Nearly every company in the world has a need for data security and privacy, whether they store customer payment information in a profile for future use or develop groundbreaking ideas that could change the future of commerce. But due to the sensitive nature of this data, organizations must be sure that it is well-protected.
Security is an increasingly difficult challenge as more and more of the workforce transitions into digital and remote roles.
What was once a physical packet of paper carried from one cubicle to another is now digitally stored and transferred across states or even continents from one employee to another, presenting countless opportunities for hackers and other cyber criminals to infiltrate.
The higher volume of consumer, client, and employee data that organizations store and handle today places them at an increased risk for data breaches and other security concerns.
Companies are rapidly adopting complex computing environments to meet operational needs, which can include cloud infrastructure, data centers, and numerous devices and operating systems.
This complexity can hinder security, which means organizations must develop strong data governance strategies to better manage how data is stored, shared, and processed.
Many companies use the terms “data protection” and “data security” interchangeably, but they’re distinct components, and each plays a unique role in ensuring an organization’s data integrity.
Neither data security nor data protection is enough on its own; each company must have a comprehensive plan in place for both to ensure that data is neither lost nor accessed by the wrong people.
So, what exactly is the difference between data security and protection, and how can they work together to safeguard company data? Let’s take a closer look.
What is data protection?
Data protection is a method of keeping records safe from loss, corruption, or compromise using backup copies. Each company sets a recovery point objective (RPO), to determine how often backups are created. This can vary from a few hours to several days, depending on the amount of information a company needs to protect.
If information is compromised, the data can be retrieved from the most recent backup with minimal data loss and redundant work.
The timeframe within which a company must restore the most recent backup after compromise is the recovery time objective (RTO). This is a metric that identifies how long a computer system, application, or network can be down before it disrupts business operations.
For example, if a particular application has a one-hour RTO, the interruption will disrupt normal operations and contribute to revenue loss after an hour of downtime.
Mission-critical applications, such as transactional or financial services, will have the lowest RTO because they correlate directly to lost revenue.
Systems that are used infrequently or whose downtime will not disrupt day-to-day operations will have a longer RTO. For example, while an offline printer is inconvenient, it won’t incur the same level of financial loss as a financial service outage or disrupted email access.
What is data security?
Data security, on the other hand, focuses on confidentiality, availability, and integrity. The goal is to ensure that no unauthorized users gain access to or distribute confidential information. There are several data security methods a company can use to ensure that its information is safe.
One of the most common data security measures is encryption. Encryption essentially puts a company’s data into a coded format, allowing only authorized users to view the decoded information. A security algorithm, or key, is used to encrypt data, creating ciphertext.
In symmetrical encryption, the same key is then used by an approved party to decrypt the data into plaintext. In asymmetrical encryption, a different key is used to decrypt, creating an additional layer of security against would-be hackers.
Another example of data security is multi-factor authentication (MFA). Typically, this method requires a standard username and password setup, but with an additional layer of identity verification.
This might be in the form of sending a randomly generated code to a user’s personal cell phone or email address, which in theory should not be accessible to anyone but the intended user.
What are three common data security mistakes organizations make?
Poor access control, negligence, and other human error factors all contribute to data security risks. As varied as individual companies may be, they often make similar errors when it comes to data protection and security.
These errors can lead to hundreds of millions of dollars lost for a business along with heavy personal and financial consequences for the individuals affected. Let’s take a closer look at three of the most common data- security mistakes.
1. Not backing up data properly—or at all
Believe it or not, there are companies out there that do not duplicate their data for backup and have no data security policy at all. In 2018, a study found that 77% of business leaders surveyed did not have a consistent plan for cybersecurity.
Those companies that do have plans often find that they aren’t thorough or efficient enough, which allows threats to slip through the cracks. It is important to back up data often and completely to ensure easy recovery and minimal downtime for the business.
Some companies don’t consider all the factors when backing up their data. For example, simply having a server where data is stored is not enough. If that server is on the same property as the business, anyone with access to the grounds has some level of access to the data reserves, and if a fire or other site-wide disaster occurs, all the data can be lost.
Backing up data offsite or in the cloud is ideal, but that can require a large amount of bandwidth, especially for companies that deal with significant amounts of data. It is also important to vet the company entrusted with keeping your data safe.
In 2017, for example, voter information was compromised when a third-party security company accidentally stored names, addresses, political opinions, and more on a public server for nearly two weeks.
2. Not updating permissions as the company grows and changes
Data security management is key when keeping up with a fast-paced business. In the beginning, a smaller business might purchase or even build custom solutions for its data security needs.
The idea is to save money by building security features that are useful to the company in its current state, but this approach does not allow these measures to grow with the company.
Additionally, if a team member changes roles or leaves the company, it is important to restrict access to unnecessary server information immediately.
This cuts down on the potential for unauthorized access, either by that person or someone outside the corporation. The fewer people with access, the easier it is to track violations and risks.
According to ID Watchdog, 60% of data breaches are caused by insiders—people who either work directly for a company or are involved via contracting, partnerships, or client relationships.
Although not all these attacks were malicious at their onset (some were caused by well-meaning employees who were tricked), companies should try to monitor who has access to what information, and keep it updated based on the minimum level of access necessary for team members to perform their duties.
3. Using data security services that do not meet industry standards
While it may seem like a great, low-cost idea to have in-house developers design and implement a cyber security plan, such an important security feature should be thoroughly examined to ensure compliance with today’s data- security standards.
In 2002, the Federal Information Security Management Act was enacted, making it mandatory for federal agencies and their affiliates to have a data security plan that supports confidentiality, integrity, and availability of information.
In 2014, the act was updated and renamed the Federal Information Security Modernization Act (FISMA), streamlining the required security efforts.
In relation to FISMA, Federal Information Processing Standards (FIPS) were created. FIPS outline exactly what federal agencies must do to protect their data effectively. These regulations address cryptographic modules, hash algorithms, digital signatures, employee identification, and more.
There are specific regulations concerning access to healthcare information, outlined in Title II of the Health Insurance Portability and Accountability Act (HIPAA). These rules involve privacy, transactions and code sets, security, unique identifiers, and enforcement.
The US Department of Defense (DoD) also has its own set of regulations called the Defense Federal Acquisition Regulation Supplement (DFARS), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework was created for critical infrastructure organizations, although it is adopted widely by noncritical entities.
While these rules and regulations were created for specific, high-level organizations, private businesses can benefit from following the same outline.
For example, one FIPS requirement states that companies must “identify, report, and correct … flaws within a timely manner.”
When Equifax failed to respond to a data concern in March of 2017, personal details of over 140 million people were leaked in an ongoing, months-long breach.
How WinZip Enterprise helps companies avoid common data security mistakes
WinZip has been a long-trusted name in personal data compression and transfer, but WinZip® Enterprise offers additional features, such as file-level encryption and protection of data at rest and in transit.
Encrypting at the file level provides an added layer of security, and the tried-and-true process WinZip Enterprise uses for zipping, sending, and unzipping data makes large transfers and frequent backups a breeze.
WinZip Enterprise also complies with all high-level security and encryption regulations, providing bank- and military-grade protection such as FIPS 140-2 validated encryption compliance (trusted for the DFARS) and FIPS 197.
The solution is fully customizable for IT administrators, so each business can select which features are applicable to its unique needs (e.g., which applications employees can use to send and share files), with custom billing plans to match.
Finally, WinZip Enterprise integrates with commonly used business applications, such as Google Drive, Microsoft 365, Microsoft Teams, and Dropbox, to make it easy for end users to collaborate safely and securely.
In today’s world of remote and mobile, distributed teams, it’s more important than ever to have a comprehensive security solution that secures your data regardless of where it’s stored or shared.