When it comes to data, every exchange with the outside world can raise concerns about confidentiality and integrity, as once this data passes from one place to another, it can be intercepted, modified or even destroyed. To better protect themselves against the various risks, IT security teams must employ a range of good practices. Read below for tips to help you regain confidence and communicate safely.
All companies and institutions are equally affected by the three main risks to data: confidentiality, integrity and availability. But how can you protect your company and help your employees communicate safely?
Data as a cyber risk
The notion of data protection is closely linked to confidentiality, integrity and availability. On this point, all the definitions agree: confidentiality ensures that information is accessible only to authorised persons; integrity ensures that a piece of data remains identical during its life cycle; and availability ensures that a piece of data is accessible at a defined time. Together with traceability, these elements are the fundamental building blocks of information security.
And to protect the confidentiality and integrity of this data, one solution is generally given: encryption. However, while this measure is necessary, it is not always properly implemented. Between terms like vital data, sensitive/critical data, and personal data, it’s easy to get lost. As a result, many companies believe they are not affected and don’t need to protect their files and communications. However, all companies need data protection. Customer files, accounting documents or other important materials are all items that allow the company to function on a daily basis. For an SME, for instance, losing a year’s worth of accounting information can be catastrophic. In order to make sense of it all, everyone needs to define what information is strategic to the company or institution concerned, bearing in mind that any data produced has value.
Between terms like vital data, sensitive/critical data, and personal data, it’s easy to get lost. As a result, many companies believe they are not affected and don’t need to protect their files and communications. However, all companies need data protection.
At the same time, they need to better understand when this data becomes accessible, and therefore vulnerable. To gain access to data, a cybercriminal might go through a company terminal or network—all of which should also be subject to cyber protection. In the specific case of a Trojan attack, for instance, a group of cybercriminals could gain access to everything that is displayed on the screens of the infected system, as well as keyboard inputs. “These attacks can be highly targeted and come from states, but not just states”, says Sébastien Viou, Cybersecurity Director and Cyber-Evangelist Consultant at Stormshield. “Trojans that are used to retrieve passwords and usernames, including people’s personal banking info, can also be introduced on a large scale by simply downloading a game, an extension or a password manager. And while we often think of computers first, smartphones are also a big entry point for this type of malware...” This highlights the need to protect workstations, but also to think about limiting work stations to professional use.
How to better protect your data
This is because data is of no value if it remains at the bottom of a drawer or a directory on your computer. Often, data is only valuable if it is shared. And it is during these exchanges that it is most vulnerable, as it is leaving the (in theory) protected enclave of its storage device.
The data can then be exchanged between employees and/or with an external service provider in several ways: by email, on the Cloud or on a USB key. The methods and technologies may differ, but they all need to use the same security method: end-to-end data encryption. This type of encryption allows the information to be read only by the sender and the recipient, with a robust means of authentication. It also keeps it out of the reach of intruders, onlookers and even publishers, preventing them from accessing the unencrypted data. But for this end-to-end encryption to be effective, it must be carried out under the sole supervision of the company looking to protect its data. The protection keys, which are used to encrypt the files, must therefore remain the exclusive property of the company; this is the only way to ensure that data protection is completely independent of storage.
For this end-to-end encryption to be effective, it must be carried out under the sole supervision of the company looking to protect its data. The protection keys, which are used to encrypt the files, must therefore remain the exclusive property of the company.
However, with the rise of mobile devices and the widespread use of collaborative tools, some data is not protected end-to-end by the company. When using certain online office suites in SaaS mode, an independent data encryption solution can help ensure that data remains confidential in transit. Given how easy these office suites are to use, the challenge for solution providers is to integrate them seamlessly for the end user, and thereby secure the data while keeping the user experience simple and efficient. With files and emails now protected, the data must be encrypted end-to-end directly in web browsers.
The importance of data backups and access rights
If data encryption can protect integrity and confidentiality, what about availability? After all, data that is accessible to anyone, even if encrypted, can always be... deleted. Therefore, an effective backup is the first step. As Sébastien Viou notes: “Backups should be tested regularly, encrypted, and disconnected or unalterable.” They should be approached by the IT and business teams with a sense of shared responsibility, taking into account all the necessary parameters, including how to manage the recovery of encrypted secrets. It is also best to have a Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) stored in a secure space, digital or otherwise.
At the same time, access rights will need to be managed. This is to ensure that only authorised persons can access sensitive data, both internally and externally. However, this is a complex issue, as Identity and Access Management (IAM) involves all the heads of each department or business line in a company. Each of them must be able to determine who on their team has access to what, and for what purpose. A simple prospect at first glance, but given the growing number of tools and company turnover, managing all of these privileges can quickly become a big task. However, it is a task that contributes to the company’s safety.