Key security strategies for data breach prevention

If we have learned anything over the last few years about data breaches, it is that they are likely to happen.  However, data breach frequency can be reduced and its impact minimized with some key strategies.

Both response and prevention efforts are greatly impacted by organizational culture.  Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures.  Security is seen as important and vital to organizational success in positive security cultures while it is ignored or even discouraged in negative security cultures.

You can reinforce an existing security culture or bolster a lagging one with some of the same strategies.  The first strategy is to make the topic of security a common one.  Discuss risks in meetings and common decision-making situations.  Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk.  Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.

Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen.  It is also a crucial component of a security culture.  Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort.  Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks.  Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.

Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner.  An effective response can greatly minimize damages to both the organization and its customers.  Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.

Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization.  Responsibility for security lies not only in IT but in the entire organization, from senior management to the factory floor; remote office workers to branch office managers; and from interns to HR.  They will also need a budget to perform these activities.

Choose your CSO or CISO wisely because they will be a driving force behind security initiatives.  They will need to be an effective communicator and leader with good vision and planning skills.  In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience.  Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.

Put the right strategies in place to bring about cultural change, increase awareness, refine and communicate incident response plans.  Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

The case for consistency in security

Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” the organization feels rather than on objective measures such as the number of cyberattacks, vulnerabilities or data breaches.

An organization may put technical controls in place, educate employees and establish new policies immediately following a breach, but over time the technology becomes outdated and no longer protects the organization as it should. Memory of the breach fades, causing exceptions to be made to the firm’s policies and leading to forgetfulness in employee adherence to best-practice procedures. Eventually, another incident causes the organization to spend money again, and the cycle starts all over.

This situation is detrimental to companies in two ways. First, it results in periods when the organization is quite vulnerable. Also, in the end, more money is spent on security than would have been required if security spending were consistent from quarter to quarter. In fact, effective IT security solutions contribute to business success and profitability. Let’s explore this by looking at major areas where security dollars go; technology, governance, and training.

Technology

Technology such as firewalls, Intrusion Detection Systems (IDS), antivirus software, authentication systems or auditing and alerting systems, is essential to protecting organizational information assets but technology is quickly outdated. More sophisticated attacks or better equipment on the part of the attackers necessitates increased investment by organizations to protect themselves.

Consistent spending keeps technology up to date so that it continues to address current risks. It is also much easier to make incremental improvements to address new risks rather than design a completely new solution. Those who maintain security systems have a better understanding of how the product protects against threats and how it can be modified if necessary.

Governance

Governance includes the policies that spell out the organization’s approach to information security such as how users will be authenticated, how data is classified, roles and responsibilities and sanctions for those who do not follow policies. Procedures document how specific tasks are performed to accomplish what is set forth in the policies. When security spending is consistent, policies are updated so that they are in line with business objectives. When inconsistent, policies may conflict with business objectives and the policies are either ignored or business objectives are not met.

Similarly, consistent security spending allows for procedures to be updated as technology and forms of attack change. When spending is irregular, procedures may be followed but won’t adequately protect the organization or informal undocumented procedures may occur — which affects operational effectiveness. Lastly, policies are enforced when security spending is systematic, leading to regular patterns of behavior and a culture that sustains security rather than obstructing it.

Training

Training is also more effective with consistent security spending because it keeps security awareness top of mind. Otherwise, employees will need to be completely retrained on information security because much of the information is forgotten.

So how is security spending addressed in your organization? Is it consistent and proactive or inconsistent and reactive?

Continue reading

Is staying safe online possible?

I was asked a question on Twitter today. The question was, “Is staying safe online possible?” This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as “If big companies can’t protect themselves, what chance do I have?” or “If identify theft is inevitable, what is the point of protecting oneself?” Let’s look at the question in an Aristotelian manner. We first must establish what staying safe is. Let’s start with this definition:

Being safe online is having the knowledge, ability, and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*

Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*

 *harm is being described as the following:

  • Unauthorized disclosure of personal or sensitive information
  • Identify theft
  • Misuse of computing resources due to unauthorized access or presence of malicious code
  • Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails

With this definition in hand, I can now consider whether this is possible. First, this definition means that no harm, as described above, would come to the individual despite the frequency of use as long as they utilized sufficient knowledge, ability, and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in utilizing the Internet and Internet-based resources. So, what if I revise my definition to this?

Being safe online is having the knowledge, ability, and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.

This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information were disclosed, the individual would be able to recognize that disclosure quickly and work with persons and companies to restrict the value the ability of a malicious user to employ the information disclosed and to reduce the amount of damage incurred through use. More specifically, if a person entered a username and password in a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker would have the ability to utilize their credentials. They would also utilize different credentials for other sites so the information gained would have no value if employed for other Internet services.

Using this definition, I believe I could say that it is possible to stay safe online. However, the possibility is not probability. Those that would be safe under this definition must have the knowledge, ability, and opportunity. If the majority of people utilizing the Internet do not have this, then the majority of users are not safe. Our logical step, therefore, is to educate users to give them the knowledge and ability and to make the technology and environment that will provide them with the opportunity something that is available to the majority of users.

Continue reading