Key security strategies for data breach prevention

If we have learned anything over the last few years about data breaches, it is that they are likely to happen.  However, data breach frequency can be reduced and its impact minimized with some key strategies.

Both response and prevention efforts are greatly impacted by organizational culture.  Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures.  Security is seen as important and vital to organizational success in positive security cultures while it is ignored or even discouraged in negative security cultures.

You can reinforce an existing security culture or bolster a lagging one with some of the same strategies.  The first strategy is to make the topic of security a common one.  Discuss risks in meetings and common decision-making situations.  Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk.  Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.

Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen.  It is also a crucial component of a security culture.  Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort.  Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks.  Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.

Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner.  An effective response can greatly minimize damages to both the organization and its customers.  Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.

Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization.  Responsibility for security lies not only with IT but with the entire organization: from senior management to the factory floor, from remote office workers to branch office managers, and from interns to HR.  The CSO or CISO will also need a budget to carry out these activities.

Choose your CSO or CISO wisely because they will be a driving force behind security initiatives.  They will need to be an effective communicator and leader with good vision and planning skills.  In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience.  Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.

Put the right strategies in place to bring about cultural change, increase awareness, refine and communicate incident response plans.  Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Future ready cloud security

In 5 to 10 years, the cloud will be as ubiquitous as the Internet is today. It is predicted that 2015 will see a dramatic change in labor and business models as operations shift to the cloud. It will be part of our normal lives, with cloud-based apps running on stereos, watches, mirrors, glasses and many other devices that we interact with or carry with us daily. Software and data will no longer be tied to particular hardware because they will run in the cloud, and you will be able to interact with your data and systems whenever and wherever you are.

The lines between work and home or business and pleasure are already blurred, and they will become increasingly transparent in the years to come. The floodgates of organizational data will be released into a variety of cloud-based systems. Organizations that develop a security-minded cloud culture now will make a better transition into the cloud as it continues to grow. Such cultures will have a framework of policies, procedures, workflows and shared cloud successes that fosters effective cloud security behaviors and habits.

So what does a security-minded cloud culture look like? Provided here are three steps that you can take to start developing it.

The first step is to foster ongoing communication about the cloud, its benefits, and challenges. Create a cloud committee made up of people from different departments and backgrounds within the company and discuss what is working for you and how that can be standardized as an organizational best practice. As part of it, subject ideas to peer review and test assumptions and risks.

Next, create and maintain a data map that details where each type of data is stored and which vendors or third parties maintain it. This is important in case of a data breach, an eDiscovery request, a merger, or many other situations. Empower employees to help maintain the data map through cloud committee discussions about how and where the data is located.

Lastly, be discerning in your choice of products or services. The choice of a cloud provider is not one to be taken lightly or made without an appropriate level of consideration. Cloud vendors should go through a vendor risk management process that ensures they have sufficient security controls in place to mitigate the risks to the type of data they will be hosting. Each vendor can be assigned a risk rating per data classification to make it easy to determine whether a given class of data can be used on the vendor’s platform. Risk management should also take into account any compliance requirements and whether the vendor’s systems adhere to them. Also, ensure that service level agreements are appropriate for your data availability requirements. If this concept sounds foreign, consider classifying your organizational data based on its required confidentiality level and availability needs.

You are most likely planning for growth in cloud utilization, so make sure that the solutions you choose can scale with your business. Choose a vendor that can handle several times the volume you initially would contract for and one that has a track record of success and innovation.

This is an exciting time for we stand at the cusp of great technological change. People and organizations are being given the freedom to utilize technology how, when and where they see fit without having to worry about the underlying architectural complexities or capital expenditures. #BeFutureReady, and know this is your chance to seize the cloud, to harness it or even mold it to accomplish great things. Create a culture that supports secure cloud utilization and make a difference – now and in the future!


Is your culture interfering with data security?

With the ease and prevalence of global expansion, security leaders must understand how to implement security across a global organization to avoid weaknesses, targets for attackers or sources of data breaches. Our natural inclination is to plan based on the culture we know and the experiences we have had, but global security leadership requires a bit more thought in order to be effective.

Business is global. This isn’t new, nor is it surprising that cultural differences, international laws, and workplace practices differ around the world. Businesses have long sought to harness the strengths of particular cultures and, in other situations, to transplant the culture and values of the company’s mother country onto a global labor force. For example, a company with sites in Japan or Italy may have trouble being notified of security issues due to Italy’s “bella figura” or Japan’s “mentsu” concept of keeping face. Employees in those countries may not share the information out of concern for potentially shaming their global counterparts. In such cases, the parent organization may try to impress the value of open communication upon employees from those countries. On the other hand, a company might open research and development offices in Switzerland, Finland, or Singapore due to their high degree of intellectual property rights protection.

Enterprise-wide security programs should consider how security will be effective in different cultures, the differences in legal and regulatory requirements, how company property is viewed, encryption limitations, and language barriers in order to manage security effectively around the world.

Security programs can be more or less effective in different cultures so it is important to not only gather support and feedback from top management but also from leaders in regional centers with differing cultures. For example, separating the office into different security zones, each requiring authentication, may be well received in Western countries such as the United States but Eastern countries like Japan may think this rude and untrustworthy. Similarly, perceptions and priorities of security may differ between countries as shown in this global security survey.

Another important global difference is legal and regulatory requirements. The European Union differs greatly from the United States in its privacy laws, so a security program will need to ensure that the requirements of each country’s laws are met while still maintaining at least the organization’s defined minimum standard of security. Employees from multiple regions working on a single project or the same data will need to follow appropriate procedures to ensure they are complying.

An organization’s response and transparency in handling incidents are related to the legal and regulatory requirements, but they also affect the company’s brand image. Differing cultures may not share the same definition of what constitutes an incident, or communication channels may differ in such a way that incidents are not reported in a timely manner. Global organizations need to provide consistent training to ensure that incidents are properly categorized as incidents and that reporting is done through the established channels.

Global organizations house data in locations around the world, but not all countries have the same definition of company property. If sensitive data is housed in a facility that is seized or breached by the government of the country in which that site resides, private customer data or sensitive organizational data may be lost or disclosed. For this reason, organizations should take special care to house data in countries that have protections for business property and information.

The global organization transmits data between sites in different countries on a regular basis, but some countries may have limitations on the maximum level of encryption that can be used on international transmissions. In some cases, these limitations may present an unacceptable level of risk of data disclosure. In such cases, data may need to stay local to a specific region or some data may be unavailable in certain areas.

The last consideration is probably the most obvious. Language barriers can present difficulties if security procedures and policies are misunderstood in another country. Furthermore, incident response coordination may be more difficult when communication is slowed by language barriers. Incident response plans should specify how communication will be handled between countries with different languages so that information is shared effectively, and policies and procedures should be reviewed after translation to ensure that their meaning has not changed.

The key to an effective enterprise-wide security program lies in establishing and enforcing a minimum standard for security that is implemented at each site regardless of its location. Global business is more complex, but with a little more thought you can save yourself and your organization many security headaches down the road. Make sure that your security is expanding with your business.
