Data Security Best Practices Not Good Enough
Following data security best practice may give you a false sense of security and leave you vulnerable to potential attacks, says Absolute Software's Ryan St. Hilaire.
By Ryan St. Hilaire, Absolute Software
Following data security "best practice" and adhering to industry standards may not be good for your business. Look at the facts: In 2014, we witnessed devastating data breaches at some of the nation’s largest organizations – organizations with big IT budgets and, presumably, best practice security measures in place.
Research by the Enterprise Strategy Group (ESG) found that 49 percent of organizations have experienced data breaches within the last 24 months and 75 percent have been breached more than twice in that same time frame. These numbers reflect the state of cyber security and the need for CISOs to make 2015 the year to employ Data Defense in Depth strategies.
Cybercriminals are agile and, as long as organizations predictably follow best practice in their security strategies, cybercriminals will remain a step ahead. A telling fact about the recent attacks is the varied methods by which hackers have successfully penetrated corporate networks. Data breaches have stemmed from point-of-sale (PoS) systems, third-party vendors and unencrypted data – and some of the largest attacks have been tracked to a single device or point of entry, resulting in the exposure of millions of personal records.
If we don’t adopt a different approach – one that addresses the multitude of options available to cybercriminals and that can adapt as quickly as attackers adapt – data breaches will continue to occur. No best practice technologies are sufficient on their own. Instead, organizations must apply a Defense in Depth strategy across three stages: threat prevention, incident detection and efficient response.
Organizations often spend most of their information security resources implementing risk management and incident prevention such as the SANS top 20 and anti-virus solutions. These traditional activities are still required, but they only form a single layer within a more complex strategy. To decrease the attack surface across endpoints and networks and to make a successful attack as difficult as possible, organizations must:
Build a foundation of tight controls and processes, unique to your organization. Only you will understand the idiosyncrasies of your organization and your users. Build processes unique to you and ensure user roles are clearly defined. Some users will need the flexibility to download applications and files to get their jobs done. Avoid making changes to individual profiles on an ad-hoc basis. Instead, map user roles to designated formal configuration options to maintain control.
Educate employees to be your first line of defense. According to Forrester, 49 percent of North American and European information workers are not aware of or do not understand the policies in place that are specific to data use inside their company. This is not the fault of the employees. It has been argued that many organizations have overly complex data classifications or ineffective data use policies. By educating employees, you can greatly reduce the risk of vulnerabilities caused by human error. Ensure all staff members have access to proper training, even on subjects that seem rudimentary to you, such as remembering to log off workstations when they leave their desks or keeping their passwords secret.
Employees can be viewed as potential points of failure or potential security checkpoints. With proper training and clear communication of data and device use policies, employees can become the first line of defense against cybercrime.
Learn about industry-specific data breach scenarios. Study threat intelligence to understand the specific types of attacks and patterns. For example, financial services firms are frequently targeted with Web application attacks, retail outlets are frequently targeted with PoS attacks, and media companies are frequently targeted with denial-of-service attacks. Collaborate with industry peers and subcontractors and familiarize yourself with common data breach patterns.
Take a layered approach to security technology. A variety of security solutions will reduce the threat landscape and prevent advanced attacks on your network.
Data encryption is a must. Encrypt all data stored on portable devices, including laptops, tablets and smartphones. Bolster encryption with persistent endpoint security technology to maintain a connection with a device regardless of user or location. Persistence technology ensures that security software reinstalls if it is removed or damaged and will allow you to run encryption and anti-virus status reports to prove these solutions were in place and operational at the time of theft – an important checkbox for data security compliance.
Supplement endpoint security with network-based controls. Network segmentation, granular access controls and tools for continuous monitoring offer real-time intelligence about the devices on the network and the security status of these systems. Finally, automate security remediation activities such as setting new firewall rules or locking down a suspicious device in the case of suspicious activities.
Reduce the attack surface by monitoring your environment regularly so you can easily detect anomalies. Cyber threats evolve constantly, so ensure you conduct regular security audits to identify the vulnerabilities in your network, your endpoints and your employee policies. If you don’t know your weak spots, you can’t properly predict where hackers can gain entry.
Know where your sensitive data resides. Do employees save data to their desktop that should be saved to the network? Is an administrative assistant downloading hundreds of files from the corporate network? A data loss prevention (DLP) tool will help alert you to the presence and movement of sensitive data so you can set alerts for suspicious activity.
Appropriate incident detection depends not only on efficient software, but also upon skilled IT personnel who can make sense of a variety of security anomalies and connect the dots (such as a user name change, unauthorized physical changes to the device or the device location, software vulnerabilities, registry changes or unusual system processes) in order to identify a breach.
Efficient Incident Response
While it is common for organizations to invest in new tools for incident detection, many continue to miss the connection between incident detection and response. For example, during the infamous Target breach, security tools detected malware and generated alarms, but the Target security team didn’t fully grasp the reason behind the alarms and ultimately chose to ignore them.
In the case of a stolen device or rogue employee, ensure your endpoint security software allows you to perform remote actions such as data delete, data retrieval and device freeze and, when necessary, to launch forensic investigations.
We are all just one mistake away from a crisis. Be prepared by creating a formal, comprehensive process for incident response, including remediation actions and crisis management planning. Build a data breach playbook filled with scenarios and response actions. Put escalation levels in place to understand which departments, regulatory bodies and customer groups need to be notified.
To sum up, your data is the very essence of your organization and it requires time, resources, analytics and constant reinvention of security strategies to protect it. With data regulations tightening across all industries, now is the time to act.
Don’t completely write off your existing security strategy and start again. Set your own best practice in data security by taking a holistic approach and adapt your approach regularly to ensure you stay one step ahead. The more layers you put in place, the more likely it is that a hacker will move on to an organization that merely follows traditional best practice in data security.
Ryan St. Hilaire is vice president of Product Management at Absolute Software.