having observed 192,000 cyber attacks per week, which represented an increase of 30%.9 In one week, Google identified more than 18 Million malware and phishing attacks per day since the global health crisis started.10 With the urgent (and in many cases, unplanned) introduction of remote work, the situation is now even more delicate for companies. This further demonstrates the importance of data security. Minimal security, or no security at all, results in your company's door being left wide open to any cyber assailant who wants to do you harm.
To prevent this from happening, read on to learn what you can do to protect your company, and to discover which data security measures and best practices to adopt.
More often than not, leaders find themselves drowned in a flood of information and are driven by the urgency rather than the importance of data security. Given that this invisible threat can be very costly, staying informed, implementing a strategy tailored to the business, and recruiting experts in the field, are all paramount.
According to a study, 69% of companies haven’t updated their security strategy for three years or more.11 Yet, another study, among 400 small businesses, reveals that 27% have no security protocols in place whatsoever.12 For this reason, implementing data security measures and best practices to fight against new hacking techniques is essential. These five steps will guide you:
Identify your IT resources
Start by identifying all the resources that are available and the ones which need protection. Do an inventory of the physical devices used by your company, such as photocopiers, Internet of Things (IoT) devices, mobile devices, and the devices used by third parties.13 Pay attention to these resources as they could be areas of exposure.
Once the inventory of all the Internet-connected devices is carried out, the next step is to identify the software and operating systems used by your company. This will enable you to know what to change and when. Systems which have little complexity and high compatibility with your business help to maximise data security.
Determine and assess the risks
Once you have the inventory of the resources, you need to determine and assess the risks by:
Next, prioritise the risks according to their urgency and ability to be solved quickly. This way, you will close any serious gaps in cybersecurity in your business in a timely manner.
Establish policies for access
More often than not, data security measures and best practices extend to the users of these resources. If they are not trained appropriately, they can become a risk for a number of reasons, such as: misuse of their access rights, sharing of data with unknown sources, or falling prey to phishing attacks.
It is possible to limit these risks by classifying the company's data and by establishing access policies for the use of specific devices and systems. By having policies in place, in the event of an attack, not all of your company data will be compromised. The cyber attacker will only have access to individual data.
Among data security measures and best practices, we can also refer to the use of multi-factor authentication. This is a good way to protect users' data by adding extra layers of authentication. Besides a password, users will need a second or even a third authentication factor in order to gain access to their devices or accounts. These authentications might include biometric, SMS, or voice authentication.
Prepare and set up a preventive protocol
Unfortunately, no security system is infallible. Knowing how to prepare in case of an attack is essential in order to react swiftly and limit the damage to your business. It is important to identify any threat that is recurring (e.g. malware, phishing, spamming), and to know how to respond to it by containing, and then eradicating it.
After this is done, you need to question the system that was under attack and study what went wrong. Data security measures and best practices show that preparing for another attack requires investing in systems that can detect new risks. Therefore, being prepared and establishing a preventive protocol will help strengthen the security of your company’s data.
Define who manages the data security
In most enterprise organisations, the Chief Information Security Officer (CISO) manages the company's information and data security. Their role is to plan and put in place a strategy to help reduce cyber threats and keep data secure. The security strategy the CISO brings forward needs to cover the complexity of all existing regulations and policies, and must resolve to secure architectures, processes and systems.
It is important for companies to appoint an expert in data security. Yet, is it also imperative to raise awareness for the importance of data security more broadly, and to train employees accordingly. This way, the entire company will know how to react and who to notify in the event of an attack.
The pressure that international regulations present, coupled with the increase in the importance of data security more generally, are driving companies to invest increasing time and resources into data security. From human to financial resources, companies are sparing no expense when managing data security.
Throughout this article, we have explained what data security is, the importance of data security, and have presented a range of data security measures and best practices that organisations should consider. Yet, we can recognise that we are still at the beginning.
Even though the topic of data security has been covered widely in the media in recent years, the subject has grown in importance over the past few months, as many companies abruptly ‘went remote.’ In addition to this, the more companies protect their data, the more hackers will find new ways of slipping through the net.
In the end, it is not only a matter of protecting, but also of preventing cybercrime. In the digital age, human beings are still the primary decision-makers when it comes to data security protection and its measures. Therefore, for companies to win the war against cybercrime, they need to invest in people with the necessary digital expertise, in processes, and in the right technology.
1. 'Data Breach Investigations Report 2020', Verizon, 2020.
2. 'The 2020 Cybersecurity stats you need to know', FinTech News, August 2020.
3. '15 Alarming Cyber Security Facts and Stats', Cybint Solutions, June 2020.
4. 'Le règlement général sur la protection des données (RGPD), mode d’emploi', Site du Gouvernement, July 2019.
5. 'The Digitization of the World From Edge to Core', Seagate, Novembre 2018.
6. 'Cyberattacks now cost companies $200,000 on average, putting many out of business', CBNC, Octobre 2019.
7. 'Case study: Sony, Zurich and the PlayStation data breach', Herzog Fox & Neeman, Lexology, May 2015.
8. 'Types of Data Security Standards', RSI Security, May 2018.
9. 'Coronavirus cyber-attacks update: beware of the phish?', Check Point, April 2020.
10. 'Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week', The Verge, April 2020.
11. '69 Percent of Companies' Security Solutions Are Outdated, Inadequate', eSecurity Planet, February 2017.
12. 'The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses', U.S Securities and Exchange Commission, Octobre 2015.
13. 'Internet des objets', Futura Tech.