After a data breach, your company will feel the implications for years to come. Attacks often come from unexpected directions, but CIOs and CISOs can prioritize steps to protect sensitive data, according to Kevin Andrews, CTO of employee benefits service company Hodges-Mace. “The biggest misconception is that it’s going to happen to someone else,” he says. To better protect your own organization, he recommends these steps:
1. Prepare for attacks from seemingly authenticated sources
“There is a misconception where people think since they have a firewall, that will protect their information and it’s encrypted and secure externally,” Andrews says. “The reality is most attacks are orchestrated through a compromised valid user within the network. This means that data is accessed with credentials obtained through spear phishing or a socially engineered hack, getting through the firewalls by impersonating an authenticated user.”
[ How secure are your containers? See our related article, What Clarence Birdseye can teach us about container security. ]
You can lessen the chances of these and other attacks by observing data security best practices at every level of the organization, he adds. “It’s important to make sure you have proper audits and controls, such as patch management, penetration testing, and vulnerability scans on a regular basis.”
2. Treat all data as sensitive
Should you take special steps to secure particularly sensitive data, such as personally identifiable information? No, Andrews says. “You are better off securing the entire data set. Segmented secure/non-secure data is risky due to the potential lack of communication within the organization,” he explains.
“The breadth of organizations makes it difficult to communicate the determined segmentation throughout because there are many touch points inside most organizations including vendors, partners, customers, etc.," he says. "This leaves a high degree of vulnerability and the potential of someone distributing insecure data.”
3. Educate users on data security
Your organization’s users can make or break data security, Andrews says. “It is important to build awareness around security vulnerabilities, and it is important to outline the role that each individual plays in securing company or personal data.”
It’s never too early to deliver the data-security message, he adds. “The process starts at point-of-hire through educational programs and best practices and should be continued through the exit process. It is very important to reinforce best practices and provide real-life scenarios or role-play for employees so they can become better prepared for potential threats.”
4. Budget enough to do data security well
It’s important to have the right resources and budget to maintain and secure all your data, Andrews says. “Make sure you are leveraging third-party experts to help in the audit and testing of security protocols. CIOs should not skimp on security budgets. They should also ensure executive leadership is on board with the potential liabilities and risk.”
Comments
Missed an important control that should be at the top of the list - controlling dwell time, the period of time between first execution of malware and its' discovery. There is research that shows discovery of malware within 30 days reduces business impact by up to 23% and that same research shows discovery in 7 days reduces it by up to 78% and 1 day reduced it by up to 96%.
There are several good malware hunt platforms in the market - two of note being from Infocyte and BSK Consulting. One uses a forensic state analysis approach designed for use by normal IT admins and security professionals, while the other uses a methodology focused on indications of compromise. Both can provide enterprises
What enterprises shouldn't/can't do is fall into the trap/hype/marketing of repurposing modern defensive technologies as post-breach detection tools: it doesn't make a lot of sense to rely on the very defensive tools that let malware breach to find malware that has in fact already breached those very tools undetected.