Data security and privacy are hot topics among customers, partners, and individuals today, and for good reason.
We’ve seen headline-making breaches in the news, some of which may have affected our (or our clients’) personal data. Supply chain threats are always an uncomfortable mistake away, and data privacy laws continue to evolve and exact their demands – one minute, you’re accountable for securing XYZ, and the next, you may be on the hook for ABC, too.
It’s no wonder companies face confusion when it comes to knowing how best to tackle the issue. And what if you are fairly new to the data privacy and security game? Say you’re a pet store with a great app that’s fairly new to the cloud, or a school district that’s still building its cybersecurity team. At this point, all teams should have some basic idea of what data security entails, but with the industry itself changing so rapidly, it’s no surprise that very few have a complete picture.
Here are some basics to understand about data security and privacy in 2024 and how to check the “big things” off your list.
First: How did we get here?
At the end of the day, protecting the security and privacy of your data looks a lot different than it did even a few years ago. Back then (let’s say, pre-2022), if you wanted to protect data in the cloud, you would rely solely on various endpoint and behavioral-based detection tools overseen by Cloud Security Posture Management (CSPM). Disclaimer: these are still incredibly useful and a vital part of any security stack today that’s big enough to warrant them.
Protecting the architecture
The thought was that if you could ensure that there were no misconfigurations, the right policies were in place, your architecture was security compliant, and you had solutions for both simple and complex (anomalous) threats, that was as good as anyone could do. And for the time, it was.
Needing to protect more than just the architecture
However, the complexity of the cloud started to spread and took on a lot of other variables. To name a few, you have hybrid, multi-cloud, remote work, personal devices (BYOD), IoT devices, social media platforms, personal accounts tied to work devices and vice versa, cloud storage repositories, long software supply chains, open source codebases underpinning everything (with 91% containing outdated OS components), and SaaS, SaaS, everywhere – and for everyone.
These tools couldn’t track sensitive (and now compliance-riddled) information as it was transferred via personal email addresses, downloaded onto employee iPhones, sent via WhatsApp, saved in a PPX on a personal computer, copy-and-pasted, or stored in image, video, or audio files. Yet all of that data – structured and unstructured, no matter how or where it was saved (or lost) – remained the responsibility of organizations that were at a loss for how to keep track of it, much less protect it.
New problems, new solutions
Data got out of hand, and these tools, which protected only the architecture in which data resided, failed to catch data as it fell through the cracks. AI-driven tools like Data Security Posture Management (DSPM) can now find and protect data anywhere – even in the spaces between traditional data safe havens – and we’ll touch on tools like this in a bit.
This is why having a problem-aware, proactive plan to protect your data as you digitize is of utmost importance, as is having the right tools. Here are a few key steps – and the earlier you implement them, the less of a headache it will be.
Know where all your data resides.
Regardless of whether you’re fully aware of which security frameworks or data privacy laws apply to your organization, you must take full stock of all your data assets first. That way, when you do know, you can quickly put the right policies in place.
The trick is finding that data once it has left the nest. The trouble also becomes finding data you don’t even know is lost – shadow data. Tools like DSPM are equipped for the rugged terrain of complex, multi-cloud, unstructured-data-riddled environments. As stated by data security firm Cyberhaven, “A robust DSPM tool will be able to manage the unique challenges of cloud data security, like multi-tenant environments and shared responsibility models.” Tools like this can be invaluable for finding all that data you do (and do not) know about, no matter what kind of digital mess you’re in.
Know which data privacy laws apply to you.
The data privacy laws that apply to you will be foundational to the kinds of security policies you put in place and the frameworks you follow. Currently, 137 out of 194 countries have data privacy laws in place, and in the United States, specific laws vary by state. Consider the ones to which you might be accountable by geography:
Then, there are the compliance regulations that vary by industry. They include:
- HIPAA (Healthcare)
- Sarbanes-Oxley Act (SOX) (Finance)
- PCI DSS (Payment card industry)
- FISMA (US Federal Government)
- NERC CIP (US Critical Infrastructure)
And more.
Put the right policies in place.
Next, you want to establish a cybersecurity strategy (a collection of security controls and policies) that aligns with your data compliance requirements and security needs. Your compliance requirements will largely dictate the types of measures you need to pass an audit, and increased security can be added from there.
Regardless of mandates, some industry-level frameworks that are widely applicable across the board include:
- The CIS Controls | These are good for establishing fundamental cyber hygiene and are a great place to start.
- NIST Cybersecurity Framework (CSF) | The “gold standard” for cybersecurity, NIST CSF was originally developed for use by the federal government and has now been adopted by top corporations globally.
- MITRE ATT&CK | This framework is less for implementation and more for mapping out the common techniques, tools, and capabilities of prominent adversarial tactics today.
It’s an uncomfortable truth: compliance doesn’t necessarily mean security, but by applying industry best practices as outlined in these frameworks, you have a very good shot at both.
The Sooner, the Better
Digital data is running away with organizations that rushed to digitize but were unprepared for the security challenges to come. Force-multiplying technologies (CSPM, DSPM, XDR) and simple strategies (vulnerability management, pen testing) can help you keep pace even as your digital attack surface grows. Or – even better – they can help you reduce that attack surface as you go, so it never gets out of hand.
Data only grows, so get ahead of it now. You’ll thank yourself for putting these policies in place with the amount of data you have now (vast though it may seem). If you really want a hassle on your hands, let your digital data enterprise grow unchecked and see what a job you’re in for next year.
About the author:
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.