News about data breaches seem to be the new normal—not just for corporations, but for governments, as well. We’re hearing more about state-sponsored hackers equipped with the resources to influence national elections.
Most organizations are unlikely to find themselves in state-sponsored crosshairs, but you can still learn from the vulnerabilities such hackers exploit. As a security professional, you can protect your business from data breaches by establishing and maintaining a two-pronged approach:
- Be a tougher target
- Prepare for the worst
Cut off the paths of least resistance
State-sponsored or not, most hackers will look for the path of least resistance. For example, many companies require badge access for their campuses and authentication on every provisioned networked device. Their security teams have monitoring tools tracking activity on their networks. They’ve locked the doors, but they may have inadvertently left some windows open by neglecting these key steps:
- Make security everyone’s responsibility. Companies should actively work with employees to raise awareness of social engineering scams—such as phone calls requesting users to reset passwords—and promote security best practices. As a security professional, you should let your teammates know that everyone needs to be in the game.
- Compartmentalize your information. Segment your data as much as you can. That way, if someone gets in, they can only go so far.
- Lock everything down, within reason. Have sound security policies for everything that touches your network. Lock down devices to the tightest level possible that still allows you to conduct business. And don’t forget the Internet of Things devices that connect to your network, such as smart vending machines. Leaving the manufacturer-issued password in place puts your company at risk.
There’s a balance between privacy and security that organizations and the governments under which they operate need to strike. The degree to which you lock down your systems may be tempered by agreements your business has with the powers that be.
Sometimes, that balance is based on your customers, as well. Biometrics technology, for example, has been around for years, but few solutions incorporate it because most customers haven’t warmed up to it yet.
Get with the times
Updating your security methods can also lower your risk of a data breach. The security industry still has a long way to go to mature; for example, the basic US social security number system has been breached so many times that there’s not a social security number out there that is safe today. In the same vein, you can’t continue to use technology that’s 10 or more years old and feel safe with it. You’ve got to be looking for where to go next and what to do to continue to shake up the status quo.
Security communities have not invested in that enough—vendors included. We don’t have central dashboards yet where you can get a picture of everything that’s going on. Right now, organizations cobble together different security solutions while wishing they had one view that could do it all. Businesses can also mature in that respect by realizing they can drive this initiative and push for better.
Many cybersecurity teams are stretched thin due to budget constraints. Businesses need to invest more so they can put resources in place to effectively enact security policies and address potential vulnerabilities. Raising the profiles of CISOs—by having them report to the board of directors, for instance—can boost awareness of security issues and make funding solutions a higher priority.
Plan ahead for when the inevitable happens
Despite taking every precaution, sooner or later your organization will be the victim of a successful cyber attack. In light of that, you need to take a holistic approach to security: detect and protect, but also make sure you can recover. You’ve got to plan for your company to be breached. Ask yourself, “What are we going to do if we have a data breach? How do we react? How do we minimize the damage and get back up and running?” Having a plan in place before a hacker gains access can mitigate the effects and restore normal operations faster.
Every company hopes to avoid making headlines because of a cyber attack. As a security leader, it’s important you make your company the smallest possible target by implementing a multifaceted security strategy. But it’s equally important you prepare for the worst and have a thorough recovery plan.
Looking for more tips and tricks to protect your business? Check out this video: