Data is an incredibly powerful asset and triggers growth and development in any business. This is why effort must be focused on its protection, to prevent unauthorized access, non-compliance, leakage, data disclosure or even its destruction through malware or viruses.
Modern business methods often put data security at huge risk: the usage of portable devices, remote working, and connection via Wi-Fi multiplies the chances of a data breach, and the consequences can be devastating for your business. An established company can be destroyed in seconds because of weak data protection. Security equals availability.
The reputations of globally-recognized companies such as Facebook, Google, Marriott, Binance, and many others have suffered because of careless handling of data records. For example, Facebook experienced the exposure of 50 million users’ data records, resulting in $1.6 B in fines. Google+ had to shut down its service after the disclosure of 53 million users’ data. Large companies have the brand behind them and can recover quickly, but for smaller enterprises security breaches can be devastating.
7 Levels of Data Security Pyramid to Protect Your Business
To mitigate all types of potential security threats and unify preventive methods, we have developed a Data Security Pyramid. This detailed method includes seven levels that address various cybersecurity threats and risks. Let’s look at each level in detail:
Level 0: Ground
The very first step any enterprise must take is to protect all of its assets. Nowadays, these assets are not in just one location, so the first step is to carry out an audit and a careful inventory of all assets across all locations. The list must include all physical hardware, such as personal computers, mobile devices, laptops, routers, and other physical machines. It must also account for cloud resources such as virtual drives, microservices containers, API gateways, and even storage which holds any confidential data, like passwords.
At this basic level, the most effective way to keep data protected is to arrange a regular inventory of physical and virtual assets to prevent both internal and external attacks. You can’t protect a digital asset that you’re not aware of!
Level 1: Essential
The next security level entails switching from default settings and passwords to a more complex approach. Using only standard password combinations or default system configurations gives a green light to fraudsters to access your data and steal it, without any serious impediments.
At this point, it is highly recommended to change all default passwords, settings, configurations, ports, firewall rules, and other policies to minimize the risk of breaches.
Level 2: Basic
After changing all of the default IT policies, perimeter protection must be built to restrict access to your network of physical and virtual assets.
To do this, create custom firewall configurations, use intrusion detection software solutions and antivirus programs, implement RFID-based authentication, and carry out regular data security testing and audits.
Level 3: Elevated
This level is represented through three key approaches: segregation of duties, separation of roles, and the IAAA principle.
Segregation of duties means that you have to separate hardware and software for different purposes. For example, using the same computer for web deployment and a database can be a serious security risk for the entire network. There must be no colocation. While this is not a cost-effective use of resources, it has the power to eliminate numerous risks.
The separation of roles approach means granting access to a system or device only to those users who are rightfully authorized to deal with those files, systems or devices. In other words, you have to limit access only to those who need it.
The IAAA principle stands for identification, authentication, authorization, and audit. Keep to this rule to ensure data is thoroughly protected at all times.
Level 4: Advanced
The advanced level of the Security Pyramid is achieved only when internal documents are categorized (security labeled) and permission-based access is attached to them. This is a higher level of segregation, absolutely necessary to medium and large enterprises spread over many locations.
These labels mean that documents must be classified as Public, Private, or Protected. Access permissions can be set for opening, reading, editing, and downloading. For example, a financial statement can be opened, read, edited, and downloaded by a CEO, whereas a head of department may only have reading access.
Also, this level includes recommendations to use password management tools like multi-factor authentication, and key management tools like AWS KMS, Azure Key Vault or HashiCorp Vault. This ensures passwords are strong, securely stored and properly managed.
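The label and permission model described for this level can be expressed as a deny-by-default check. The sketch below is an added example, not code from the original article; the role names, file names, policy grants and the choice to label the financial statement as Protected are assumptions made for illustration.

```python
from enum import Enum, Flag, auto


class Label(Enum):
    PUBLIC = "Public"
    PRIVATE = "Private"
    PROTECTED = "Protected"


class Perm(Flag):
    OPEN = auto()
    READ = auto()
    EDIT = auto()
    DOWNLOAD = auto()


ALL = Perm.OPEN | Perm.READ | Perm.EDIT | Perm.DOWNLOAD

# Constructed policy (role names and grants are assumptions): role -> label -> permissions.
POLICY = {
    "ceo": {Label.PUBLIC: ALL, Label.PRIVATE: ALL, Label.PROTECTED: ALL},
    "head_of_department": {
        Label.PUBLIC: ALL,
        Label.PRIVATE: Perm.OPEN | Perm.READ,
        Label.PROTECTED: Perm.READ,  # reading access only, as in the example above
    },
}

# Constructed label register: every document is expected to carry exactly one label.
DOCUMENTS = {
    "financial_statement.xlsx": Label.PROTECTED,
    "press_release.pdf": Label.PUBLIC,
}


def is_allowed(role, document, perm, audit_log):
    """Return True only if the role's grant for the document's label includes perm."""
    label = DOCUMENTS.get(document)  # None means the document was never labelled
    granted = POLICY.get(role, {}).get(label, Perm(0))  # unknown role or label: no grant
    allowed = label is not None and perm in granted
    # Record every decision, denials included, so access attempts can be audited.
    audit_log.append(
        (role, document, perm.name, label.value if label else "UNLABELLED", allowed)
    )
    return allowed


def unlabelled(seen_documents):
    """Documents found in storage that are missing from the label register."""
    return sorted(set(seen_documents) - set(DOCUMENTS))
```

Unlabelled documents and unknown roles are refused rather than treated as Public, so a gap in classification shows up as a denied request in the audit log instead of as silent exposure.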
Level 5: Endurance
While we can make an effort to minimize the risk of cyberattacks, we have no way to foresee and prevent natural disasters that can physically destroy hardware and data. Normally, these are the type of events that trigger the force majeure clause in contracts.
The above preventive methods will not work in these cases. However, each enterprise can devise a plan that will reduce the impact of natural disasters and mitigate any damages, as well as ensure a speedy recovery afterwards.
Thus, at the endurance level, you have to generate a Disaster Recovery Plan and a Cyber Security Emergency Response Plan. It is also recommended to schedule regular data backups, perform drills, and routinely analyze system vulnerabilities.
Level 6: Trust
This upper level is mainly dedicated to improving the security of the human factor. It consists of several meticulous background checks.
Firstly, when hiring new personnel in key positions, perform thorough HR screening. This is needed to make sure new employees will treat confidential information in a responsible way.
Secondly, perform background checks on your suppliers and vendors. If you notice any security gaps, request them to level up their security policies to align with yours.
In addition, the use of Dark Web scanning is crucial in establishing whether any of your business data is in the possession of hackers. As additional protection, you can simulate attacks to see how the system will behave, and identify and correct weak points.
Level 7: Paranoia
This level is an extra option for companies to add even more protection to their valuable information. These methods are not mandatory, but they will certainly add an extra level of assurance above competitors.
One great proactive step is to build a Security Operation Center that handles all security requests and prevents incidents. Specific threat detection software can be integrated with your systems to spot potential malware, phishing, spamming and other subversive attacks. Biometric access systems with voice recognition or fingerprint authentication can tighten access to premises, hardware and endpoints.
There are many other methods to enhance control of your internal systems, but the approaches presented in levels 0 to 6 should suffice for keeping everything well secured, for most enterprises.
DataArt Expertise in Cybersecurity
DataArt focuses on using cutting edge industry solutions and applying effective methods to make sure our clients stay safe and can focus on what matters most to them: their business. Our InfoSec team performs security penetration testing and social engineering testing, source code review and cloud audit. We have experience in assisting businesses with PCI, GDPR and HIPAA compliance, security assurance and general security consulting.