Data Security is seen by some as being the core reason for having security – especially for organisations who consider their data assets and how they process them as being how they make their money. Many organisations also look for compliance with privacy regulations as the relevant legislation continues to proliferate throughout the globe. COVID-19 is highlighting weaknesses in data security strategies, but time and money do not support big changes.
A simplistic view of the problem is that data security is trying to maintain confidentiality, integrity and availability (CIA), which combined also make up Privacy. There are many tools and approaches out there, including data governance, access control, classification, encryption and DLP. Alongside these are many other tools – remember, your whole security architecture is to some degree oriented to achieving data security.
Your data security strategy will be addressing many threats. But in this time of COVID-19 we are seeing a massive uplift (400%+ related to COVID-19) in social engineering attacks, whether through text, email, a physical knock on the door or something else. Phishing, and any of its derivatives, remains the leading initial stage of attack on a company.
You need to:
1) Stop data being leaked so that it can be used to fool people.
2) Stop people being fooled so that they can inadvertently allow data to be compromised.
What can you do?
Defending your users with tools, education, and direct support is crucial. Phishers continue to become better, and the opportunity that COVID-19 gives them is huge and threatens to overcome your tools. Spend time with your anti-phishing toolset and processes to make sure they’re running well and keeping up with the threat.
Help your users. Now is the time to educate and support them, especially as they work from home and are facing unprecedented concerns. Keep communicating with them and reminding them about the threat against both their personal and professional lives.
Now is also the right time to revisit your existing data security controls, especially with the work-from-home changes you’re undoubtedly seeing. Some basics that will help:
- Have all your line managers perform an emergency review of access to all your critical and regulated data.
- Have your IAM teams double check employment status and get those unused accounts cleared out.
- In these times of furlough and (sadly) layoffs, get your HR team to communicate employment changes promptly to the IAM team.
- Make sure your AV systems are up to date, and especially focus on the user endpoint.
- Double check your endpoint encryption coverage.
- Double down on other existing data-focused tools if you have them.
These will help protect your data from users’ inadvertent mistakes. It’s not a full list by any means. Gartner has published many documents on COVID-19 strategies. We also have much guidance on DLP, classification, encryption and all the other data security tools that are available.
First and foremost, however – stay safe. Nothing is more important than you, your family and colleagues. Our best wishes to you all in these troubling times.