Page 123 - Cyber Defense eMagazine August 2024
3. “How do I keep data available but confidential?”
Going beyond robust access control, businesses must introduce layers of administrative and technical protections to ensure that data remains available to those who should have access, and kept confidential from those who should not.

Among these protections, data encryption is an absolute requirement, for data at rest and data in transit. Implement end-to-end encryption with strong encryption protocols, and protect every device able to access your data with system- and user-level encryption to prevent both internal and external network-based threats. With effective encryption, even if an attacker does access data, they won't be able to read it.
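The "even if an attacker does access data, they won't be able to read it" property depends on using authenticated encryption and keeping the key separate from the stored data. The following Go program is an added illustration of that point, not code from the magazine or its author: it seals a constructed sample record with AES-256-GCM, binds the ciphertext to its record identifier through the associated data, and shows that a stolen blob is useless without the key and that any tampering or record swap is detected on decryption. The key here is generated in memory for the demonstration; in a real deployment it would come from a key management service or HSM, which is an assumption this example does not implement.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealRecord encrypts plaintext for storage at rest with AES-256-GCM.
// The returned blob is nonce || ciphertext || auth tag. The record ID is passed
// as associated data so a ciphertext copied from one record into another
// fails authentication instead of silently decrypting.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// would break GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. It returns an error (and no plaintext) if
// the key is wrong, the blob was modified, or the record ID does not match.
func OpenRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample: a 32-byte key and one customer record.
	// In production the key lives in a KMS/HSM, never beside the data.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte(`{"name":"Example Customer","email":"customer@example.com"}`)

	blob, err := SealRecord(key, "customer-1001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) reveals nothing readable: %x...\n", len(blob), blob[:16])

	// Legitimate access: correct key and record ID recover the plaintext.
	if pt, err := OpenRecord(key, "customer-1001", blob); err == nil {
		fmt.Println("authorized read:", string(pt))
	}

	// Exfiltrated copy without the key is unreadable.
	wrongKey := make([]byte, 32)
	if _, err := OpenRecord(wrongKey, "customer-1001", blob); err != nil {
		fmt.Println("wrong key rejected:", err)
	}

	// A single flipped bit in storage is detected rather than decrypted to garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecord(key, "customer-1001", tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

Encryption at rest protects confidentiality only while the key is outside the attacker's reach, so the access controls discussed earlier apply to the key store at least as strictly as to the data itself.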
Have robust backup and disaster recovery capabilities to make sure data remains available and that you maintain business continuity throughout and after an incident. This functionality should include regular data backups, off-site storage so that data remains secure even if attackers target backup data (which they often do), and regular testing to ensure you can execute an optimal recovery if and when the need arises.
A detailed incident response plan is another critical measure for achieving the best outcome in a high-risk scenario. Make a plan that includes a step-by-step procedure for detecting, swiftly responding to, containing, and recovering from a data breach. At the end of the day, having a strong plan will meaningfully improve a business's circumstances and standing with regulators following an attack.
Finally, employee training is a key aspect of data confidentiality, because insecure behavior by businesses' own workers is still the chief cause of data breaches. Continuously training and testing employees on the latest threats, from phishing schemes to credential management to safe internet browsing, pays dividends when it comes to maintaining security and compliance.
Ask the right questions, get the right answers
With the consequences of insufficient cybersecurity and regulatory non-compliance growing more severe, businesses must take decisive steps to protect their customers from harm, and themselves from steep fines and damaged reputations. By asking the right questions about where sensitive data resides, who has access, and how to keep data confidential and available, businesses can arrive at the right answer and implement comprehensive and compliant layered security protections.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.