365 days a year: solutions, knowledge and networking.
Find and offer innovative IT security solutions, take part in our diverse action program and make and maintain contacts.
Become part of the it-sa 365 community!
So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.
So that you can make an onsite appointment, the appointment request will open in a new tab.
2. Data protection and data security - two different things!
3. Data security breach: where does the danger lurk?
4. How to implement data security in the company
5. Industry 4.0: what role does data security play in networked production?
What is data security? This is a question that many industries, governments and private individuals are currently dealing with. Data security is a component of information security. The latter describes measures that are intended to protect all forms of data and information: digital as well as analogue.
Data security is about measures or strategies or software that specifically serve to protect digitally stored data. This can be personal information or sensitive company data such as intellectual property, company infrastructures, financial and payment data. For cybercriminals, these resources represent a valuable asset. Thus, one of the highest priorities is data security. Targets are: Protect governments, entrepreneurs and private individuals from economic damage as well as from loss of image and trust.
Hackers or cyber criminals cause damage in many ways with stolen data:
The consequences for victims are often devastating. They are forced to identify and re-secure compromised data and accounts. Unauthorised purchases must be reversed and credit cards exchanged.
Companies may also incur costs for lawyers, fines, demands for repayment from customers. The study "Cost of a Data Breach" by IMB Deutschland GmbH shows how high these costs can be. The damage to a company's image has long-term consequences: depending on how public and extensive the data loss is, future potential customers will think twice before passing on sensitive information to the company in question. Job losses of responsible employees and costly personnel restructuring are further possible scenarios.
Strategies, technologies and measures for data security in the company should therefore be an essential part of any business strategy. This applies to already established companies as well as to small start-ups or medium-sized companies. In many cases, smaller companies in particular cannot afford losses of this kind and must therefore prioritise data security.
Many people are not familiar with the difference between data protection and data security. Although there are overlaps in content, both terms should be differentiated from each other. Data protection and data security are both aspects of information security whose protection goals include confidentiality, integrity and availability. Data protection focuses only on protective measures for personal data. According to Art. 4 GDPR, this includes "...any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". Data security, on the other hand, includes all types of data beyond personal data. Data protection is therefore a part of data security.
Data loss and data theft therefore have far-reaching consequences.
That is why the greatest caution is required even for the smallest details. Basically, there are two main weak points that lead to data leaks:
New technologies in particular have more and more connection points to the internet. This means that there are more opportunities for criminals to attack. This does not only mean computers, smartphones or tablets. Modern, often inadequately secured IoT devices in particular are an easy target for cybercriminals. Smart hackers can gain access to the entire network relatively easily. Even if all systems are sufficiently or even well secured on the technical level, humans remain an insecurity factor. Data leaks occur due to carelessness or because users of a computer system or network do not apply a sufficient security strategy. It occasionally happens that a work colleague or a visitor gets an unauthorised view of a monitor or access to important areas. Typically, in such a case, data is not disclosed to third parties. However, data security is still violated in the strict sense by such incidents. However, employees, former employees, business partners or other insiders with access to the system can also use these views for malicious purposes.
Stolen or lost end devices that are not sufficiently encrypted are also a source of danger.
Also read the white paper: Avoiding the 5 most common data security problems.
Cybercriminals use different attack strategies to obtain personal and non-personal data:
Data security should be a top priority in all businesses. It requires time, work and often financial investment. However, the effort is much cheaper and less labour-intensive than the damage mitigation that entrepreneurs have to do after a data leak. The following procedures on the technical, human and organisational level protect data against attacks from outside as well as inside.
Vague security measures do not help effectively against data theft or loss in the long run. Data security in the company must include clearly defined security strategies. These should be as detailed and comprehensive as possible so that every employee and manager knows what to do. Mitigation strategies are essential if a data leak occurs despite all security precautions. In addition, companies must always update their practices. Only then will they be able to ward off new threats.
Adequate protection against malware is one of the cornerstones of any data protection strategy. This includes high-quality malware scanners that regularly check the computers of a company network. They detect suspicious programmes and delete them if necessary. In addition, they block other malware from entering a system in the first place. A firewall additionally monitors the data exchange of a computer or a network.
In general, however, employees should always be careful, avoid suspicious websites and do not click on links in e-mails whose source they do not know. In addition, they should not download software from dubious manufacturers onto their computers.
The company's internal WLAN network should always be well encrypted. This means that the default passwords from the provider must be exchanged for a password that is not easy to guess.
And even a complex WLAN password needs an effective encryption method. Companies should opt for the sufficiently secure WPA2 method (sometimes found under WPA2-Personal or WPA2-PSK). With some providers, even the even more secure WPA3 encryption can be found.
Regular firmware updates also ensure that security gaps are closed. If unusual activities actually occur within a network, the router log can be checked. It records all network activities. It is also worth activating the firewall of a router. Modern devices are now equipped with this as standard.
Computer users are often too lax when it comes to password creation. However, with the amount of tools, accounts, networks and end devices that require strong encryption, this is no wonder.
Nevertheless, complex passwords are important before protecting against data theft. They should contain at least 8 characters, consisting of letters, special characters and numbers. Dates of birth (including the combination of several dates of birth), pet names or similar are strongly discouraged.
Password managers are useful for generating random character combinations and saving them. Users then do not have to re-enter them every time. There are numerous reputable providers that companies can trust if they do not have their own password manager on their computers.
Within a company, there should also be strict security regulations for personal end devices and data carriers such as laptops, tablets or smartphones. These policies include clear guidelines on topics such as data deletion, location tracking or internet monitoring.
Vulnerabilities in operating systems, software or apps cannot be avoided. However, tech companies usually react quickly to security gaps and offer updates with corresponding patches so that hackers cannot exploit them.
End users, however, have to install these updates immediately. This should be done automatically and in the background so that the update does not disrupt the normal workflow.
Employees or former employees can pose a threat to corporate data security. Industrial espionage happens everywhere and employees or supposed business partners occasionally have malicious intentions. Companies must therefore thoroughly check the backgrounds of their applicants. Suspicious behaviour among existing staff should be closely monitored by supervisors.
Old or broken devices are often disposed of without the former users giving much thought to the data they contain. Even when an operating system is reinstalled or hard drives are formatted, information is not gone forever.
Cybercriminals can recover sensitive data with easily accessible tools.
Entrepreneurs must use tools themselves or hire IT service providers who overwrite the relevant files several times so that they can no longer be reconstructed.
Corporate data can also be secured with cloud service providers. These providers must ensure an effective security concept, if only to remain competitive and able to do business. They can devote the time and manpower to data security that is often not available to a small and medium-sized enterprise.
But beware: the company that contracts the cloud service is still responsible for customer data and the like. It is at least partly to blame if there is a data leak at the cloud provider and customer data is stolen.
By the way, good old tape has been experiencing an unexpected revival as a mass storage medium since 2016. But can Air Gap in backup really only be achieved with tapes? Click here for the fact check!
Regular training on the topic of data security is helpful. Measures must become second nature to a company from the management to the lowest employee level. Only in this way will they be effective.
On the one hand, the staff must understand these strategies on an intellectual level and have the skills to implement them. In order to measure the extent to which employees are aware of the scope of their own security responsibilities and act accordingly, IT-Seal GmbH has developed the Employee Security Index. On the other hand, an awareness or a corporate culture should emerge that emphasises the importance of a data security concept: it is about the well-being of the customers, the company and ultimately each individual employee.
Two- or multi-factor authentication should establish itself as a standard in every company. Here, logging in, for example to a network, is not only done via the user name and password. Several additional authentication features are added.
These can be, for example, an ATM card or a code that the user receives via a smartphone app or via SMS. Biometric features in the form of a scan of the iris, the face or voice recognition for authentication can also be set up. This whitepaper explains what is important when selecting the second factor and how the interaction with Customer Identity & Access Management works.
A study by LastPass/IDG also shows interesting insights into identity and access strategies of IT decision-makers in the "new normal" of remote work.
To recover stolen, lost, destroyed data or data taken hostage by ransomware more quickly, regular backups are helpful. However, entrepreneurs should be aware that data thieves can still pass on or publish information.
Even within a company, data security is strict at best. This means that not every individual may have access to sensitive data. Companies can stipulate that, for example, two people need two different passwords to access a certain data set. This prevents a single employee from misusing important data.
Each user of a corporate network should only be given the permissions for the data resources that are needed for the respective work. With a time-limited authorisation, no one can access a system without authorisation after the work has been shared.
Shops or companies also often receive visitors, work with external employees and freelancers or enter into business partnerships.
For all these cases, there should be safeguards in place so that temporary employment or visits do not become a security risk.
Anyone who monitors, logs and regularly evaluates the data traffic of a network can detect suspicious activities more quickly.
Security technologies and data security measures should be reviewed regularly. For example, there are many solutions on the market worth comparing - including software from Safetica Technologies, Thales or Matrix42.With a solution tailored to the company's needs, gaps can be identified and closed before cybercriminals exploit them. For best practices on how companies can implement data loss prevention (DLP) tools, see this whitepaper.
Industry 4.0 is without question the next evolutionary step in production. It makes a decisive contribution to increased flexibility in logistics and efficiency in production. However, with progressive networking of machines, services and systems as well as the complete digitalisation of the value chain, new loopholes are emerging - gaps through which hackers can obtain or manipulate valuable data. Especially since the corresponding systems produce huge amounts of data from factories, suppliers, production designers, clients and customers. The implementation of firewalls, anti-malware software and monitoring systems is almost no longer sufficient at this point. The various challenges that come with these technological advances in the industry are great:
In the competitive industrial landscape, the incentive for industrial espionage among competitors is particularly high. And emerging groups of organised cybercriminals also see an ever greater incentive in attacking these types of systems.
The boundaries between the digital and physical worlds are becoming blurred, especially within Industry 4.0, where not only data but also machinery and personal damage can occur. This is why a forward-looking and not just reactive approach to data security is required, especially in this sector of the economy. As with other companies, malware and especially ransomware cause a wide variety of problems that are, above all, very far-reaching.
To prevent this and even more catastrophic scenarios, companies need to engage a competent cyber and data security workforce as part of their cybersecurity strategy. The measures already mentioned are effective starting points to prevent the worst. In addition to software that averts corresponding cyberattacks and data leaks, Industry 4.0 also requires physical systems to protect people and machines from harm. Read here how the cognitix Threat Defender with its AI and data analytics functions protects increasingly linked IT and OT networks of Industry 4.0 from cyber attacks.
The data security measures already mentioned are a good start to warding off and containing threats. However, this area in particular needs more research to develop further preventive strategies and keep up with technological advances.
The trend towards home office leads, among other things, to more flexibility when it comes to working hours. In addition, work can be combined more easily with family life. From the perspective of data security, however, this change brings new challenges. There are, for example, online meeting providers who are not very careful about data protection, and IoT devices such as voice assistants are often not sufficiently protected. For problems like these, however, there are solutions that employees can implement:
In addition to the home office-specific measures, it is important to extend the data security strategies of a company already discussed to the home office. This is the only way to secure data across the board and prevent digital intrusions with data theft.
Security strategies to protect data can also fail. In this case, an existing concept for damage limitation is essential. The following procedures can help.
If a data leak or theft is discovered, those affected must react quickly. They should fix the responsible vulnerabilities immediately to prevent further data breaches. Depending on the severity of the data loss, experts and possibly even law enforcement agencies should be on hand to advise on how to proceed. Independent investigators, for example, can determine the source and cause of the leak and identify the affected systems.
It is best to disconnect infected devices from the network as soon as possible. However, this should only be done after the expert investigation so that evidence is not destroyed unawares.
If it has not been done before, data transfer should be monitored in all directions to discover any other possible data loopholes. Updating all passwords and credentials also belongs high on the priority list. Access for non-essential personnel may need to be further restricted.
In addition, keep an eye on all account activity, credit card charges and payment services. If unauthorised debits occur, they can be reversed. Freezing accounts or creating new accounts are worth considering.
A communication plan that can reach all affected parties is helpful at this point. This should include employees, customers, investors, business partners, etc. The company must honestly inform all affected parties about the incident.
Withholding important information will only lead to further damage to the company's image. Comprehensive and sincere communication work, on the other hand, calms and reduces the frustrations of all those affected.
This includes anticipating questions and criticism. It is important to provide customers, employees and business partners with guidance on how to proceed if they have been affected by a data leak.
A legal advisor for data protection and data security can advise across federal and state borders. Thus, the company can also adequately prepare for possible legal consequences.
