To paraphrase an old saying, 43 percent of companies admit to having had a data breach, and the other 57 percent are lying about it.
In my last post, I wrote about how businesses need to make security a strategic part of their business, and not just one department to be managed as a cost center.
The first pillar of any security strategy: Understanding that perfect security is impossible, but there are important steps you can take to mitigate the impact and scope of breaches.
That’s a tough pill to swallow, particularly if you’re trying to explain the tradeoffs to less technical peers in your organization. But if it’s any consolation, imperfect security is something every organization has to live with.
Even a top official at the National Security Agency conceded the point, telling a forum that "There's no such thing as 'secure' any more."
"We have to build our systems on the assumption that adversaries will get in," Debora Plunkett said. And that was in 2010, well before the Snowden leaks showed just how insecure NSA secrets could be.
So what can enterprises do to mitigate risks?
- Review what you have: Surprisingly often, companies don’t even realize what data they have. Understand what data protection laws and regulations your company must operate under (such as HIPAA, FERPA, and various state laws), and bring in stakeholders from across departments, including IT and legal, to understand what information your company might have and who might have it.
Regularly update this list, and ensure that all departments are clear about your data management policies. Also make sure you have a complete inventory of what services your company uses, and how to manage the user accounts and data for them.
- Encrypt everything, everywhere you can: Many of the most serious breaches of consumer information over the past year haven’t been high tech hacks or dreaded zero days, but instead the result of poor physical security that was compounded by lack of device safeguards. Modern operating systems now support full-disk encryption, which should be used on all laptops and mobile devices.
Also look at the physical security of your databases, and ensure that sensitive data, or data that could be used to guess or access sensitive data, is encrypted. Train staff on the basics of security, and make clear that storing passwords in Excel files, on sticky notes, or by other unapproved means can have dire consequences.
- It’s better to ask for permission than forgiveness. If you’ve heard otherwise, you don’t work in security. The massive JPMorgan data breach was due to many factors, but neglected permissions settings on one server were a big part of the problem, according to the New York Times. Play out scenarios where different user accounts have been compromised, and see how compartmentalized you can make your access. When somebody gets access to a user’s account, they shouldn’t have access to any more than is absolutely necessary for that user to do their job.
A corollary is to make sure that you’re regularly retiring old users. Particularly for legacy systems, it’s easy to save some time and not clean out old user accounts and permissions. Make sure that every time an employee leaves — or even changes roles — their permissions are adjusted accordingly.
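The two reviews above (playing out a compromised account to see what it can reach, and catching accounts that were never retired) can be scripted against an access inventory. This is an added example with a constructed inventory, not code from the original post; the account, role and resource names are invented for illustration.

```python
from collections import deque
from datetime import date

# Constructed sample inventory (not from the original post).
ACCOUNT_ROLES = {
    "alice": {"sales"},
    "bob": {"sales", "legacy-admin"},   # kept an old role after changing jobs
    "carol": {"dba"},
}
ROLE_GRANTS = {
    "sales": {"crm-app"},
    "dba": {"db-server"},
    "legacy-admin": {"db-server", "file-server"},
}
# What a grant on one resource transitively exposes (a server hosts databases).
CONTAINS = {
    "crm-app": {"customer-db"},
    "db-server": {"customer-db", "payroll-db"},
    "file-server": {"hr-share"},
}
# What each person's job actually requires: the least-privilege baseline.
JOB_NEEDS = {
    "alice": {"crm-app", "customer-db"},
    "bob": {"crm-app", "customer-db"},
    "carol": {"db-server", "customer-db", "payroll-db"},
}
LAST_LOGIN = {"alice": date(2014, 11, 1), "bob": date(2014, 3, 2),
              "carol": date(2014, 10, 28)}


def blast_radius(account):
    """Everything reachable if this one account is compromised."""
    seen = set()
    queue = deque(res for role in ACCOUNT_ROLES.get(account, ())
                  for res in ROLE_GRANTS.get(role, ()))
    while queue:
        res = queue.popleft()
        if res in seen:
            continue
        seen.add(res)
        queue.extend(CONTAINS.get(res, ()))   # follow containment edges
    return seen


def excess_access(account):
    """Reachable resources the job does not need: candidates for removal."""
    return blast_radius(account) - JOB_NEEDS.get(account, set())


def stale_accounts(today, max_idle_days=90):
    """Accounts idle longer than the threshold: candidates for retirement."""
    return sorted(a for a, last in LAST_LOGIN.items()
                  if (today - last).days > max_idle_days)
```

Running the review on this inventory shows that bob's leftover legacy role exposes payroll and HR data his sales job never needs, and that his account has also gone idle.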
Underwritten by HP and Microsoft