In honor of this day, Stroz Friedberg offers our top five best practices to safeguard your organization’s data. This isn’t an idealized wish list. These tips don’t ignore the reality of limited resources—a constraint under which all companies function. Our list isn’t about multi-million dollar, bespoke security solutions or processes that hundreds of people need to monitor and manage. Our guidance presents a way to prioritize the handful of things that are most critical, and if implemented, can increase your organization’s resilience and protect it from serious harm.
- Prioritize your data. If you don’t know what data you have, you don’t know what needs the most protection. In practice, for most organizations, determining which data is most valuable to attackers is more than knowing where you have personally identifiable information (PII) and personal health information (PHI). Sensitive data also includes trade secrets and intellectual property—and IT may not be aware of every strategic initiative in the works. Prioritizing data often requires involvement of senior executives who look at the issue from a business, rather than just a technical, perspective. It’s also important to consider sensitive derivatives of your organization’s own data. For example, imagine a participant in your supply chain that tracks the volume of your company’s purchases over time. This may not be seen as traditionally “sensitive” data, but criminals could use this intelligence to decide if they should short the company’s stock. Bottom line: All data must be assessed to determine its potential value to criminals.
- Identify your greatest threats. To safeguard your highest-risk data, you must know your threats—criminals’ motivations and recent activity against companies like yours. Threat intelligence helps you determine the level of investment required to protect the various types of sensitive data you possess. If you’re especially proactive, this information can also help you hunt for attackers already hiding in your environment. Most industries have information sharing communities, or ISACs, that share highly relevant threat intel among members. Join these groups to both contribute and consume. Then, from a technology perspective, invest in a reliable threat feed that can be integrated with your internal monitoring and detection capabilities. Together these two information sources are the foundation of a solid threat awareness platform.
- Understand data sprawl. It’s critical to understand how data moves across your organization, and to third parties, in the course of everyday operations. Workflows can cause data to be stored in the cloud, on mobile devices, internationally where data privacy laws differ, and with any number of outsourced third parties. For example, if your company has an internet-facing platform and collects PII, you need to know everywhere that PII goes. Is this information sent to marketing, to an analytics team, to sales for CRM purposes? In the medical field, for example, patient records typically begin in the hospital’s network, but may be sent to a university or a laboratory with a less stringent security posture. Business processes can involve any number of outsourced providers, each of which could make data vulnerable to a breach. It’s essential for companies to understand end-to-end workflows and their implications. When data sprawls, the opportunity for loss increases.
- Create tiers of access to company data. Intentionally and unintentionally, insiders cause more than half of all data breaches. Know who in your organization’s business system has access to your data, including third parties, contractors, and employees, and limit their permissions by defining tiers of access according to role-based needs. This typically requires collaboration between IT, Security and Human Resources, among others.
- Ensure your data protection program includes these critical elements. Security companies and solutions abound, but before you decide where to spend your money, make sure the solution you’re purchasing covers the three most important elements of a data protection program that every company must adopt:
  1. Good data hygiene. Keep only the data you need to operate, or the data required by regulation. The less customer information you retain, the less you have that can be compromised in a breach. Although it’s tempting to keep all of your transaction records, the risk far outweighs the value.
  2. Use encryption where possible. As data flows from one part of the organization to another, or to an outside party, encryption is an effective control to assure privacy across trust boundaries.
  3. Invest in a Data Loss Prevention solution to track valuable data as it moves across your technology footprint. Utilize a DLP to discover the volume of sensitive data stored on the network and to uncover the extent to which data has sprawled to third parties, cloud providers, and mobile devices.
Of course, no technology or process can completely eliminate the risk of a cyber attack. The goal is to maximize your organization’s resilience in the face of evolving threats. Hackers and organizations are in a constant race for technological one-upmanship—hackers to get in, organizations to keep them out and hunt them down. Adopting our five best practices can help reduce the risk of a breach and limit damage in the event of an attack. They can also help an organization withstand scrutiny by regulators and others when a breach occurs, and give the business a better chance of recovering quickly from an assault.