
Data security: the role of data governance

Digital data security

Data governance ensures the optimal use of data assets by implementing specific roles, processes and work rules. In addition, well-designed data governance ensures data protection and security by putting in place rigorous policies and procedures to minimize the risk of loss, leakage and attacks.

Security and data governance

Data governance encompasses the actions, methods, and responsibilities related to data management, promoting stakeholder buy-in to organizational policies. It is based on a framework that defines strategic, tactical, and operational roles and responsibilities to ensure effective, secure, and responsible use of data.

Companies store ever more data from ever more sources, so their policies must become increasingly demanding to ensure security and data protection.

To compel them to do so, many countries have adopted data protection regulations:

  • GDPR (General Data Protection Regulation): European Union
  • CCPA (California Consumer Privacy Act): United States
  • HIPAA (Health Insurance Portability and Accountability Act): United States
  • PIPEDA (Personal Information Protection and Electronic Documents Act): Canada
  • POPIA (Protection Of Personal Information Act): South Africa
  • LGPD (Lei Geral de Proteção de Dados pessoais): Brazil
  • PDPA (Personal Data Protection Act): Singapore
  • PDPA (Personal Data Protection Act): Taiwan
  • DPA (Data Protection Act): United Kingdom
  • APPI (Act on the Protection of Personal Information): Japan

But before we talk about data protection, let’s talk about data security.

What is data security?

Data security is essential to protect digital information from unauthorized access, loss, disclosure and manipulation. This practice should be applied at all stages, from creation to eventual destruction of the data.

Why is data security important in business?

Data is a valuable resource that a company generates, stores and exchanges. Protection against corruption and unauthorized access is crucial to protect the company against these risks:

  • Financial loss
  • Damage to reputation
  • Loss of confidence among consumers
  • Damage to its brand image

A simple method to assess digital security is the CIA Triad. There are three crucial components: Confidentiality, Integrity and Availability.

Here’s how these fundamentals ensure the security of your organization’s data:

  • Confidentiality: only authorized users with appropriate credentials can access the data. An organization can use two-factor authentication or other access controls to build trust.
  • Integrity: prevents unauthorized changes to data. Companies can look at data encryption as a way to maintain data integrity.
  • Availability: ensures that data is available for business continuity. Distributed Denial of Service (DDoS) attacks or even the physical destruction of company servers – intentionally or accidentally – cause service unavailability. The solution is redundancy of IT resources.

Additionally, by implementing an effective data security strategy, organizations can successfully protect their information assets from malicious cybercriminals, insider threats and human error, which continue to be among the top sources of data breaches today.

Government regulations also play an important role in preventing cybersecurity threats:

In 2023, the European Union adopted the NIS2 Directive (EU) 2022/2555, replacing Directive (EU) 2016/1148. According to experts at ENISA (European Union Agency for Cybersecurity), NIS2 is undoubtedly having a positive impact on improving the EU’s cybersecurity through multiple measures such as:

  • The construction of the CyCLONe (Cybersecurity Competence Center for the European Union) cyber crisis management structure.
  • Raising compliance with security standards and reporting obligations to create a more unified approach.
  • Requiring member states to incorporate topics such as supply chain management, vulnerability assessment and mitigation, basic Internet protection mechanisms and cyber hygiene practices into their national cybersecurity strategies, to foster a more secure online environment.
  • Fostering collaboration and knowledge sharing between Member States through new concepts such as peer reviews.
  • Extending enhanced cybersecurity standards to a wider range of organizations, as mobile industries become integrated into the broader economic and social landscape.

Data protection and data security

Data protection and data security are two separate concepts. Data protection includes data security. It intends to protect sensitive data and defend the confidentiality of information.

To inventory and facilitate the audit of sensitive or personal data, the use of a data catalog is particularly recommended. By doing so, companies speed up the work of the auditors and greatly reduce the bills of the audit firms.

In practice, data protection can be divided into three categories:

  • Data backup and recovery;
  • Data security;
  • Confidentiality of information.

So data security is indeed an essential ingredient of data protection – personal or otherwise.

Data protection categories

Data security and data sovereignty

Data protection is paramount in the digital age and knowing who you can share data with adds another layer of complexity. Unfortunately many companies are now using cloud services without understanding the security implications, posing a considerable risk to their sensitive information.

From a practical perspective, data privacy involves managing the process of sharing information with third parties. We need to know where this data is stored and what the regulations are in the countries we work with. Making sure your customers’ data stays safe – wherever it is – is critical.

With the globalization of data exchanges, digital sovereignty is a legitimate issue.

Data sovereignty and national laws

Data sovereignty is supposed to ensure that national laws apply to data that is hosted in its country of origin. This is generally true, but care should be taken with the exceptions.

Indeed, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US law passed in 2018. This law allows U.S. authorities to access data stored by U.S. companies, even if that data is stored on servers located abroad. It also allows foreign governments to request access to data stored by U.S. companies. The CLOUD Act has raised concerns about privacy and data sovereignty for users and businesses located outside the United States.

As a result, the law itself can sometimes pose a threat to the security of your data.

What are the data security risks and challenges?

The rise of digitalization has brought with it significant cybersecurity challenges. The growing dependence on the Internet has made data security a top priority. The more technologically advanced a company becomes, the more vulnerable it is to cyberattacks. The irony is that while digital transformation helps organizations become more efficient and profitable, it can also make them vulnerable.

Without using proper data governance and security processes, companies are subject to:

  • Fines and legal battles: if a company does not comply with data privacy regulations, it can face costly penalties. It is also possible that it could be subject to civil lawsuits from customers whose data has been compromised.
  • Reputational damage: when customers discover that their data has been leaked, it can lead to a decline in trust in the organization and a loss of customers.
  • Loss of intellectual property: companies are always looking for ways to get ahead of their competitors. However, if hackers expose or steal sensitive information, they may be at a disadvantage.
  • Cyberattacks: Cyberattacks can destroy an entire network and wreak havoc on any business. There are many types of cyber attacks that organizations must deal with.

Despite the well-documented instances of these cyberattacks, security measures must improve sufficiently to address the growing threat to individuals and organizations.

Types of cybersecurity attacks

Accidental exposure

Accidental exposure can result from simple error or negligence, such as an employee leaving an internal document on a cloud service without password protection.

A data breach also results from poor security measures and human error. Employees are typically unaware of their company’s security policies and mismanage data.

Insider threats

Types of internal cybersecurity threats

Surprisingly, one of the worst threats to data security is an organization’s own staff. Insider threats are people who inadvertently or deliberately compromise a company’s data.

These threats can be divided into three categories:

  1. Compromised insiders: unbeknownst to them, their account credentials have been compromised by an attacker who can now use their identity to conduct malicious activity.
  2. Malicious insiders: they deliberately attempt to extract data from their company or inflict damage to satisfy their personal interests.
  3. Nonmalicious insiders: unintentional harm can be caused by employee negligence or lack of knowledge of security policies and procedures.

Phishing and other social engineering attacks

Phishing is a form of social engineering where hackers attempt to steal sensitive information with fake emails, SMS or messages.

For example, they try to extract login information and credit card information to their advantage.

Here are two common techniques:

  • Social engineering: manipulating and deceiving victims into divulging confidential information. The attacker seeks out the target to obtain information about its vulnerabilities, gain its trust and encourage security compromising actions.
  • Ransomware or malware: ransomware is one of the most pressing cybersecurity issues. In 2021, ransomware affected 66 percent of organizations; attacks increased by about 78 percent from 2020. Ransomware locks up computer systems until victims disclose confidential information or pay a ransom. Many companies pay the ransom in silence. In this regard, it is worth noting that many countries want to legislate to make reporting cyberattacks a legal requirement.

Ransomware statistics in 2022

IoT attacks

The Internet of Things (IoT) is susceptible to data security threats. Hackers can gain access to your personal devices and sensitive information by targeting monitoring devices, such as smart watches, baby monitors, smart refrigerators or smart lights. Compromising IoT devices will allow hackers to exploit data security for malicious purposes.

Quantum attacks

Although quantum computers are not yet fully developed, they pose a potential threat to the security of data stored today. Today’s cryptographic algorithms could be broken much faster with a quantum computer, meaning that data stolen and stored by hackers today could be decrypted in the future. Therefore, it is important to develop new forms of cryptography that can withstand the computing power of quantum computers.

In summary, while quantum computers are not yet a reality, the threat they pose to today’s data is very real and must be addressed.

Examples of catastrophic data theft or breach

Yahoo

In 2016, Yahoo fell victim to one of the largest cyber attacks in history, affecting over 1 billion user accounts. The hackers were able to access users’ names, email addresses, phone numbers, dates of birth, passwords and answers to security questions on their accounts. Authorities attributed the attack to a Russian state-sponsored hacker group.

The attack had significant consequences for Yahoo, including loss of user confidence, declining advertising revenue and the cancellation of the Verizon buyout deal.

In 2017, Yahoo was fined $35 million for failing to disclose the attack to investors.

LinkedIn

In June 2021, the personal data of some 500 million LinkedIn users was stolen and put up for sale on the dark web by a hacker who used an automatic data collection tool (scraping technique).

Although LinkedIn denied the hack, the release of a data sample unfortunately confirmed the veracity of the attack. Therefore, the threat of fraudulent use of this data hangs over the owners.

Data security solutions to protect sensitive data

Governments are implementing increasingly stringent data protection laws in response to the growing number of data breaches around the world.

For their part, companies should protect themselves from security breaches by investing in appropriate security solutions to avoid being caught in an illegal situation, having to pay fines, being sued or having to compensate for losses.

To do so, they must have a global vision of their IT security. Then they must take appropriate action.

Data Security Solutions

Data encryption

Data encryption can be done at different levels of an information system: one can encrypt an individual file, a partition or an entire disk. And there are many encryption methods that we will not detail in this article.

To access the data in clear text, it is necessary to have the decryption key; the best known method is the password.

Passwords are far from satisfactory in terms of security, so they should always be strong and stored in a password manager. Password vaults store usernames, passwords and other sensitive information in encrypted form, accessible only with the correct credentials.

Far superior to passwords, certificates are digital documents that verify a user’s identity. No “serious” information system should rely on passwords today.

In addition, there are methods that rely on physical keys.

Whatever encryption solution you choose, make sure it is secure enough for your needs.

In France, the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) is in charge of reinforcing the security of information systems. It certifies security methods you can follow to reduce your risk.

Data masking

Data masking creates a realistic but false version of the data to protect sensitive information. This technique is used when real data is not needed, such as in training, sales demonstrations or software testing. Data masking involves changing the data values while preserving the format, resulting in a version that cannot be decrypted or reverse engineered.

Two very useful techniques are anonymization and pseudonymization of data. Pseudonymous data allows for some form of re-identification, while anonymous data prevents any chance that the information can be linked to a specific person.

The disadvantage of the GDPR is that it forces companies to delete personal data that is no longer used after a regulatory deadline, and this data can be very valuable. Anonymization allows for compliance with GDPR requirements while limiting the loss of value due to erasure.
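The three techniques above (format-preserving masking, pseudonymization and anonymization) are easy to confuse, so here is an added example, not code from the original article or from Data Éclosion, that puts them side by side on one constructed customer record. The record values, the `PSEUDO_KEY` and the French postcode-to-department rule are assumptions made for the demonstration. The key point it makes concrete is the re-identification difference: a pseudonym can be reversed by whoever holds the key, an anonymized record cannot.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample record; every value here is made up for the example.
SAMPLE = {
    "name": "Marie Dupont",
    "email": "marie.dupont@example.com",
    "iban": "FR76 3000 6000 0112 3456 7890 189",
    "age": 37,
    "postcode": "75011",
}

# Hypothetical pseudonymization key; in practice it lives in a secrets store,
# never beside the data it protects.
PSEUDO_KEY = b"example-key-kept-out-of-the-dataset"


def mask_format(value: str) -> str:
    """Format-preserving masking for test or demo data.

    Each digit becomes a random digit and each ASCII letter a random letter of
    the same case; punctuation and spaces are kept, so the shape of the value
    survives but nothing of the original can be recovered from the result.
    """
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch in string.ascii_uppercase:
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch in string.ascii_lowercase:
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 truncated to 16 hex characters.

    The same input always yields the same token under one key, so records can
    still be joined; without the key the token cannot be reversed, but whoever
    holds the key can re-identify it (see reidentify), which is why the GDPR
    still treats pseudonymous data as personal data.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def reidentify(token: str, candidates: list, key: bytes):
    """Re-identification as the key holder: recompute over known identities."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), token):
            return candidate
    return None


def anonymize(record: dict) -> dict:
    """Irreversible anonymization: drop direct identifiers and generalize the
    quasi-identifiers that could single a person out when combined."""
    low = (record["age"] // 10) * 10
    return {
        "age_band": f"{low}-{low + 9}",
        "department": record["postcode"][:2],  # assumed: French postcode -> department
    }


if __name__ == "__main__":
    print("masked IBAN   :", mask_format(SAMPLE["iban"]))
    token = pseudonymize(SAMPLE["email"], PSEUDO_KEY)
    print("pseudonym     :", token)
    print("re-identified :", reidentify(token, [SAMPLE["email"]], PSEUDO_KEY))
    print("anonymized    :", anonymize(SAMPLE))
```

The masked IBAN keeps its layout, so a test environment loads it without schema changes, while the anonymized record contains nothing that maps back to Marie Dupont even for the key holder; that is the property the GDPR deletion argument in the paragraph above relies on.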

Data leak prevention

Data Leak Prevention (DLP) aims to prevent the exfiltration of sensitive company data. It is an application that applies rules to detect and block potentially dangerous outbound traffic, such as emails sent outside the company. If such an incident occurs, it sends an alert to the administrator, who then assesses its severity.

In the cloud, we talk about CASB (Cloud Access Security Broker). It is a security solution designed to protect enterprise data stored in the cloud by monitoring access to cloud applications and enforcing security policies to ensure data confidentiality, integrity and availability (the CIA triad). CASBs can provide capabilities such as identity and access management, data encryption, threat detection, data loss prevention and regulatory compliance.
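To show what "applies rules to detect and block potentially dangerous outbound traffic" looks like in practice, here is an added example of a minimal DLP rule set run over constructed outbound e-mails; it is not the article's or any vendor's code. The company domain `example.com`, the `CONFIDENTIAL` marker and the messages are all assumptions. The Luhn check is the detail a practitioner wants: it keeps the rule from alerting on every 16-digit order number, which is what makes the administrator's severity assessment manageable.

```python
import re

# Constructed values for the example: the company's own mail domain and the
# marker its classification policy puts on internal documents.
INTERNAL_DOMAIN = "example.com"
CONFIDENTIAL_MARKER = "CONFIDENTIAL"

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalized digit strings that match the card pattern and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def inspect_outbound(message: dict) -> list:
    """Apply the DLP rules to one message.

    Returns (rule, severity, detail) tuples for the administrator's alert; an
    empty list means the message may leave. The detail never carries the full
    card number, so the alert itself does not become a second leak.
    """
    if not any(is_external(r) for r in message["to"]):
        return []  # internal traffic is out of scope for this rule set
    text = message["subject"] + "\n" + message["body"]
    findings = []
    for digits in find_card_numbers(text):
        redacted = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        findings.append(("card_number", "high", redacted))
    if CONFIDENTIAL_MARKER in text:
        findings.append(("classification_marker", "medium", CONFIDENTIAL_MARKER))
    return findings


# Constructed outbound messages used to exercise the rules.
MESSAGES = [
    {"from": "alice@example.com", "to": ["partner@other.org"],
     "subject": "Invoice", "body": "card 4111 1111 1111 1111 please"},
    {"from": "alice@example.com", "to": ["bob@example.com"],
     "subject": "Invoice", "body": "card 4111 1111 1111 1111 please"},
    {"from": "alice@example.com", "to": ["partner@other.org"],
     "subject": "Shipment", "body": "order 1234567890123456 shipped"},
    {"from": "alice@example.com", "to": ["partner@other.org"],
     "subject": "CONFIDENTIAL roadmap", "body": "see attached"},
]

if __name__ == "__main__":
    for msg in MESSAGES:
        print(msg["to"], "->", inspect_outbound(msg) or "clean")
```

A real DLP product adds many more detectors (IBANs, national ID formats, fingerprints of known documents) and a blocking action, but the structure is the same: classify the content, decide whether the destination is trusted, and raise a severity-tagged alert for a human to assess.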

Types of data security technologies

Identity and access management

Identity and Access Management (IAM) is a set of processes, policies and technologies for managing electronic identities. Implementing an IAM framework allows IT managers to regulate user access to sensitive information within their organizations.

IAM systems use a variety of technologies such as single sign-on, two-factor authentication, multi-factor authentication and privileged access management.

In addition, these systems securely store identity and profile data and provide data governance features to ensure that only relevant and necessary data is shared.
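The paragraphs above describe IAM in terms of roles, access regulation and multi-factor authentication; as an added example (not the article's or any IAM product's code), here is a small policy engine that ties those pieces together. The roles, permissions and sessions are constructed for the demonstration. Two design choices worth noticing: access is denied unless some role explicitly grants it (least privilege), and write or administrative actions are refused unless the session was authenticated with a second factor, which is how "privileged access management" is usually wired in.

```python
from dataclasses import dataclass

# Constructed role model: each role lists the (action, resource) pairs it grants.
ROLE_PERMISSIONS = {
    "analyst": {("read", "reports")},
    "dba": {("read", "customer_db"), ("write", "customer_db")},
    "admin": {("read", "customer_db"), ("write", "customer_db"),
              ("read", "reports"), ("manage", "iam")},
}

# Actions that must only be performed from an MFA-verified session.
PRIVILEGED_ACTIONS = {"write", "manage"}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool


def authorize(session: Session, action: str, resource: str) -> tuple:
    """Deny-by-default authorization decision.

    Returns (allowed, reason). The reason is what the audit log records, so a
    reviewer can later tell a missing role apart from a missing second factor.
    """
    granted = any(
        (action, resource) in ROLE_PERMISSIONS.get(role, set())
        for role in session.roles
    )
    if not granted:
        return (False, "no role grants this permission")
    if action in PRIVILEGED_ACTIONS and not session.mfa_verified:
        return (False, "privileged action requires MFA")
    return (True, "granted")


def audit_record(session: Session, action: str, resource: str) -> dict:
    """Decision plus context, in the shape a SIEM would ingest."""
    allowed, reason = authorize(session, action, resource)
    return {
        "user": session.user,
        "action": action,
        "resource": resource,
        "allowed": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sessions for the demonstration.
    analyst = Session("alice", frozenset({"analyst"}), mfa_verified=False)
    dba_no_mfa = Session("bob", frozenset({"dba"}), mfa_verified=False)
    dba_mfa = Session("bob", frozenset({"dba"}), mfa_verified=True)
    for s, a, r in [(analyst, "read", "reports"), (analyst, "read", "customer_db"),
                    (dba_no_mfa, "write", "customer_db"), (dba_mfa, "write", "customer_db")]:
        print(audit_record(s, a, r))
```

Because every decision carries its reason, the same function serves both enforcement and the governance reporting the paragraph mentions: a query over the audit records shows which users are hitting "no role grants this permission" (over-broad requests) and which privileged actions are being attempted without MFA.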

Why do companies need a good data security strategy?

Companies need a good data security strategy to protect their information from online threats such as hacking, data theft, malware, etc. An effective security strategy ensures the confidentiality, integrity and availability of data. It also helps to comply with data protection regulations and avoid costly financial and legal consequences in the event of a data breach. In short, a strong data security strategy is essential to protect a company’s reputation, intellectual property and assets.

Cost of data breaches by country

How Data Éclosion helps companies master their data

At Data Éclosion, we understand the importance of data governance in helping businesses succeed now and in the future. We help organizations inventory, control and secure their most valuable data.

With our digital strategy expertise, we’ve helped companies of all sizes transition to data-driven organizations. Data security is a critical component of any digital strategy, which is why we recommend robust solutions such as end-to-end encryption, multi-factor authentication and regular security audits. Our team of professionals is committed to helping you improve your control over information with customized solutions designed for your business. Contact us today for an assessment of your data management needs.