security
Andrey Kozichev
Don’t Lose Trust: 10 Practical Ways to Protect Financial Data
A study by the British Chambers of Commerce found that 93% of businesses experiencing data loss for more than 10 days file for bankruptcy within a year, with 50% doing so immediately.
One of the worst things that can happen to a company handling financial data is a data breach. Whether it's a ransomware attack, a bug that wipes the production database, or an old-fashioned hard drive failure, the impact can be devastating. But what’s worse than losing your own data? Losing your customers' data. Beyond the immediate challenges, you could also face fines and lawsuits.
Building a centralised DataHub to consolidate data from platforms like Stripe, Xero, QuickBooks, Netsuite, ServiceNow etc. is the right approach to unlocking value from your data. However, everything comes at a cost. How do you ensure your data remains secure?
Previously, it was safely locked away in a database or with your SaaS provider, not being exported, replicated, copied, or displayed on the office screens.
Protecting your data and your customers' data throughout its lifecycle is a critical task that cannot be taken lightly.
Companies can face lawsuits, fines, significant reputational damage, and even go out of business when data is lost, exposed, or stolen.
Here are some top 10 practical ways to protect your Data:
Securing Authentication
Token-based authentication is the standard in modern SaaS. You can generate application passwords, tokens, or authorise connections using refresh tokens.
For systems lacking token-based authentication, like many databases, ensure passwords are generated on-the-fly and stored securely in vaults (e.g., Azure Key Vault, HashiCorp Vault).
Remember, you don't need to view the password - just ensure your application or pipeline knows where to retrieve it securely.
Strengthening the Human Element
Humans are the weakest link in security. Limit privileges and permissions using RBAC (Role-Based Access Control) and enable multi-factor authentication (MFA).
All user accounts should be protected with MFA - how many times does this need to be said? If you still haven’t set up MFA, you're living under a rock.
Additionally, protect end-user devices with up-to-date antivirus software and apply security best practices for managing them.
Secure Data in transit
Always use SSL for connections. The entire internet runs on HTTPS, and all SaaS providers support it. Hosted databases must also use SSL for connections. SSL serves two key purposes:
It establishes trust by ensuring the service you're connecting to is legitimate and not a fake.
It encrypts data in transit, so even if your traffic is routed through a compromised network, it would take centuries to break the encryption.
Encrypt Data at rest
This may be an old one, but it's still highly relevant. Make sure all the necessary checkboxes are ticked to ensure your data is securely encrypted.
Keep the Data only as long as you have to
Storing data without a clear purpose is an unnecessary liability. It increases the risk of leaks and potential fines. Retain data only as long as needed to save on infrastructure costs, stay compliant, and reduce your attack surface.
Backup Your Data
Ensure that you regularly back up your data. Test your backups to verify their reliability, and make sure they are securely stored and actively monitored.
Conduct Regular Assessments
Engage a penetration testing company to conduct a thorough security assessment. Cloud providers often provide free or low-cost wizards and advisors for initial security checks. However, consider an external health check if needed. Unlike penetration tests, health checks focus not only on perimeter security but also on best practices, configuration integrity, and overall security posture.
Protect PII Data
Consider GDPR regulations when handling Personally Identifiable Information (PII). Implement data masking techniques to protect sensitive information. If specific names or details are not necessary, avoid copying or storing them in their original form. Use anonymisation and obfuscation techniques to further secure the data.
Adopt Compliance Frameworks
Follow established compliance frameworks to ensure your practices meet regulatory standards. Examples include GDPR for data protection, HIPAA for healthcare information, PCI-DSS for payment card data, and ISO/IEC 27001 for information security management. Adhering to these frameworks helps you maintain robust security and regulatory compliance.
Data Governance
Enforce strong data governance practices. Implement a data catalog to gain valuable insights into your data - understand where it’s going, how it’s being used, and what it’s being consumed for.
Related Posts
security
Jan 17, 2024
Any workload in the Cloud can be compromised through access to raw memory via the supervisor