Data security is all about keeping your data safe no matter where it is or how it's stored
Data security is based on the CIA principals of Confidentiality (keep it secret), Integrity(make sure it's accurate) and Availability (it's there when you need it)
Data security covers the data as it's collected, processed, and saved, it also includes all backups of the data
Data security should also include processes to check in with the data to make sure it's as safe as you think it is
Data security is about how we make sure our data is protected from unauthorized access, people using or sharing our data
For example, data security might talk about encrypting our data as it's stored, or making sure our important data is as safe as possible from threats like black hat hackers
Data privacy is more about who can and should control who can see our data
For example, data privacy might talk about who should be able to see our data, delete our data, and the right to be "forgotten" online
This can be where we might talk about an individual's right to their own data and personal information
You can have data security (encryption of data) without Privacy (Data can be shared at the company's will, not yours)
You can't have data privacy without security, because the security is part of how we can keep information private
Why Data security is important
There are laws and regulations in a lot of places that require data security, so companies should want to follow those
Data can be stolen if it's not protected, even seemingly inconsequential data can be valuable to the right person in the right scenario
Some data can be extra valuable such as credit card numbers, social security numbers, or bank account info
Even things like email and social media accounts can be valuable
Most things are connected to the internet in some way, it's impossible to be a part of modern society without it, losing access to even something like email can topple your access
Why companies don't like Data Security
Companies don't enjoy spending money, stringent laws (such as GDPR) can carry heavy fines if they aren't followed, and they can be expensive to follow properly
Companies like to collect more data then needed "just in case" so they can use or sell it to the highest bidder, having to take care of that data is more expensive then storing it
Data security and data privacy laws can limit how data is used and sold which takes away income
Data privacy can be a more nebulous concept because what one person considers private or important to keep private might not be another's, data security is easier to agree on for standards
Some examples of Data Security gone wrong
Any data breach is data security gone wrong, it's impossible to be perfect, but some mistakes are so silly the company should be embarrassed
LogicMonitor a data security company had multiple customers breached because poor passwords were given and used without requiring the password to be changed, and also assigned as the admin so there were accounts with FULL access to systems with a username of "admin" and a password of "Welcome@123"
Cyber "hygiene" such as strong passwords, updates, using MFA, and being cautious of what links you click and websites you visit are common suggestions for people and companies
Data security is entwined with cybersecurity because data is digital now, and almost everyone and everything is connected to the internet
NIST is a framework for cyber security, run by the US government, but works a lot with educators and researchers to keep up to date, this particular example is about voting, but they do standards for all security best practices
Reputable sources for more info, and trendsetters in Data Security
Government sites are a good place to start, see who they reference and where they direct, sites can be identified by the .gov top level domain (NIST and CISA are good places to start)
Try non-profits first, they can be identified by .org as their top level domain, they are likely to be less biased or trying to sell you anything (EFF is a nice place to start)
Both have the downside that because they aren't trying to get a profit, they might not have the money to fund research or update as frequently as you want
Research papers written by researchers and published in reputable journals can be good too, but have the downside of being complex topics, and potentially out of touch with industry
Well known conferences such as RSA and Black Hat should have requirements for speakers so they can be good places to look for info that has been vetted by experts in the industry
Companies can have good resources, but look for "white papers", informational reports to help you understand ideas better, but be warned they might have an agenda
Big companies are more profitable targets with larger weak spots
Facebook or TikTok might have lots of places for data to be stolen, but it's unlikely their entire userbase will abandon them for it no matter how bad the issue is
Small companies might go under the radar, but a hit will do more damage
Local company might have worse practices such as storing plain text data because they don't have the resources to protect it, but if word gets out in a community that a business made poor choices it can sink faster
Big companies have the capacity to collect, store and process more data
Smaller companies likely have less resources to spend on protecting what they do have, or the ability to hire someone to help them (security professionals are both hard to find and expensive)
Top Threats to data security
User Apathy, it can be tough to convince someone why they shouldn't share their personal data, and systems are setup to get you to share as much as possible
How often are you asked for a phone number?
Did you know you don't have to share it and can use loyalty cards or membership access in other ways?
If you pay bills how often are you identified by your social?
Poor credential management, shared logins, weak passwords, poorly secured machines are all issues for keeping your data safe at companies of all sizes
Plus all the traditional security threats of hackers, poor cyber hygiene and social engineering
Keeping data safe is part of the battle, but making sure that you have access to the data you keep is another
Backups are how we can make sure our data won't be lost
Backups need to have the same protections as our original data
Backups need to be checked to ensure they are actually working the way we think they are
Backups need backups, you never know what's going to fail and should have contingency plans in place
Think of the value of the data, and the work that could be lost if you lose access to your data
How data erasure isn't what you think
How Windows "erases" files
They don't! Mostly what happens is the file is marked as "not used" space and the pointer to the location of the file is taken away from view, then it looks "gone" to the user, but is still there and easily accessible to common and free software
That's why it's so easy to "recover" files in windows, they weren't lost to begin with
A full data wipe of a Hard Drive (HD) can be anything from a factory reset, to magnets flipping bits, to data being overwritten. The type of wipe changes how easy it is to restore data or if it's even possible
To wipe data for realsies you need to not just erase things, you have to write over where the info was, there is an echo of the data because of how hard drives work and overwriting the data can mix up the echo
Most hardware has some kind of data on it, from printers, to routers, to photocopiers, each of these would need to be taken care of or your data goes out to the world
Your data should be yours to choose who you share it with and why
Some people have risks you don't, and their data can make them vulnerable (such as selling location of your phone, not everyone is safe and tracking can be a problem)
Your data can be used to manipulate you in big and small ways, think of scrolling online, or being talking into something you didn't think you needed/wanted, these dark patterns are common