Ashley Madison. The Office of Personnel Management. Premera. Anthem. It seems nowadays that cyberattacks and resulting data breaches are happening left and right while showing no signs of slowing. While these data breaches may differ in terms of attack type, origin, and how much/what type of data was lost, all produced the same result.
These examples demonstrate just how serious the issue of data loss has become today. Below are five recommendations that will help your company keep its sensitive data stays out of the wrong hands.
1. Identify Where Sensitive Data is at Risk
Your customers, business partners, and investors will ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where confidential data, including information contained on mobile devices, could be at risk. You don’t have to conduct this risk assessment yourself. Proven services on the market can quickly help you understand all locations where sensitive data lives within your company and how it’s being used.
2. Don't Rely on the Traditional Network Security Focus
Almost 100 percent of large companies have security programs that start and end “on the network.” Why? Because it’s easier. Racking a security device on the network causes very little organizational friction. Yet the IT teams in these companies then spend almost every day purposely punching holes in the network. VPNs are a common example; their widespread use makes them popular targets for attackers due to the high number of potential entry points and often lax attitude towards security from users.
These inevitable holes mean the network will always be vulnerable to attackers. Add to this the fact that many employees operate in a mobile environment and demand access to sensitive information on their phones and tablets, devices that traditional network security measures don’t protect. A layered approach to security is becoming increasingly important for companies, with device-focused technologies such as mobile device management (MDM) playing a pivotal role.
3. Focus on Data Protection Solutions
According to Forrester’s The Future of Data Security: A Zero Trust Approach report, “In this new reality, traditional perimeter-based approaches to security are insufficient. Security and Risk (S&R) professionals must take a data-centric approach that ensures security travels with the data regardless of user population, location, or even hosting model.”
Several proven data protection solutions on the market ensure security travels with the data. Called data loss prevention (DLP), these types of solution help classify data, put a usage policy against it and strictly enforce it. But DLP is no longer optional for any company wanting to protect sensitive customer data. This is the reality of the environment in which we now live and work.
If you make it fractionally harder to steal sensitive information, or render data useless once outside the network, attackers will move to another company that presents an easier target. Several leading analyst companies, including the above mentioned Forrester, are changing the conversation when it comes to data protection. As data remains the target and its attack surface continues to grow larger than ever before, protecting that data must be at the core of any company’s security approach.
4. Consider Using a Managed Security Provider for Data Protection
A way around challenges associated with implementing advanced data protection strategies is to outsource to a managed security provider. These companies have deep DLP expertise and proven infrastructure, meaning you can concentrate on your business while they keep your data secure. They can also improve your security posture much faster than if you implement data protection solutions yourself. Especially for already stretched IT teams, managed security providers give you the comfort of knowing that your customers’ data is being protected without taking valuable staff time. They can also provide the assurances demanded by customers, banks, and other security-sensitive organizations.
5. Go Beyond Traditional Security Training with Positive Social Engineering
Employee security awareness is a critical step to protect customer data. The key to effective employee security training is to go beyond slideware and annual refreshers. Innovative companies are using the prompting functionality in technologies to help employees self-correct data use issues. For example, a customer recently reported an 85 percent decrease in data use policy violations after six months of using real-time, pop-up dialogue box prompts. Sometimes employees need a simple reminder of what corporate policy is, and how they can adhere to it.
Customers and business partners will increasingly demand that companies show proof of ongoing security and monitoring to protect sensitive data. The security of the information supply chain is gaining traction within IT security circles and companies are realizing that the weakest link in their security posture may not be within their perimeter walls but rather inside the walls of those they choose to do business with. If you follow these steps, not only will you be able to demonstrate how you’re protecting their data, you’ll also be in a position to use your advanced security posture as a differentiator with new customers.
