In this post, we will discuss Control Three, Data Protection and while our focus is on Electric Membership Cooperatives (EMCs), this control applies to every organization of every size and discipline. The Importance of Data Protection — this is a big one. Traditionally, organizations have stored data on their own servers in-house, out of convenience, necessity, or because that is how their managed IT partner designed the network. In addition, employees use the convenience of external memory devices to be able to take work with them to their homes, to coffee shops, to clients’ offices, etc. These habits mean that data lives locally, somewhat controlled, and in some cases, in cloud-based environments for productivity and business operations. What we described, seems normal, right?
Under this scenario, if you think about data management, it seems that a couple policies would be enough to care for and maintain the data. However, in the last couple years, cyber-criminal activity has grown exponentially and is now a multi-billion-dollar enterprise, annually. Combine the increased threat activity with a global pandemic, and what seemed to be normal policies and procedures no longer suffice. The pandemic alone did something organizations could never have expected or prepared for. Our data began to live everywhere. Nearly ninety percent of our workforce suddenly was working from home. Cross contamination of workplace information with personal information was, and in some cases still is rampant. Rather than using a Virtual Private Network to securely access network environments, data flowed from work email to personal email and back again to do business. As a cybersecurity organization, it is extremely difficult to track data, when it cannot be determined where all of it is living and there are minimal policies and procedures being followed. Not everyone has returned to the office, some organizations have decided working remote is “the future workplace environment and it is here to stay.”
Let us assume this is the case for the foreseeable future. Control Three becomes perhaps one of the most important practices for EMCs and organizations of all sizes to implement and follow as a standard operating procedure going forward. Portions of our workforce are remote, our business solutions have also moved into a variety of workspaces such as cloud-based productivity and storage solutions like Microsoft, Google, Amazon, and more. We have productivity software and environments used solely for data storage, on and off premise, all designed to save money and make our workforce and business operations more efficient. The result is that data now intentionally lives everywhere. How do we control it, how do we protect it, and manage it, then dispose of it when necessary? We will cover these questions with the following steps as they outline how EMCs and other organizations can implement this control and put processes and procedures in place to protect their data.
The following bullet point safeguards are recommended for Data Protection:
- Establish and Maintain a Data Management Process
- Establish and Maintain a Data Inventory
- Configure Data Access Control Limits
- Enforce Data Retention
- Securely Dispose of Data
- Encrypt Data on End-User Devices
- Establish and Maintain a Data Classification Scheme
- Document Data Flows
- Encrypt Data on Removable Media
- Encrypt Sensitive Data in Transit
- Encrypt Sensitive Data at Rest
- Segment Data Processing and Storage Based on Sensitivity
- Deploy a Data Loss Prevention Solution
- Log Sensitive Data Access
Putting these safeguards in place is the industry’s best practice for keeping data safe, tracking it, and maintaining it, until end of life. It is an excellent practice for organizations to have third party vendors assist with Information Technology and Cybersecurity expertise. These services should always be provided by separate resources, where they can partner together and provide the best solutions for the overall benefit of the host organization. From a cyber security perspective, a managed security platform and detection and response solution that can monitor network traffic going in and out and across your environment as well as your cloud-based productivity solutions, would provide the assurance you have done everything you can to keep your data safe. It is the best that can be done to protect the data and all the assets that make up the infrastructure, including the two most important assets: your revenue and most importantly, your people.
For more information on these best practices, please contact us by email at: sales@criticalpathsecurity.com or use our "Contact Us" form.