We are hearing a lot about cyber security these days, and for good reason. Major data breaches and security incidents are in the news on a regular basis. It seems that no organization or electronic device is safe from hackers and fraudsters. In response, companies and government agencies are ramping up security efforts. Cyber security is a broad category that involves many different processes and tools. Within cyber security is the practice of data security, the protection of the data that sits behind the firewall. While all elements of security are important, data security is (or should be) a high priority. After all, in most cases, it is data the hackers are after when they attack.

What is Data Security?

There is no single element that defines data security. Rather, it’s invariably a combination of practices, processes, policies and tools. The goal is always the same, though, and that is to protect data from theft, disruption or unauthorized access.

Some data security measures are directly tied to data. For example, encryption protects data by making it unreadable to anyone who doesn’t have the means to decrypt it. Other measures are indirect. Access controls, for instance, limit the number and type of users who have access to data. However, access controls protect more than just data.

The different kinds of data that must be protected

What kinds of data need to be protected? That depends on what the data your company stores. Not all of it deserves a high level of protection. Private personal data, though, and health care information, are high-risk types of data. Having such data breached results in legal liability and regulatory penalties.

General corporate data, like financial records, is also important to protect. After all, with ransomware, an attacker can paralyze an organization by locking up its essential operating data—even if that data is not super-secret or legally protected. Then, there is unstructured data, which exists in documents like PDFs. Unstructured data can be tricky to protect, partly because many companies have absolutely no idea what they actually have in their files. It’s also difficult to establish rules around data access for things like shared file drives and so forth.

Data security vs. cybersecurity

Data security is a subset of cybersecurity. A good cybersecurity program will include some data security countermeasures like encryption and access controls. Like any cyber security process, however, it’s necessary to weigh potential business impact against the costs of implementing data security countermeasures. It may turn out that you have to enforce data security policies selectively in order to get the best protection for the most sensitive data assets.

Data security countermeasures

There are a variety of countermeasures that achieve the objective of data security. In addition to encryption, one approach that’s gaining traction is known as the “Zero Trust” model of data security. As its name implies, zero trust means that no user is trusted for any reason at the outset of his or her access to a network. The user must request access to a particular data asset, which can then be granted or refused. Then, the system prevents the user from accessing any other data asset.

Though potentially cumbersome to administer, the advantage of the zero trust model is that it greatly reduces the risk that an attacker can get inside a network and then steal whatever data he or she comes across. Automation and Artificial Intelligence are making zero trust a practical tool for data security.

Automation is also being put to work securing unstructured data. Some vendors offer solutions that automatically scan thousands (even millions) of documents and use algorithms and rules to determine which of them contain sensitive information like home addresses and social security numbers. The solution then automatically restricts access to these documents.