How to Avoid a Catastrophic Data Breach

By ISBuzz Team, October 26, 2015
Ashley Madison is just the latest in a long line of high-profile organisations to suffer a breach at the hands of hackers. While today’s data breaches may differ in terms of attack type and origin, they all produce the same result – significant data loss. Data is the lifeblood of most modern companies and the long-term negative impact on those who suffer breaches demonstrates just how serious the issue of data loss has become today. But as hackers continue to get smarter and more persistent, what can companies do to protect their information? Below are five recommendations that will help your company keep its sensitive data out of the wrong hands.

  1. Identify Where Sensitive Data is at Risk

Your customers, business partners, and investors will ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where confidential data, including information contained on mobile devices, could be at risk. You don’t have to conduct this risk assessment yourself. Proven services on the market can quickly help you understand all locations where sensitive data lives within your company and how it’s being used.

  2. Don’t Rely on the Traditional Network Security Focus

Almost 100 percent of large companies have security programs that start and end “on the network.” Why? Because it’s easier. Racking a security device on the network causes very little organisational friction. Yet the IT teams in these companies then spend almost every day purposely punching holes in the network. VPNs are a common example; their widespread use makes them popular targets for attackers due to the high number of potential entry points and often lax attitude towards security from users.

These inevitable holes mean the network will always be vulnerable to attackers. Add to this the fact that many employees operate in a mobile environment and demand access to sensitive information on their phones and tablets, devices that traditional network security measures don’t protect. A layered approach to security is becoming increasingly important for companies, with device-focused technologies such as mobile device management (MDM) playing a pivotal role.

  3. Focus on Data Protection Solutions

According to Forrester’s The Future of Data Security: A Zero Trust Approach report, “In this new reality, traditional perimeter-based approaches to security are insufficient. Security and Risk (S&R) professionals must take a data-centric approach that ensures security travels with the data regardless of user population, location, or even hosting model.”

Several proven data protection solutions on the market ensure security travels with the data. Called data loss prevention (DLP), these solutions help classify data, attach a usage policy to it and strictly enforce that policy. DLP is no longer optional for any company wanting to protect sensitive customer data. This is the reality of the environment in which we now live and work.

If you make it fractionally harder to steal sensitive information, or render data useless once outside the network, attackers will move to another company that presents an easier target. Several leading analyst companies, including the above-mentioned Forrester, are changing the conversation when it comes to data protection. As data remains the target and its attack surface continues to grow larger than ever before, protecting that data must be at the core of any company’s security approach.

  4. Consider Outsourcing your Data Protection

One way around the challenges associated with implementing advanced data protection strategies is to outsource to a managed security provider. Many of these companies have deep DLP expertise and proven infrastructure, meaning you can concentrate on your business while they keep your data secure. They can also improve your security posture much faster than if you implement data protection solutions yourself. If your IT team is already stretched, a managed security approach gives you the comfort of knowing that customers’ data is being protected without taking valuable staff time. They can also provide the assurances demanded by customers, banks, and other security-sensitive organisations.

  5. Go Beyond Traditional Security Training with Positive Social Engineering

Employee security awareness is a critical step to protect customer data. The key to effective employee security training is to go beyond slideware and annual refreshers. Innovative companies are using the prompting functionality in technologies to help employees self-correct data use issues. For example, a customer recently reported an 85 percent decrease in data use policy violations after six months of using real-time, pop-up dialogue box prompts. Sometimes all employees need is a simple, real-time reminder of what corporate policy is, and how they can adhere to it.

Customers and business partners will increasingly demand that companies show proof of ongoing security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realising that the weakest link in their security posture may not be within their perimeter walls but rather inside the walls of those they choose to do business with. If you follow these steps, not only will you be able to demonstrate how you’re protecting their data, you’ll also be in a position to use your advanced security posture as a differentiator with new customers.

Mark Stevens, Senior Vice President, at Digital Guardian

Mark Stevens is a senior vice president, global services at Digital Guardian. Mark is an accomplished, results-driven senior information technology leader with extensive experience managing diverse technology organizations. At Digital Guardian, he is responsible for driving customer success across professional services, managed services, and support and training.

Mark is known for his high-energy emphasis on customer success, leadership and teamwork, and his tireless work ethic. Throughout his career in software development and consulting, he has succeeded and established higher standards by focusing on results and driving excellence through his efforts and his teams’ performance. With a distinguished academic record — and worldwide work experience in developed and developing nations throughout Europe, Asia, and the Americas — he delivers results as a true, technology-savvy business leader in the software industry.
