Human error is the weakest link leading to data breaches. Since 2013, according to Data Breach Statistics, over 9 billion data records have been lost or stolen. According to recent data from Gartner, over 60 percent of privacy failures occur because of employee errors. Organizations need to educate their teams on the best security practices.
“Understanding that people are often the weakest link, you have to assume there will be a security mishap,” said Tom Thomassen, senior staff engineer of security at enterprise database MarkLogic. “Whether a laptop is stolen, an employee has malicious intent, or a hacker gains access to a system, that shouldn’t mean data is left unprotected.” Even employees who have no malicious intent but are careless in how they handle data can open the door to data loss.
With companies such as Yahoo and Equifax having suffered data breaches and hacked accounts, it is important to identify secure practices and build them into the company’s engineering process.
“The best way to improve the security mindset of a team is to make sure everyone goes through security training and understands the benefits as well as the impact on customers,” said Thomassen. “It’s important to develop a security framework that the engineering team can use to build security into the product from the ground up.”
Companies can learn from previous data breaches by following proper steps to keep their data safe, such as advanced encryption, redaction, element-level security, and data governance, according to Thomassen. “This helps ensure that people only have access to the data they need, when they need it,” he said. “Ensure that you have good key management: frequent key rotation, separation of duties for the management of keys, and so on.”
Advanced encryption and redaction allow organizations to share information with confidence by limiting access to data by role or removing sensitive data inside a document. “With proper authentication, different users will see more or less data within a document depending on their permissions,” said Thomassen.
Element-level security allows a company to define fine-grained security rules on particular elements in a document. For example, parts of a document may be withheld from certain users because they lack the authority or permission to view those parts. “This allows companies to protect sensitive information, like PII, from different users (based on access levels) for queries, updates, regulatory reports, etc.,” said Thomassen.
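As an added illustration (not MarkLogic’s code or API), the snippet below sketches an element-level read policy with role-based redaction and applies it consistently to document views, queries and updates, so a user cannot probe a hidden element through a search they are not allowed to see; the document, roles and policy are constructed for the example.

```python
# Constructed sample record (not from the article): a customer document containing PII.
DOCUMENT = {
    "customer_id": "C-1001",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "order_total": 249.99,
}

# Element-level policy: roles permitted to read each element.
# Elements that are not listed are visible to every authenticated user.
READ_POLICY = {
    "ssn": {"compliance"},
    "email": {"support", "compliance"},
}

# Redaction rules: how a denied element is shown instead of being dropped.
def mask_ssn(value):
    return "***-**-" + value[-4:]

REDACTORS = {"ssn": mask_ssn}


def view_for_roles(doc, roles, redact=True):
    """Return the document as a user holding `roles` is allowed to see it."""
    result = {}
    for key, value in doc.items():
        allowed = READ_POLICY.get(key)
        if allowed is None or roles & allowed:
            result[key] = value            # permitted: element passes through unchanged
        elif redact and key in REDACTORS:
            result[key] = REDACTORS[key](value)  # denied: show the redacted form
        # otherwise the element is omitted from the view entirely
    return result


def can_update(key, roles):
    """Updates follow the same element policy: you may only change what you may read."""
    allowed = READ_POLICY.get(key)
    return allowed is None or bool(roles & allowed)


def search(docs, roles, field, needle):
    """Evaluate a query against the caller's unredacted-or-omitted view, never the raw
    document, so hidden values cannot be discovered by guessing search terms."""
    hits = []
    for doc in docs:
        visible = view_for_roles(doc, roles, redact=False)
        if field in visible and str(needle) in str(visible[field]):
            hits.append(visible["customer_id"])
    return hits
```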
Data governance is the overall management of the data used in an enterprise. With proper management in place, it provides a set of procedures and plans to execute. “If you have a centralized data hub, this is much easier to track,” said Thomassen. “When dealing with hundreds of thousands of data points, exceptional data governance is critical, including metadata, data lineage and the ability for databases to examine data across different points in time.”