Trace Id is missing
Skip to main content
Microsoft Security

What is data security?

Data security involves knowing what data you have and where it’s located, and identifying risks around your data. Learn how to safeguard your data.

Data security defined

Data security helps you to protect sensitive data throughout its lifecycle, understand the context of user activity and data, and prevent unauthorized use or loss of data.

The importance of data security can’t be understated in this age of increasing cybersecurity threats and insider risks. It’s necessary for having visibility into the types of data you have, preventing the unauthorized use of data, and identifying and mitigating risks around the data. In conjunction with data security, data security management guides your organization in planning, organizing, and controlling data security activities using well-written policies and procedures.

Types of data security

For data security to be effective, it must account for the sensitivity of datasets and your organization’s regulatory compliance requirements. Types of data security that help you protect against a data breach, meet regulatory requirements, and prevent damage to your reputation include:

  • Access control that governs access to on-premises and cloud-based data.
  • Authentication of users by way of passwords, access cards, or biometrics.
  • Backups and recovery to enable access to data after a system failure, data corruption, or disaster.
  • Data resiliency as a proactive approach to disaster recovery and business continuity.
  • Data erasure to properly dispose of data and make it unrecoverable.
  • Data masking software that uses proxy characters to hide letters and numbers from unauthorized users.
  • Data loss prevention solutions to guard against unauthorized use of sensitive data.
  • Encryption to make files unreadable for unauthorized users.
  • Information protection to help classify sensitive data found in files and documents.
  • Insider risk management to mitigate risky user activity.

Data types that need to be secured

Anyone who’s had a credit card compromised or their identity stolen discovers a deeper appreciation for effective data protection. Malicious hackers continually devise ways to steal personal information and ransom it, sell it, or commit further deception. In addition, current and former employees are often a cause of data loss, making insider risk management a necessity for organizations.

Every industry has its own requirements for what to protect and how to protect it, but common types of data that need to be secured include:

  • Personal information about your employees and customers.
  • Financial data like credit card numbers, banking information, and corporate financial statements.
  • Health information like services received, diagnoses, and test results.
  • Intellectual property like trade secrets and patents.
  • Business operations data like supply chain information and production processes.

Threats to data security

At work and at home, the internet gives you access to accounts, methods of communication, and ways to share and use information. Many types of cyberattacks and insider risks can put the information that you share at risk.

  • Hacking

    Hacking refers to any attempt via computer to steal data, corrupt networks or files, overtake an organization’s digital environment, or disrupt their data and activities. Methods of hacking include phishing, malware, code breaks, and distributed denial-of-service attacks.

  • Malware

    Malware is a term for worms, viruses, and spyware that enable unauthorized users to access your environment. Once inside, these users have the potential to disrupt your IT network and endpoint devices, or steal credentials that may have been left in files.

  • Ransomware

    Ransomware is malware that prevents access to your network and files until you pay a ransom. Opening an email attachment and clicking on an advertisement are a few ways that ransomware can be downloaded to your computer. It’s usually discovered when you can’t access files or you see a message that demands payment.

  • Phishing

    Phishing is the act of tricking individuals or organizations into giving up information like credit card numbers and passwords. The intent is to steal or damage sensitive data by pretending to be a reputable company that the victim is familiar with.

  • Data leakage

    Data leakage is the intentional or accidental transfer of data from inside an organization to an external recipient. This can be accomplished using email, the internet, and devices like laptops and portable storage devices. Files and documents that are taken off premises are also a form of data leakage. 

  • Negligence

    Negligence is when an employee knowingly breaks a security policy but isn’t trying to cause the company harm. For example, they might share sensitive data with a coworker who doesn’t have access, or sign into company resources over an unsecured wireless connection. Another example is allowing someone to enter a building without showing a badge.

  • Fraud

    Fraud is committed by sophisticated users who want to take advantage of online anonymity and real-time accessibility. They might create transactions using compromised accounts and stolen credit card numbers. Organizations might become victims of warranty fraud, refund fraud, or reseller fraud.

  • Theft

    Theft is an insider threat that results in stolen data, money, or intellectual property. It’s done for personal gain and to harm the organization. For instance, a trusted vendor could sell customer social security numbers on the dark web or use insider information about customers to start their own business.

Data security technologies

Data security technologies are key components to a more complete data security strategy. Various data loss prevention solutions are available to help you detect internal and external activity, flag suspicious or risky data-sharing behavior, and control access to sensitive data. Implement data security technologies like these to help prevent sensitive data from being exfiltrated.

Data encryption. Use encryption—converting data into code—on data that is at rest or in motion to prevent unauthorized users from viewing file content even if they gain access to its location.

User authentication and authorization. Verify user credentials and confirm that access privileges are assigned and applied correctly. Role-based access control helps your organization to grant access only to those who need it.

Insider risk detection. Identify activities that may indicate insider risks or threats. Understand the context of data usage and know when certain downloads, emails outside of your organization, and renamed files point to suspicious behavior.

Data loss prevention policies. Create and enforce policies that define how data is managed and shared. Specify authorized users, applications, and environments for various activities to help prevent data from being leaked or stolen.

Data backup. Back up an exact copy of your organization’s data so that your authorized administrators have a way to restore it in the event of a storage failure, data breach, or disaster of any kind.

Real-time alerts. Automate notifications for potential data misuse and receive alerts to possible security issues before they cause damage to your data, reputation, or employee and customer privacy.

Risk assessment. Understand that employees, vendors, contractors, and partners have information about your data and security practices. To help prevent it from being misused, know what data you have and how it’s used throughout your organization.

Data auditing. Address major concerns like data protection, accuracy, and accessibility with regularly scheduled data audits. They let you know who is using your data and how it’s being used.

Data security management strategies

Data security management strategies include the policies, procedures, and governance that help you keep your data safer and more secure.

  • Implement best practices for password management

    Implement an easy-to-use password management solution. It will eliminate the need for sticky notes and spreadsheets, and relieve employees of having to memorize unique passwords.
    Use passphrases instead of passwords. A passphrase may be easier for the employee to remember and harder for a cybercriminal to guess.
    Enable two-factor authentication (2FA). With 2FA, even if a passphrase or password was compromised, login security is maintained because the unauthorized user could not gain access without the additional code delivered to the second device. 
    Change your passwords after a breach. Changing them more often is thought to lead to weaker passwords over time.
    Avoid reusing passphrases or passwords. Once they are compromised, they are often used to break into other accounts.

  • Create a defense plan

    Protect sensitive data. Discover and classify data at scale to know the volume, type, and location of information wherever it lives throughout its lifecycle.
    Manage insider risks. Understand user activity and the intended use of the data to identify potentially risky activities that may lead to data security incidents.
    Establish proper access controls and policies. Help prevent actions like improperly saving, storing, or printing sensitive data.

  • Use encryption to secure data

    Data encryption prevents unauthorized users from reading sensitive data. Even if they get access to your data environment or see data while it’s in transit, the data is useless because it cannot be easily read or understood.

  • Install software and security updates

    Software and security updates address known vulnerabilities that cybercriminals often exploit to steal sensitive information. Keeping up with regular updates helps to address those vulnerabilities and prevent your systems from being compromised.

  • Train employees on data security

    Helping to protect your organization’s data isn’t relegated to your IT department; you must also train your employees to be aware of data disclosure, theft, and corruption. Data security best practices are relevant to data that is online and printed as hard copies. Formal training should occur on a regular basis, whether quarterly, biannually, or annually.

  • Implement security protocols for remote work

    To implement security protocols for your remote workforce, start by clarifying your policies and procedures. This typically entails mandatory security training and specifying what software applications are acceptable to use and how to use them. Protocols should also include a process for securing all devices used by your employees.

Regulations and compliance

Organizations must comply with relevant data protection standards, laws, and regulations. They include, but are not limited to, collecting only the information you need from customers or employees, working to keep it safe, and disposing of it properly. Examples of privacy laws are the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA).

GDPR is the strictest data privacy and security law. It was drafted and passed by the European Union (EU), but organizations worldwide are obligated to comply if they target or collect personal data from EU citizens or residents or if they offer goods and services to them.

HIPAA helps to protect patient health information from being disclosed without the patient’s knowledge or consent. The HIPAA Privacy Rule safeguards personal health information and was issued to implement HIPAA requirements. The HIPAA Security Rule helps to protect identifiable health information that a healthcare provider creates, receives, maintains, or transmits electronically.

CCPA helps to secure privacy rights for California consumers, including the right to know about the personal information that’s collected and how it’s used and shared, the right to delete personal information collected from them, and the right to opt out of the sale of their personal information.

Data protection officer (DPO) is a leadership role that tracks compliance and helps to ensure that your organization processes personal data in compliance with data protection laws. For example, they inform and advise compliance teams how to be compliant, provide training within the organization, and report failure to comply with the rule and regulations.

When failure to comply leads to a data breach, it often costs organizations millions of dollars. Consequences include identity theft, lost productivity, and a customer exodus.

Conclusion

Data security and data security management help you to identify and assess threats to your data, comply with regulatory requirements, and maintain the integrity of your data.

Make the commitment to back up your data frequently, store a copy of your backup in an off-site location, establish your data security management strategies, and enforce strong passwords or passphrases and 2FA.

Taking steps to protect data during its lifecycle, understanding how data is used, preventing data leakage, and creating data loss prevention policies are the pillars for building a strong defense in your organization.

Learn how to safeguard your data across clouds, apps and endpoints with data security procedures and tools.

Learn more about Microsoft Security

Microsoft Purview

Explore governance, protection, and compliance solutions for your organization’s data.

Learn more

Help prevent data loss

Identify inappropriate sharing or use of sensitive data on endpoints, apps, and services.

Learn more

Manage insider risks

Learn how to identify potential risks in the activities of your employees and vendors.

Learn more

Information protection

Discover, classify, and protect your most sensitive data across your digital estate.

Learn more

Frequently asked questions

  • Data security helps to protect sensitive data throughout its lifecycle, understand the context of user activity and data, and prevent unauthorized use of data. It involves knowing what data you have and where it’s located, and identifying threats to that data.

  • Types of data security include:

    • Access controls that require login credentials for on-premises and cloud-based data.
    • Authentication of users via passwords, access cards, or biometrics.
    • Backups and recovery to enable access to data after a system failure, data corruption, or disaster.
    • Data resiliency as a proactive approach to disaster recovery and business continuity.
    • Data erasure for the proper disposal of data and making it unrecoverable.
    • Data masking software that uses proxy characters to hide letters and numbers from unauthorized users.
    • Data loss prevention solutions to guard against unauthorized use of sensitive data.
    • Encryption to make files unreadable for unauthorized users.
    • Information protection to help classify sensitive data found in files and documents.
    • Insider risk management to mitigate risky user activity.

  • An example of data security is using technology to see where sensitive data resides within your organization and knowing how that data is accessed and used.

  • Data security is important because it helps your organization guard against cyberattacks, insider threats, and human error, all of which can lead to data breaches.

  • The four key issues in data security are confidentiality, integrity, availability, and compliance.

Follow Microsoft 365