Data security as a strategic and integral axis of corporate cybersecurity

Iñigo Ladrón Morales

Data security, business continuity and resilience are fundamental aspects that must be treated as transversal, backbone axes of a company's corporate cybersecurity strategy.

Guaranteeing the security of information in (and of) companies is critical. The ever-growing volume of data being handled, and the dependence of that data on information technologies, mean that data protection must be a priority.

To achieve effective security, it is essential to understand and apply the five pillars of information security:

  1. Confidentiality.
  2. Integrity.
  3. Availability.
  4. Authenticity.
  5. Legality.
These pillars are essential to ensure that data is protected against failures and cyber threats, both internal and external.

Let's look in detail at each of the pillars of information security.

Confidentiality guarantees that data or information (of any type, but especially sensitive and private data) is kept protected from those who should not have access to it.

Moreover, beyond not being accessible to users without permission, such information should not even be visible to them (its existence should not be disclosed), which protects confidentiality and prevents information leaks and privacy violations.

There are many mechanisms to guarantee the confidentiality of data. Let's look at some of them so that measures can be taken in this regard:

  • Establishing layered access controls which, through a robust user authentication system and authorization segmented by information level, determine and enforce the permissions authorized users have over the available information, while denying access to those who should not have it.
  • Encrypting the information, at rest and in transit, so that it is not readable or intelligible to anyone who should not see it and who might intercept it at any stage, thus guaranteeing that even if someone could "access" it, they cannot understand or decipher it. Encryption only protects as well as its keys are managed: whoever holds the keys can read the data, so key storage, rotation and access must be controlled just as carefully.
  • Applying privacy policies that all company employees must understand and follow scrupulously, reinforcing the confidentiality of the information.
By implementing mechanisms like these (and others), we increase the level of protection of sensitive information in our organization, avoiding or minimizing as far as possible its degree of exposure to risks and threats.

This, in turn, results in a better corporate image and reputation, supports business objectives, favors regulatory compliance, avoids sanctions and increases the trust of clients, partners, collaborators, suppliers, etc.

Integrity of information means that the data has not been modified or altered in an unauthorized manner (whether intentionally or not) by a user or system, thus guaranteeing that it is accurate and reliable.

Among many others, some actions or mechanisms that protect the integrity of data are the following:

  • Using digital signatures, through which it can be verified that the signed information is the original and has not undergone any modification since it was created and/or stored and signed. Note that a plain checksum only detects accidental corruption: anyone able to alter the data can also recompute an unkeyed hash, so detecting deliberate tampering requires a keyed MAC or an asymmetric signature whose secret the attacker does not hold.
  • Establishing a version control system that allows close tracking of every change the information undergoes during its life cycle, so that each version and the changes associated with it (and when they were made) can be analyzed and, as with software, earlier versions of the information can be restored.
  • Carrying out data audits to consolidate the existing information, detect possible unauthorized changes to the data and maintain a record of the modifications made.
By applying mechanisms of this kind, we achieve a high level of reliability in the information (accurate, trustworthy data), which provides precision and confidence when analyzing it and making decisions.

This also provides an acceptable level of protection for the information, hindering attacks, or at least preventing an attacker who has already gained access to or stolen the information from taking advantage of it by modifying or altering it to achieve other objectives.

Availability consists of ensuring that data is always available and accessible when it is needed.

There are many mechanisms to ensure that information is available. Let's look at some of them:

  • Having backups that keep the information safe in versioned, secure copies, so that it can be restored to that state when necessary (system crash, damage or corruption of the information, improper modifications, theft or deletion of data, encryption of the information by ransomware, etc.). Against ransomware in particular, at least one copy should be kept offline or immutable so that the attacker cannot encrypt or delete the backups as well, and restores should be tested regularly rather than assumed to work.
  • Maintaining a data redundancy model in which the information is duplicated in two (or more) repositories, to avoid losing it and to guarantee business continuity in the event of interruptions and/or failures. Redundancy is not a substitute for backups: a replica faithfully copies deletions and ransomware encryption too.
  • Continuously monitoring the status of the data and alerting on possible problems with it.
As mentioned, these initiatives underpin business continuity, keeping the business running even in the event of an accident, a cyber incident or other difficult situations.

Authenticity of information guarantees that it comes from a trusted source, from whoever claims to have produced or sent it, and that it has not been forged along the way, thus preventing identity fraud.

Let's look at some of the possible mechanisms for strengthening the authenticity of information:

  • Implementing robust authentication methods that allow us to identify users and their privileges: strong passwords, profiles, configurations, roles, two-factor (2FA) and multi-factor (MFA) authentication, biometrics, SMS codes, etc. SMS is the weakest of these second factors, since it is exposed to SIM swapping and interception; app-based or hardware-token factors are preferable where possible.
  • Using electronic signatures that corroborate the authenticity of documents, of the data and information they contain, and of the transactions carried out with that information.
  • Maintaining an event log that records all activity related to each data set and its "movements", so that it is always possible to know who has accessed it and what changes they have made.
In this way we protect ourselves from cyber fraud, thwarting attacks in which data is forged or in which cybercriminals commit identity fraud, posing as legitimate users to achieve their objectives. This also helps us protect the image, identity and brand of our company against impersonation.
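As an added example (not code from the original post), the following Python script shows the integrity and authenticity checks described in the two previous sections in working form. It stores a record in an envelope carrying both an unkeyed SHA-256 checksum and a keyed HMAC-SHA256 tag that also covers who produced the record, then shows that an attacker with write access can silently "fix up" the checksum after tampering but cannot forge the tag without the key, and that changing the claimed origin is detected as well. The HMAC stands in for the asymmetric digital/electronic signature the text describes (a real deployment would typically use a signature scheme such as Ed25519 via a crypto library so that verifiers do not need the signing secret); the record format, key, signer name and sample values are all constructed for illustration.

```python
"""Integrity and authenticity of a stored record: checksum vs keyed MAC.

Added example, not code from the original post. It contrasts an unkeyed
SHA-256 checksum (which only catches accidental corruption) with a keyed
HMAC-SHA256 tag (which also detects deliberate tampering by anyone who
does not hold the key). The HMAC stands in for the digital/electronic
signature the text describes. Record format, key, signer name and values
are all constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed secret for the demo. In production this would live in a
# secrets manager or HSM, never in source code.
MAC_KEY = secrets.token_bytes(32)


def canonical(obj) -> bytes:
    """Deterministic serialisation: same content must always yield the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(obj) -> str:
    """Unkeyed SHA-256 over the canonical bytes."""
    return hashlib.sha256(canonical(obj)).hexdigest()


def mac_tag(obj, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the canonical bytes (the 'signature')."""
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def store(record: dict, signer: str, key: bytes = MAC_KEY) -> dict:
    """Envelope as it would be written to disk or a database.

    The MAC covers the payload *and* who produced it, so changing either
    the data or the claimed origin invalidates the tag (authenticity).
    """
    signed_part = {"data": record, "signer": signer}
    return {**signed_part, "sha256": checksum(record), "hmac": mac_tag(signed_part, key)}


def checksum_ok(envelope: dict) -> bool:
    """Detects accidental corruption only."""
    return checksum(envelope["data"]) == envelope["sha256"]


def mac_ok(envelope: dict, key: bytes = MAC_KEY) -> bool:
    """Detects corruption *and* tampering. Constant-time compare avoids timing leaks."""
    signed_part = {"data": envelope["data"], "signer": envelope["signer"]}
    return hmac.compare_digest(mac_tag(signed_part, key), envelope["hmac"])


def attacker_rewrites(envelope: dict, **changes) -> dict:
    """Model an insider or intruder with write access to the store.

    They know the algorithms and can recompute the unkeyed checksum, but
    without MAC_KEY they can only leave the old tag in place.
    """
    forged = dict(envelope["data"], **changes)
    return {**envelope, "data": forged, "sha256": checksum(forged)}


def demo() -> dict:
    # Constructed sample record: a payment instruction.
    record = {"invoice": 1042, "payee": "ACME S.L.",
              "iban": "ES00 0000 0000 0000 0000 0000", "amount": 1500.0}
    env = store(record, signer="billing-service")

    # Case 1: attacker redirects the payment and fixes up the checksum.
    forged = attacker_rewrites(env, iban="ES99 9999 9999 9999 9999 9999")
    # Case 2: a flipped digit in storage (no checksum update, no intent).
    corrupted = {**env, "data": dict(env["data"], amount=1500.1)}
    # Case 3: attacker keeps the data but claims a different origin.
    spoofed = {**env, "signer": "cfo-laptop"}

    return {
        "intact_checksum": checksum_ok(env),            # True
        "intact_mac": mac_ok(env),                      # True
        "forged_checksum": checksum_ok(forged),         # True  <- tampering undetected
        "forged_mac": mac_ok(forged),                   # False <- tampering detected
        "corrupted_checksum": checksum_ok(corrupted),   # False
        "corrupted_mac": mac_ok(corrupted),             # False
        "spoofed_signer_mac": mac_ok(spoofed),          # False <- origin claim detected
        "wrong_key_mac": mac_ok(env, secrets.token_bytes(32)),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The decisive line is `forged_checksum`: because the checksum is stored next to the data and needs no secret, an attacker who can change one can change the other, so a hash alone proves nothing about deliberate modification. The keyed tag fails for the forgery, the corruption and the spoofed origin alike, and `hmac.compare_digest` is used instead of `==` so that the comparison does not leak how many bytes of the tag matched.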

Legality refers to compliance with the existing laws, standards and regulations that apply to data management throughout its entire life cycle. In most cases these are mandatory and carry legal and financial sanctions in case of non-compliance.

Some possible mechanisms for complying with the law on privacy and data protection are the following:

  • Preparing for, and obtaining certification or a seal of compliance with, the applicable laws and regulations, such as the GDPR / RGPD (General Data Protection Regulation), the LOPD (Organic Data Protection Law, superseded in Spain by the LOPDGDD in 2018), the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights), HIPAA (the United States Health Insurance Portability and Accountability Act), etc., depending on which applies to us as a priority.
  • Carrying out frequent audits, both internal and external, that verify conformity and compliance with the data protection and privacy laws and regulations that apply to us.
  • Managing documentation that demonstrates compliance with the laws, rules and regulations in this area.
With this we achieve, first of all, the protection of the information by applying standardized measures, but we also avoid sanctions and fines for non-conformities and breaches. Likewise, this contributes to a good corporate image and to trust in the company.

As we can see, guaranteeing the security of information, of data, is far from trivial; it carries its own complexity, especially when linked to the concept of business continuity.

Both are closely related elements, and we could even say they are indivisible. A solid cybersecurity strategy must include both pieces to ensure that the company can withstand and recover from cyber incidents (what we know as resilience or cyber resilience).

For this reason they must work together, in tandem, pursuing the same capabilities and activities to achieve common end objectives:

  • Threat protection, avoiding cyber incidents and cyber attacks that interrupt operations.
  • Legal compliance with the standards and regulations that require companies to protect data and to apply business continuity plans.
  • Maintaining operations, ensuring that the company can continue operating even after a cyber incident.
  • Immediate recovery, minimizing downtime and data loss in the event of a cyber incident.
  • Creating and applying business continuity plans that allow the company to keep operating in crisis situations.
  • Incident / cyber incident response, based on clearly defined and established procedures to apply in case of a cyber incident, with which data integrity is preserved and the operational impact minimized.
With all this it will be possible to meet the challenges of guaranteeing an acceptable level of operational resilience (data security + business continuity) and minimal interruption of business operations in adverse situations.

All companies face this landscape and these information protection challenges, whether they are micro, small, medium, large or huge corporations, although it affects each one differently and the solutions and regulations to be applied may vary between them.

Small companies can opt for simpler security solutions, may be subject to somewhat lighter obligations on some points of the regulations in this area, and can outsource certain functions for which they lack the capacity or resources.

Large companies will require more complex infrastructures and solutions, stricter regulatory compliance and qualified, specialized, professional teams, both internal and external.

Does your company need help with information protection and regulatory compliance? Find out about the services we offer at Zerolynx: Cybersecurity Services.

If you prefer, contact us and we'll talk.



