Written by Blaise Wabo, A-LIGN on October 11, 2016
Actionable Tips to Prevent Data Breaches
Feeling safe about your organization’s personal data because of encryption standards? Don’t fool yourself into a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation from the top levels down. In IBM’s Security Services 2014 Cyber Security Intelligence Index, which analyzed cyber-attack and incident data, more than 95% of all incidents cited “human error” as a contributing factor to the attack.
The list of potential human error risk factors is longer than expected:
- Administrator system misconfiguration
- Not updating systems appropriately
- Not managing system patches
- Default password usage
- Default user ID usage
- Lost devices
- Misplaced devices
- Unlocked devices
- Incorrect disclosure procedures
Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error.
1. Education from the Top Down
This is number one for a reason. Individuals in management may think that because they have an incredible IT Security Director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the potential cybersecurity risks innate to your organization is important in preventing risks.
The development of policies and procedures on how to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is essential in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.
2. Hire Well
Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization that is trying to implement security controls. When recruiting individuals, management should be certain that employees understand the concepts behind both breach prevention and management in the event that a breach does occur.
In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.
3. Develop an Exit Strategy
Having an exit strategy for employees who are leaving your organization is just as important as educating employees in cybersecurity. This includes changing passwords, ensuring that computers and personal devices no longer have sensitive information available on them, and developing contracts that include legal repercussions for sharing or utilizing sensitive data.
4. The Less Data, the Better
Since cyber criminals can only steal information that an employee or organization has access to, one of the major ways to minimize risk is to limit data availability:
- Reduce the number of employees that have access to at-risk information.
- Don’t collect information that isn’t relevant to your business.
- Reduce the number of places where data is physically stored.
- Only grant data access on an as-needed basis and revoke access as soon as information is no longer necessary.
- Purge data early and often!
You prevent data breaches by minimizing the amount of access that individuals have to data.
5. Purge Your Data Properly
It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.
Too often, employees think that they are getting rid of all of their data when they remove files that are located on their desktop, without realizing that other copies of the files are still present elsewhere on the computer. By teaching employees proper data disposal techniques, you’re able to minimize the risk of having that data get into the wrong hands.
6. Monitor Your BYOD Programs
BYOD or Bring Your Own Device is a program where employees bring their own technology (computers, tablets, cell phones, etc.) to work. Many organizations have moved to this type of program so that employees are able to use technology that they have a better understanding of. This reduces training time and increases productivity.
However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.
In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.
By implementing strong BYOD policies that force employees to fully understand the risks inherent with the utilization of their own devices, organizations are able to fully prevent data breaches from happening. These programs should emphasize or consider:
- Password and device-encryption requirements
- Update and patch requirements
- Lost or misplaced device notification for emergency response and remote data-wiping
- Utilization of tracking software
- Establishment of secure app workflows
- Anti-malware software
- Jailbreak prevention
- Device partitioning
The creation of appropriate BYOD management and policies allows the program to work successfully, instead of becoming a pain point for organizations.
7. Secure Your Networks
Employees are constantly on mobile devices these days, and oftentimes have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few fake Wi-Fi capture spots that pull sensitive information from devices connecting to these “Hot Spots.”
Ensure the security of your network by investing in a personal or corporate VPN; that way, all of the data that is being utilized is appropriately encrypted at the source.
8. Update Software with All Patches and Updates
Software companies are constantly updating their product in order to ensure that their devices are secure for use. Outside companies are constantly finding new vulnerabilities in their software, and patches and updates allow for organizations to ensure that these vulnerabilities do not affect their business functions.
9. Develop “Appropriate Usage” Guidelines for Company Technology
Educate employees on the appropriate usage of organizational technology. This includes when, where and how to log in to accounts, how to check their connection to ensure it is reliable and secure, and when not to use devices.
10. Hold Outside Vendors to the Same Standards
By only working with organizations with the correct security and regulatory designations, you are able to prevent data breaches by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations or function outside of governing bodies with strict regulation, it is not cheaper than the consumers that are lost due to a data breach. At the end of the day, if your vendor makes a mistake – it is your clients on the line, not just theirs.
11. Prepare for the Worst
Establishing a disaster management plan allows for your organization to feel prepared if the worst were to happen.
While all of your preparations can help you to prevent data breaches, your risk is never fully mitigated. Being prepared allows your team to have a full understanding of their job in order to prevent the breach from growing, or causing unnecessary customer backlash.
12. Test Out Your Disaster Management Plan
Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it is a reality.
13. Audit Your Organization Regularly
By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols prior to an issue.
14. Notify Early and Appropriately
If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.
The sooner that your team is able to respond to an incident, the greater the chance you have of being able to manage the potential damage to your organization and its clients. Reporting unusual or suspicious activity is the difference between a major breach and a minor one.