Even as the IT landscape becomes increasingly decentralized and complex, it’s important to understand that many security breaches are preventable. While individual security challenges and goals may differ from company to company, often organizations make the same widespread mistakes as they begin to tackle data security. What’s more, many enterprise leaders often accept these errors as normal business practice.
There are several internal and external factors that can lead to successful cyberattacks, including:
Let’s look at five of the most prevalent—and avoidable—data security missteps that make organizations vulnerable to potential attacks, and how you can avoid them.
Compliance doesn’t necessarily equal security. As TeraPixels Systems and its team of IT service professionals in San Diego have seen, organizations that focus their security resources on complying with an audit or certification can become complacent. Many large data breaches have happened in organizations that were fully compliant on paper. The following examples show how focusing solely on compliance can diminish effective security:
Enterprises often scramble to address database misconfigurations and outdated access policies prior to an annual audit. Vulnerability and risk assessments should be ongoing activities.
Many businesses adopt data security solutions just to fulfill legal or business partner requirements. This mindset of “let’s implement a minimum standard and get back to business” can work against good security practices. Effective data security is a marathon, not a sprint.
Businesses can become complacent about managing controls as regulations, such as the Sarbanes-Oxley Act (SOX) and the General Data Protection Regulation (GDPR), mature. While, over time, leaders can become less attentive to the privacy, security and protection of regulated data, whether it is handled in-house or by an IT service provider, the risks and costs associated with noncompliance remain.
Omission of unregulated data
Assets, such as intellectual property, can put your organization at risk if lost or shared with unauthorized personnel. Focusing solely on compliance can result in security organizations overlooking and under protecting valuable data.
Data security organizations must establish strategic programs that consistently protect their business’ critical data, as opposed to simply responding to compliance requirements.
Data security and protection programs should include these core practices:
The final element can include legal liabilities related to regulatory compliance, possible losses a business can suffer and the potential costs of those losses beyond noncompliance fines.
Ultimately, you should think holistically about the risk and value of the data you seek to secure.
Without broader compliance mandates that cover data privacy and security, organization leaders can lose sight of the need for consistent, enterprise-wide data security.
For enterprises with hybrid multicloud environments, which constantly change and grow, new types of data sources can appear weekly or daily and greatly disperse sensitive data.
Leaders of companies that are growing and expanding their IT infrastructures can fail to recognize the risk that their changing attack surface poses. They can lack adequate visibility and control as their sensitive data moves around an increasingly complex and disparate IT environment. Failure to adopt end-to-end data privacy, security and protection controls—especially within complex environments—can prove to be a very costly oversight.
Operating security solutions in silos can cause additional problems. For example, organizations with a security operations center (SOC) and security information and event management (SIEM) solution can neglect to feed those systems with insights gleaned from their data security solution. Likewise, a lack of interoperability between security people, processes and tools can hinder the success of any security program.
Securing sensitive data should occur in conjunction with your broader security efforts. In addition to understanding where your sensitive data is stored, you need to know when and how it’s being accessed, as well—even as this information rapidly changes. Additionally, you should work to integrate data security and protection insights and policies with your overall security program to enable tightly aligned communication between technologies. A data security solution that operates across disparate environments and platforms can help in this process.
So, when is the right time to integrate data security with other security controls as part of a more holistic security practice? Here are a few signs that suggest your organization may be ready to take this next step:
Risk of losing valuable data
The value of your organization’s personal, sensitive and proprietary data is so significant that its loss would cause significant damage to the viability of your business.
Your organization collects and stores data with legal requirements, such as credit card numbers, other payment information or personal data.
Lack of security oversight
Your organization has grown to a point where it’s difficult to track and secure all the network endpoints, including cloud instances. For example, do you have a clear idea of where, when and how data is being stored, shared and accessed across your on-premises and cloud data stores?
Your organization has adopted a fragmented approach where no clear understanding exists of exactly what’s being spent across all your security activities. For example, do you have processes in place to measure accurately your return on investment (ROI) in terms of the resources being allocated to reduce data security risk?
If any of these situations apply to your organization, you should consider acquiring the security skills and solutions needed to integrate data security into your broader existing security practice.
Even when aware of the need for data security, many companies have no one specifically responsible for protecting sensitive data. This situation often becomes apparent during a data security or audit incident when the organization is under pressure to find out who is actually responsible.
Top executives may turn to the chief information officer (CIO), who might say, “Our job is to keep key systems running. Go talk to someone in my IT staff.” Those IT employees may be responsible for several databases in which sensitive data resides and yet lack a security budget.
Typically, members of the chief information security officer (CISO) organization aren’t directly responsible for the data that’s flowing through the overall business. They may give advice to the different line-of-business (LOB) managers within an enterprise, but, in many companies, nobody is explicitly responsible for the data itself. For an organization, data is one of its most valuable assets. Yet, without ownership responsibility, properly securing sensitive data becomes a challenge.
A chief data officer (CDO) or data protection officer (DPO) can handle these duties. In fact, companies based in Europe or doing business with European Union data subjects face GDPR mandates that require them to have a DPO. This prerequisite recognizes that sensitive data—in this case personal information—has value that extends beyond the LOB that uses that data. Additionally, the requirement emphasizes that enterprises have a role specifically designed to be responsible for data assets. Consider the following objectives and responsibilities for choosing a CDO or DPO:
Technical knowledge and business sense
Assess risk and make a practical business case that nontechnical business leaders can understand regarding appropriate security investments
Direct a plan at a technical level that applies detection, response and data security controls to provide protections.
Understand compliance requirements and know how to map those requirements to data security controls so that your business is compliant.
Monitoring and assessment
Monitor the threat landscape and measure the effectiveness of your data security program.
Flexibility and scaling
Know when and how to adjust the data security strategy and IT embedded services, such as expanding data access and usage policies across new environments by integrating more advanced tools.
Division of labor
Set expectations with cloud service providers regarding service-level agreements (SLAs) and the responsibilities associated with data security risk and remediation.
Data breach response plan
Finally, be ready to play a key role in devising a strategic breach mitigation and response plan.
Ultimately, the CDO or DPO should lead in fostering data security collaboration across teams and throughout your enterprise, as everyone needs to work together to effectively secure corporate data. This collaboration can help the CDO or DPO oversee the programs and protections your organization needs to help secure its sensitive data.
High-profile breaches in enterprises have often resulted from known vulnerabilities that went unpatched even after the release of patches. Failure to quickly patch known vulnerabilities puts your organization’s data at risk because cybercriminals actively seek these easy points of entry.
However, many businesses find it challenging to quickly implement patches because of the level of coordination needed between IT, security and operational groups. Furthermore, patches often require testing to confirm that they don’t break a process or introduce a new vulnerability.
In cloud environments, sometimes it’s difficult to know if a contracted service or application component should be patched. Even if a vulnerability is found in a service, its users often lack control over the service provider’s remediation process.
Vulnerability management typically involves some of the following levels of activity:
Even within a mature vulnerability management program, no system can be made perfect. Assuming intrusions can happen even in the best protected environments, your data requires another level of protection. The right set of data encryption techniques and capabilities can help protect your data against new and emerging threats.
Monitoring data access and use is an essential part of any data security strategy. An organization leader needs to know who, how and when people are accessing data. This monitoring should encompass whether these people should have access, if that access level is correct and if it represents an elevated risk for the enterprise.
Privileged user identifications are common culprits in insider threats. A data protection plan should include real-time monitoring to detect privileged user accounts being used for suspicious or unauthorized activities. To prevent possible malicious activity, a solution must perform the following tasks:
Accounting for data security and compliance-related information and knowing when and how to respond to potential threats can be difficult. With authorized users accessing multiple data sources, including databases, file systems, mainframe environments and cloud environments, monitoring and saving data from all these interactions can seem overwhelming. The challenge lies in effectively monitoring, capturing, filtering, processing and responding to a huge volume of data activity. Without a proper plan in place, your organization can have more activity information than it can reasonably process and, in turn, diminish the value of data activity monitoring.
TeraPixels Systems and our security and IT services professionals in Orange County are typically tasked with securing a variety of businesses. To that end, when starting on a data security journey, you need to size and scope your monitoring efforts to properly address the requirements and risks. This activity often involves adopting a phased approach that enables development and scaling of best practices across your enterprise. Moreover, it’s critical to have conversations with key business and IT stakeholders early in the process to understand short-term and long-term business objectives.
These conversations should also capture the technology that will be required to support their key initiatives. For instance, if the business is planning to set up offices in a new geography using a mix of on-premises and cloud-hosted data repositories, your data security strategy should assess how that plan will impact the organization’s data security and compliance posture, for example, whether the company-owned data will now be subject to new data security and compliance requirements, such as the GDPR, the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD) and so on.
You should also prioritize and focus on one or two sources that likely have the most sensitive data. Make sure your data security policies are clear and detailed for these sources before extending these practices to the rest of your infrastructure.
You should look for an automated data or file activity monitoring solution with rich analytics that can focus on key risks and unusual behaviors by privileged users. Although it’s essential to receive automated alerts when a data or file activity monitoring solution detects abnormal behavior, you must also be able to take fast action when anomalies or deviations from your data access policies are discovered. Protection actions should include dynamic data masking or blocking.
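As an added illustration of the data activity monitoring described here and in the privileged-user section above (example code, not from the article or from TeraPixels Systems), the following Python policy evaluates constructed database audit events: it blocks and alerts when a privileged account touches a sensitive table outside an assumed maintenance window, and applies dynamic masking to bulk reads of sensitive columns. The table names, roles, maintenance window and bulk threshold are assumptions made for the example.

```python
import re
from dataclasses import dataclass
# Demo policy (assumed for this example, not from any product or the article).
SENSITIVE_TABLES = {"payments": ["card_number"], "customers": ["ssn"]}
PRIVILEGED_ROLES = {"dba", "sysadmin"}
MAINTENANCE_HOURS = range(1, 5)  # 01:00-04:59, when DBA access to data is expected
@dataclass
class AuditEvent:
    user: str
    role: str
    hour: int        # hour of day (0-23) the statement ran
    table: str
    operation: str   # SELECT, UPDATE, DELETE, ...
    row_count: int

def evaluate(ev: AuditEvent, bulk_threshold: int = 1000) -> str:
    """Return 'allow', 'mask' or 'block' for one audit event."""
    if ev.table not in SENSITIVE_TABLES:
        return "allow"
    # Privileged account on sensitive data outside the maintenance window: block.
    if ev.role in PRIVILEGED_ROLES and ev.hour not in MAINTENANCE_HOURS:
        return "block"
    # Bulk reads of a sensitive table are served with masked values instead.
    if ev.operation == "SELECT" and ev.row_count >= bulk_threshold:
        return "mask"
    return "allow"

def mask_row(table: str, row: dict) -> dict:
    """Dynamic data masking: star out every digit except the last four."""
    masked = dict(row)
    for col in SENSITIVE_TABLES.get(table, []):
        masked[col] = re.sub(r"\d(?=(?:\D*\d){4})", "*", str(masked[col]))
    return masked

def process(events: list) -> tuple:
    # Apply the policy to a batch; return per-event decisions and alert lines.
    decisions, alerts = [], []
    for ev in events:
        decision = evaluate(ev)
        decisions.append(decision)
        if decision != "allow":
            alerts.append(f"{decision.upper()}: {ev.user} ({ev.role}) {ev.operation} {ev.table} rows={ev.row_count} hour={ev.hour}")
    return decisions, alerts
SAMPLE = [  # constructed sample audit events, not real data
    AuditEvent("app_svc", "app", 14, "orders", "SELECT", 50),
    AuditEvent("jdoe", "dba", 22, "payments", "SELECT", 3),
    AuditEvent("jdoe", "dba", 3, "payments", "UPDATE", 1),
    AuditEvent("reporter", "analyst", 9, "customers", "SELECT", 25000),
]
```

Running `process(SAMPLE)` yields one block alert for the off-hours DBA read and one mask decision for the analyst's bulk export, while the in-window DBA change and the non-sensitive read pass through.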