In a data science business, everything puts customer data at the heart, the majority of which is provided to a company by its clients. Loss of confidentiality, integrity, or availability (CIA) of that data could have a significant impact on the ability to operate the business.
Failure to sell new business, loss of current customers or a refusal to be custodians of customer data are all realistic possibilities in such circumstances. The massive loss of reputation as a result of a major breach is also a significant loss.
The risk is compounded by a general increase in cyber-attacks across the industry. The Federal Bureau of Investigation (FBI) continues to warn of exponential rises in ransomware affecting company operations. Furthermore, the Information Security Forum (ISF) warns that cyber criminals are evolving their attacks to target ‘trust’ between organisations, using a combination of techniques including ‘poisoning’ a company’s data.
Any customer data science or customer data-centric organisation should have a systematic step-by-step approach to tackle the ever-growing IT security challenges.
Step 1: Assessment Of Current State & Target Security Maturity State
A good starting point would be to assess our security against a maturity model like NIST (National Institute of Standards and Technology). The following is an example of a Current vs. Target state at the end of an assessment:
This assessment, in conjunction with a progressive transformation programme, could help improve the overall maturity of the security system in order to better support the business.
Step 2: Understanding The Threats Landscape
There are six generic threat categories an organisation should be up against. These comprehensively cover the main areas that must be mitigated to reduce the risk of data and data-science-centric business.
Step 3: Current & Future Threat Profiling
Two levels of detailed threat profiling should be considered while preparing an organisation for a specific defence.
- A Current & Detailed Threat Profile: Current, detailed, threats consider threat actors (types of individuals or groups that might seek to do harm to business) that may be relevant to data business.
- Future Threat Profile: Threat profiling for the future is difficult to achieve with any certainty but the ISF does publish a 3-year threat horizon each year. This outlines key threats and themes, based on feedback from their membership base of over 10,000 global companies.
Step 4: Creating Defences Through A Layered Defence Model
Once we’ve identified threat profiles, we can consider implementing IT controls defined within a layered defence model against each high-level threat. The following is a prioritised control list for a typical data science organisation (where we should be concentrating our efforts first).
Step 5: Addressing IT Security Challenges
Implementing Access Filtering
Key risks addressed in this category to limit internet access are as follows:
- Data Security Compliance: Data Science firms that are responsible for sensitive data such as personal health information (PHI) or other forms will use internet-blocking tools to prevent employees from maliciously or negligently leaking data
- Network & Endpoint Security: Will prevent users from accessing malicious websites that are known to contain malware. This acts as an internet filter that provides critical security controls for protecting sensitive data
- Productivity Management: Content filters are used to block access to distracting websites and computer applications such as social media sites, computer games, and video streaming services
Implementing Email Security
Email is a primary weapon for spreading ransomware, an advanced threat that can affect multiple endpoints and steal sensitive data. Therefore, an email protection plan needs to include the following best practices to protect email traffic in real-time.
- Spam Filter: Detect spam and keep it away from either hitting your inbox or filing it as junk mail
- Email Encryption: Disguise corporate email by changing communications into a garbled arrangement of letters, numbers, and symbols that someone who intercepts cannot read
- Antivirus Protection: Screen emails and attachments for viruses, providing the user with warnings if anything suspicious is detected
- Secure Email Gateway (SEG): Filter out potentially dangerous emails according to the settings of an IT administrator
- Employee Education: Educating employees to recognise social engineering, phishing, and other types of attacks
Implementing Vulnerability Management
An external vulnerability scan ensures that your external firewalls are impenetrable while an internal scan searches the interior network to ensure that the computers within your network are secured properly.
- Regulatory Compliance: There are many requirements for businesses to keep their client data safe from external threats including GLBA, HIPPA and PCI, among others
- Update Software Or Change Network: Every time you change the configuration of your network, install new software or hardware, your network is exposed to external risks without your awareness
Implementing Data Governance
- Classify Sensitive Data: To effectively manage access to your most sensitive data, you need to know where that data is stored and classify them based on the sensitivity
- Assign Access Controls: Once you’ve completed your risk assessment, assign access controls to each user, based on their role within the company
- Analyse User Behaviour: It’s important to monitor user behaviour and ensure that your policies are being followed. What are your most privileged users doing with the data they access? Are they copying, modifying, or deleting files containing sensitive information?
- Review Access and Compliance Requirements: Review your data access governance plan regularly to ensure that your policies are logical and effective
Implementing Multi-Factor Authentication (MFA)
The goal of MFA is to create a layered defence that makes it more difficult for an unauthorised person to access a target, such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still faces at least one or more barriers to breach.
MFA works by combining two or more factors from these categories:
- Knowledge Factor: This requires the user to answer a personal security question
- Possession Factor: Users must have something specific in their possession to log in, such as a badge, token, key fob, or phone subscriber identity module (SIM) card
- Inherence Factor: Any biological traits, for example, biometric verification methods