Losing data can be tremendously devastating to a company. It can compromise security, information, and jobs. Today, I will look at twelve actions that a company can take to mitigate the risks of a data breach. These twelve steps (performing a risk analysis, asset identification and classification, attention to detail, encryption, social networking, compliance, management of personnel, least privilege, solution diversity, tracking mobile devices, data destruction and testing) are essential to a company's security program.
1) Perform a risk analysis
The first step in combating the dangers of data breaches is performing a risk analysis.
The risk analysis determines the threats to organizational data and assets and the likelihood of those threats occurring. With this information the organization can create a policy or policies that respond to the results of the risk analysis. These policies should outline the dangers that the IT department could be facing. In addition, security policies often contain protocols and measures taken in order to prevent an attack, and they should be revised often. Businesses are not static, technology is certainly not static, and neither are the risks associated with data breaches.
2) Asset identification and classification
A key part of protecting data is having accurate and up-to-date information about it, including its location, sensitivity and value. The security team should take all of the information available and categorize it. When you have a breach, how do you know what was exposed without asset information?
Imagine a user has a synchronization program that copies their laptop files to a directory on their home network. Could their laptop contain sensitive files that might end up on their insecure network? Even files that are encrypted on the laptop could end up unencrypted when the program copies them to another computer. This example illustrates that without an understanding of your information, it becomes harder to safeguard it.
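As an added illustration of an asset inventory (example code written for this edit, not part of the original article), the Go program below classifies a constructed set of files by scanning their content for markers of sensitive data and sorts the inventory most-sensitive first. The classification levels, the regular expressions and the sample files are all assumptions of the example; a Luhn check is included so that random digit runs are not mistaken for payment card numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Sensitivity levels for this example's assumed classification scheme.
const (
	Public       = 0
	Internal     = 1
	Confidential = 2
	Restricted   = 3
)

var levelNames = []string{"Public", "Internal", "Confidential", "Restricted"}

// Asset is one inventory record: where the data lives and why it was rated.
type Asset struct {
	Path    string
	Level   int
	Reasons []string
}

// Detection patterns (assumed for the example; tune them to your own data).
var (
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	cardRe  = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)
	confRe  = regexp.MustCompile(`(?i)\bconfidential\b`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
)

// luhnValid rejects digit runs that merely look like payment card numbers.
func luhnValid(s string) bool {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// Classify rates a file at the highest level any pattern in its content triggers.
func Classify(path, content string) Asset {
	a := Asset{Path: path, Level: Public}
	raise := func(level int, why string) {
		if level > a.Level {
			a.Level = level
		}
		a.Reasons = append(a.Reasons, why)
	}
	if ssnRe.MatchString(content) {
		raise(Restricted, "SSN-like identifier")
	}
	for _, m := range cardRe.FindAllString(content, -1) {
		if luhnValid(m) {
			raise(Restricted, "Luhn-valid payment card number")
			break
		}
	}
	if confRe.MatchString(content) {
		raise(Confidential, "marked confidential")
	}
	if emailRe.MatchString(content) {
		raise(Internal, "contains e-mail addresses")
	}
	return a
}

// Inventory classifies every file and returns the records most-sensitive first.
func Inventory(files map[string]string) []Asset {
	out := make([]Asset, 0, len(files))
	for p, c := range files {
		out = append(out, Classify(p, c))
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Level != out[j].Level {
			return out[i].Level > out[j].Level
		}
		return out[i].Path < out[j].Path
	})
	return out
}

func main() {
	// Constructed sample files standing in for a laptop's sync folder.
	files := map[string]string{
		"notes/lunch.txt":     "Team lunch is Friday at noon.",
		"hr/onboarding.csv":   "name,ssn\nJane Doe,123-45-6789",
		"sales/q3.txt":        "CONFIDENTIAL - Q3 pipeline, contact jane@example.com",
		"finance/refunds.txt": "card 4111 1111 1111 1111 refunded",
		"misc/ticket.txt":     "order 1234567890123 shipped", // 13 digits, fails Luhn
	}
	for _, a := range Inventory(files) {
		fmt.Printf("%-20s %-13s %v\n", a.Path, levelNames[a.Level], a.Reasons)
	}
}
```

Running it over a real sync directory would replace the constructed map with a directory walk; the output answers the question the section asks, namely what would have been exposed if that folder had leaked.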
3) Attention to detail
Taking the time to pay attention to small details, like an inexpensive flash drive, may sound trivial, but it is not. Flash drives may be simple and cheap to replace, but the information stored on them is invaluable to companies. These devices could hold data files containing company secrets or other information that could compromise a company's well-being.
4) Encryption
Leaving a device, or individual pieces of data, unencrypted is asking for a breach. By encrypting a document or other form of data, the security team can ensure that only people with the proper clearance can access that file. However, files are not the only medium that should be encrypted. Laptops and other devices should have this level of protection, unlocked by a password, as well. This protection is required in order to guard the data stored on the device, and data in transfer, in the event of theft or loss.
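To show what "only people with the proper clearance can access that file" looks like in practice, here is an added example (not from the original article) that seals a constructed document with AES-256-GCM from Go's standard library. The key handling, the use of the file path as associated data and the sample document are the example's own assumptions. Because GCM authenticates as well as encrypts, a copy that has been moved, renamed or altered in transit fails to open rather than yielding corrupted plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit AES key. In a real deployment the key lives in
// a key manager or is derived from the user's passphrase, never next to the file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates doc under key with AES-256-GCM. The file path
// is bound in as associated data, so a ciphertext cannot be quietly moved or
// renamed and still decrypt. Layout of the result: nonce || ciphertext || tag.
func Seal(key []byte, path string, doc []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per file
		return nil, err
	}
	return gcm.Seal(nonce, nonce, doc, []byte(path)), nil
}

// Open reverses Seal. It fails, without returning any plaintext, if the key or
// path is wrong or if a single byte of the blob has been altered.
func Open(key []byte, path string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(path))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document.
	doc := []byte("name,ssn\nJane Doe,123-45-6789\n")
	blob, _ := Seal(key, "hr/onboarding.csv", doc)
	fmt.Printf("sealed %d bytes into %d bytes\n", len(doc), len(blob))

	if pt, err := Open(key, "hr/onboarding.csv", blob); err == nil {
		fmt.Printf("opened with the right key and path: %q...\n", pt[:8])
	}
	if _, err := Open(key, "public/onboarding.csv", blob); err != nil {
		fmt.Println("moved to another path:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Open(key, "hr/onboarding.csv", blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The point of binding the path is the sync scenario from step 2: a sealed file copied to a different location is useless there even if the copy succeeds, and the error on tampering is a signal a monitoring system can act on.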
5) Social networking
Putting a section on social networking within the security policy may seem frivolous. However, with the pervasiveness of websites like Facebook and Twitter, this segment of popular culture can no longer be ignored. People post on Facebook hundreds of times a day and tweet their followers just as often. The reality is that this market is growing and companies should utilize it in full. Companies should also educate employees about the potential pitfalls of sharing too much information on these networking sites and in other places like blogs, webcasts, etc.
6) Comply with regulations and standards
Regulations protect companies, data and individuals by specifying security controls. Compliance with standards and regulations gives a company a well thought out set of security controls. However, these will most likely not be all the controls necessary to protect organizational data, because each company is different and has differing needs. HIPAA, for example, protects PHI (Protected Health Information) but it does not protect trade secrets, so the organization will need to do more before it can call itself secure. PCI-DSS is focused on credit card equipment, the surrounding systems, and those that store or transmit credit card information, but it is not concerned with other systems. Nonetheless, even with that caveat, regulations and standards can bring you part of the way.
In addition to achieving compliance, a company should frequently audit its systems and procedures and implement recommended updates to make sure that it remains compliant. Therefore, certain checks and provisions need to be included in security policies that maintain and develop a process for keeping records up to date.
7) Manage Personnel
Breaches are mainly thought of as coming from outside intruders, whereas the truth of the matter is that the greater threat comes from within the organization. Security departments often become so entrenched against outside attacks that they forget about what happens inside. This oversight should be addressed. Employees should be treated with cordial skepticism, and controls should be in place to restrict insider access and to audit that access.
8) Least privilege
Minimizing data breaches means minimizing the number of people who have access to a particular piece of information. This step goes hand in hand with the management of personnel. Allowing everyone access to everything, or permissions greater than what they need, is not only impractical, it is dangerous. This scenario allows not only for disclosure of data to those who should not see it, but also for malicious or unintentional modification, deletion, or distribution of data. Therefore, a clearance system that filters access based on the importance of the data and on need to know is necessary.
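The clearance system described above, as an added example that is not part of the original article: a read is permitted only when the subject's clearance is at least the object's classification and the subject holds every compartment (need-to-know group) the object requires. Every decision is written to an audit log, which also serves the insider-access auditing called for in step 7, and a small review helper lists compartments a subject holds but has not used. The level names, compartment names, subjects and objects are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Clearance levels, ordered low to high (assumed scheme for the example).
const (
	Public = iota
	Internal
	Confidential
	Restricted
)

// Subject is a user or service; Compartments are its need-to-know groups.
type Subject struct {
	ID           string
	Clearance    int
	Compartments map[string]bool
}

// Object is a piece of data; every listed compartment is required to read it.
type Object struct {
	Name           string
	Classification int
	Compartments   []string
}

// Decision is one audit record, kept for allowed and denied requests alike.
type Decision struct {
	Subject, Object string
	Allowed         bool
	Reason          string
	At              time.Time
}

// AuditLog accumulates decisions so insider access can be reviewed later.
type AuditLog struct{ Entries []Decision }

// CanRead enforces both rules: enough clearance AND every required compartment.
func CanRead(s Subject, o Object) (bool, string) {
	if s.Clearance < o.Classification {
		return false, "clearance below classification"
	}
	for _, c := range o.Compartments {
		if !s.Compartments[c] {
			return false, "no need-to-know for compartment " + c
		}
	}
	return true, "clearance and need-to-know satisfied"
}

// Authorize evaluates a read request and records the outcome.
func (l *AuditLog) Authorize(s Subject, o Object) bool {
	ok, why := CanRead(s, o)
	l.Entries = append(l.Entries, Decision{s.ID, o.Name, ok, why, time.Now()})
	return ok
}

// Denied returns the refused requests, the entries a reviewer reads first.
func (l *AuditLog) Denied() []Decision {
	var out []Decision
	for _, d := range l.Entries {
		if !d.Allowed {
			out = append(out, d)
		}
	}
	return out
}

// UnusedCompartments lists compartments a subject holds but never exercised
// over a review period: candidates for removal under least privilege.
func UnusedCompartments(s Subject, used []string) []string {
	seen := make(map[string]bool, len(used))
	for _, u := range used {
		seen[u] = true
	}
	var out []string
	for c := range s.Compartments {
		if !seen[c] {
			out = append(out, c)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed subjects and objects.
	alice := Subject{ID: "alice", Clearance: Confidential, Compartments: map[string]bool{"HR": true, "FINANCE": true}}
	payroll := Object{Name: "payroll.xlsx", Classification: Confidential, Compartments: []string{"HR", "FINANCE"}}
	merger := Object{Name: "merger.docx", Classification: Restricted}
	audit := &AuditLog{}
	audit.Authorize(alice, payroll)
	audit.Authorize(alice, merger)
	for _, d := range audit.Entries {
		fmt.Printf("%s -> %s: allowed=%v (%s)\n", d.Subject, d.Object, d.Allowed, d.Reason)
	}
	fmt.Println("unused compartments for alice:", UnusedCompartments(alice, []string{"HR"}))
}
```

Both checks must pass: clearance alone is not enough, which is what keeps a highly cleared employee from reading data their job never touches. The unused-compartment report is the periodic review that turns "least privilege" from a policy statement into an actionable list.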
9) Solution Diversity
Utilizing different levels and types of technologies provides the maximum amount of protection against malicious attacks. Step away from using just one firewall and instead use multiple firewalls from different vendors. For example, you could use a Cisco firewall with an additional Check Point firewall behind it. Protection should begin at the network and trickle down the line until it gets to the host. Anti-virus software as well as Network Access Control (NAC) should be utilized in the protection of data. NAC allows companies to track what devices access their servers and where each device is located, and to apply policies based on the state of the device, such as whether or not it has up-to-date antivirus definitions.
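The device-state policy that NAC applies, as an added example (not code from the article or from any NAC product): the Go program below evaluates a constructed fleet against thresholds for antivirus definition age, patch age and disk encryption, and reports every finding behind each decision. The field names, thresholds and the allow/quarantine/deny outcomes are assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Posture is the network admission decision for one device.
type Posture int

const (
	Allow      Posture = iota // full access
	Quarantine                // remediation network only
	Deny                      // no access
)

func (p Posture) String() string {
	return [...]string{"allow", "quarantine", "deny"}[p]
}

// Device is the state reported by the NAC agent (fields assumed for the example).
type Device struct {
	ID            string
	Managed       bool      // enrolled in the company's device management
	DiskEncrypted bool
	AVUpdatedAt   time.Time // when antivirus definitions were last refreshed
	OSPatchedAt   time.Time // when the OS was last patched
}

// Policy holds the thresholds an admission check is judged against.
type Policy struct {
	MaxAVAge          time.Duration
	MaxPatchAge       time.Duration
	RequireEncryption bool
}

// DefaultPolicy is a constructed baseline, not a recommendation from the article.
func DefaultPolicy() Policy {
	return Policy{MaxAVAge: 3 * 24 * time.Hour, MaxPatchAge: 30 * 24 * time.Hour, RequireEncryption: true}
}

// Evaluate returns the posture and every finding that contributed to it.
// An unmanaged device is denied outright; a managed device that fails any
// check is quarantined so it can be remediated rather than simply blocked.
func (p Policy) Evaluate(d Device, now time.Time) (Posture, []string) {
	if !d.Managed {
		return Deny, []string{"device is not enrolled in management"}
	}
	var findings []string
	if p.RequireEncryption && !d.DiskEncrypted {
		findings = append(findings, "disk is not encrypted")
	}
	if age := now.Sub(d.AVUpdatedAt); age > p.MaxAVAge {
		findings = append(findings, fmt.Sprintf("antivirus definitions are %s old", age.Round(time.Hour)))
	}
	if age := now.Sub(d.OSPatchedAt); age > p.MaxPatchAge {
		findings = append(findings, fmt.Sprintf("OS last patched %s ago", age.Round(time.Hour)))
	}
	if len(findings) > 0 {
		return Quarantine, findings
	}
	return Allow, nil
}

// Summarize counts a fleet by posture, the figure a periodic report would carry.
func Summarize(p Policy, fleet []Device, now time.Time) map[Posture]int {
	counts := map[Posture]int{}
	for _, d := range fleet {
		posture, _ := p.Evaluate(d, now)
		counts[posture]++
	}
	return counts
}

func main() {
	now := time.Now()
	p := DefaultPolicy()
	// Constructed fleet of three devices in different states.
	fleet := []Device{
		{ID: "lt-001", Managed: true, DiskEncrypted: true, AVUpdatedAt: now.Add(-6 * time.Hour), OSPatchedAt: now.Add(-7 * 24 * time.Hour)},
		{ID: "lt-002", Managed: true, DiskEncrypted: false, AVUpdatedAt: now.Add(-10 * 24 * time.Hour), OSPatchedAt: now.Add(-7 * 24 * time.Hour)},
		{ID: "byod-9", Managed: false},
	}
	for _, d := range fleet {
		posture, findings := p.Evaluate(d, now)
		fmt.Printf("%-7s %-10s %v\n", d.ID, posture, findings)
	}
	fmt.Println("summary:", Summarize(p, fleet, now))
}
```

Returning all findings rather than stopping at the first one matters operationally: the quarantine page shown to the user, and the ticket raised for the help desk, can list everything that needs fixing in one pass.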
10) Track mobile devices
The risk to companies grows with the adoption of smartphones, tablets, and other personal data devices. While these devices make checking Facebook a breeze, they can also be hacked, stolen, or lost. These potential pitfalls can wreak havoc on a company. Therefore, a policy should be put in place outlining expected actions and the reasonable security controls needed to reduce the risk of mobile data loss. Some companies opt to have employees carry a work device in addition to a personal device, in order to keep data separate and easier to track. Other options include a mandatory memory wipe or the installation of software that allows the company to remotely wipe the device if necessary.
11) Destroy old documents, data, and hardware
In order to limit the risk of a breach, limit the documents and data available. Company data and other documents run their course, and after they have outlived their usefulness they should be discarded. However, the destruction of the material and of the hardware on which it is stored should be monitored and regulated within the data destruction policy, so that a consistent and effective procedure for removing data is applied.
12) Test the system
One of the final steps, and one that should be repeated often, is testing the system. An independent, third-party auditor should be hired for the sole purpose of testing the system. These tests should be geared towards sniffing out flaws in the system. The flaws should then be addressed and the risk policies updated.
Practice performing a risk analysis, asset identification and classification, attention to detail, encryption, social networking, compliance, management of personnel, least privilege, solution diversity, tracking mobile devices, data destruction and testing. These twelve tips and steps are the necessities when it comes to preventing data breaches. There are, however, many other methods and approaches a company can take. These approaches are outlined in my further reading.