X-Industry

A Little Help

Posted by Bill Schenkelberg on March 3, 2023 at 10:00am

10973933464?profile=RESIZE_400xOrganizations are generating and storing an increasing amount of digital data. Protecting this information from unauthorized access, theft, or damage is critical.  The Chief Information Security Officer (CISO) is responsible for ensuring that an organization’s sensitive data is appropriately secured and protected from potential threats.  In the below analysis, we see the various types of data that CISOs and other business leaders need to protect while working together to do so, along with tangible steps to put safeguards in place.[1]

Seven (7) Critical Data Types: Data, in its many forms, is the lifeblood of business. Customers, employees, and products all exist as data points in business system.  It is incumbent on you, as the leader of a business, to ensure that data is properly cared for by the people whose job it is to do so.  Here’s a summary of the seven most critical types of data CISOs are responsible for protecting.  Knowing these will allow you to engage with your security team, ask the critical questions that must be answered, and ensured the overall data protection strategy is sound more effectively.

  1. Personal Identifiable Information (PII) - PII is any data that can identify an individual, such as their full name, address, social security number, or date of birth. Organizations often collect and store this information for various reasons, in forms such as employee records or customer databases.  PII is a valuable target for cybercriminals, who will use it for identity theft, financial fraud, or other malicious activities.
  2. Financial Information - Financial information, such as credit card numbers, bank account details, and transactions, is another type of data that cybersecurity pros must protect. This information is highly sensitive and is often targeted by cybercriminals, who use it for financial fraud and other malicious activities.
  3. Confidential Business information - Confidential business information includes trade secrets, strategic plans, and intellectual property. This information’s value to the organization means it must be kept safe from unauthorized access, theft, or damage.
  4. Protected Health Information (PHI) - PHI is any data that pertains to an individual’s health, such as their medical history, treatments, or diagnoses. This information is protected by various privacy laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States.
  5. Passwords, Usernames, and Authentication Credentials - Passwords, usernames, and authentication credentials are important for accessing sensitive data and systems within an organization. If these credentials are stolen or compromised, they can be used by cybercriminals to gain unauthorized access to the aforementioned data and systems.
  6. System and Network Configurations and Access Control Details - System and network configurations and access control details are important for the security and stability of an organization’s systems and networks. These configurations must be properly secured to prevent unauthorized access to systems and the data they store.
  7. Backup Data and Disaster Recovery Plans - Backup data and disaster recovery plans are crucial for ensuring the continuity of an organization’s operations in the event of a security breach or other disaster. If backup data and disaster recovery plans are not adequately secured, they are vulnerable to tampering or destruction, which compounds the fallout for any organization already trying to mitigate the effects of a breach or natural disaster.

To provide appropriate protections for all seven of these data types, the security team must ensure that appropriate security controls are in place and apply them continuously. These measures include encryption, access controls, regular monitoring of systems and networks, backups and disaster recovery, and compliance with laws and regulations.  Let’s review each of these measures in more detail.

  • Encryption - Encryption is the method by which information is converted into secret code that hides the information’s true meaning. Encryption can help prevent cybercriminals from accessing and stealing confidential business information. 
  • Access Control - Access control restricts access to sensitive data and systems to only those individuals who have a legitimate need for it, and it ensures their actions are properly authorized and monitored. Access control helps to validate that the right people have access to the data they need to perform their jobs; and nothing more.
  • Regular Monitoring - Regular monitoring of systems and networks is critical for detecting and responding to potential threats in a timely manner.  This includes monitoring for suspicious activity, such as unauthorized access attempts or data breaches, allowing the security team to respond quickly to potential threats.
  • Backups and Disaster Recovery - Regular backups and disaster recovery plans help to ensure that confidential business information is not lost or damaged in the event of a security breach. By regularly backing up data, organizations can quickly restore their systems and data in the event of a failure, reducing the risk of data loss and downtime.
  • Compliance - Organizations operate within a complex legal and regulatory environment and must comply with various privacy laws and industry standards to protect sensitive data. For example, the General Data Protection Regulation (GDPR) in Europe and HIPAA in the United States are two of the many regulations that organizations must comply with.  This includes regular audits and assessments of the organization’s security measures and procedures.

Closing Thoughts:  There are many types of data that exist in your organization. Knowing those data types and where they exist are the first steps in ensuring their security.

As a business leader, you may not be involved in the day-to-day practices of securing this data, but you should be able to ask the right questions and have baseline knowledge to make sure proper steps are being taken to protect your company’s most sensitive data information from theft, loss, or disaster.  Partner with your security team and let them know you understand the importance of data security and collaborate with them to put security into practice.  That will go a long way toward data protection and loss prevention.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

[1] https://accelerationeconomy.com/cybersecurity/how-cisos-can-ensure-security-teams-properly-safeguard-sensitive-data/

Views: 17
Tags: tr-23-058-003, ciso, advice, cautions, pii, phi, critical data
E-mail me when people leave their comments –
Follow

You need to be a member of Red Sky Alliance to add comments!