Most companies would be perilously close to financial ruin if they were hit with a data breach and had to absorb the full cost at once. A comprehensive data security program reduces that risk and keeps you financially fit.
The average total cost of a data breach is roughly $4 million, a 29 percent increase since 2013, according to IBM's 2016 study. Its look at global threats indicates breaches are growing in cost, the material being targeted is becoming more diverse, and breaches are happening more often.
The longer a breach goes undetected and unresolved, the more it costs. The best way to spare your company that grief is a data protection plan built to prevent those losses in the first place. Let's look at how to improve data security against bad actors as well as against what Mother Nature throws at companies and data centers. Here are 10 smart methods.
1. Learn What You Have and Want to Protect
Effective data protection starts with knowing what you have, and discovering what you didn't know you had. Inventory your data estate end to end: where customer information is stored, where sensitive data lives across your network, and who has access to each of those files.
Data protection planning should also cover the connection points that can reach your information but aren't necessarily secure. We'll dig into offline devices and patching shortly, but you always start by building a comprehensive picture of what you've got and where it lives.
One practical method is to identify your core, most valuable information and apply the strongest controls you can to it. Then define the minimum level of protection you would accept for that mission-critical data and extend it to every other layer of data where it makes sense.
A culture of data protection is one of the first core steps in a valuable data security solution.
2. Patch, Patch and Patch Again
Your software may have a gaping hole that is easy to fix but simply hasn't been fixed. Addressing known vulnerabilities seems like an obvious step, yet companies large and small routinely overlook it. Patching your servers and software is perhaps the single most critical data protection step you can take.
Consider a 2015 report from Hewlett-Packard that found:
- Roughly 33 percent of exploit samples seen in 2014 targeted a Windows flaw first disclosed in 2010. A patch had been available for years, yet attackers still found plenty of unpatched targets.
- Seven of the top 10 exploits used in 2014 targeted vulnerabilities more than two years old, most of which could have been closed with patches that were readily available.
Your IT team needs a schedule for patches and upgrades across the network: regular patch windows plus a monthly review of newly published vulnerabilities and fixes. Subscribe to your vendors' security advisories, and use free alerting (Google News alerts on the products you run, for instance) to catch coverage in major outlets.
Success here comes right back to the first point: knowing what you have. Today's companies run large, complex networks of systems and applications, so it is hard to know everything that needs patching, and patching and testing across many vendors' products takes time and money.
Prioritize patches for critical flaws, especially ones being exploited in the wild, but keep the routine patching going too: the two-year-old vulnerabilities above were routine patches someone skipped.
3. Restrict What’s Online and Check What Isn’t
How many devices per person are at work and connected to your network? From phones and tablets to servers and even the TV in the breakroom, you probably have a significant number, and it grows even faster than headcount.
Each of these devices is a potential entry point for an attacker, so each needs to be inventoried and monitored. That means a thorough review of your BYOD policy and of every piece of equipment that merely has the ability to connect.
One of the best ways to improve data security is to remove attack surface wherever you can. If a device can connect to the network but doesn't need to, turn that connection off. It's cool that your coffee maker can be told to brew over the network, but that connection is also likely to be a very insecure one; at minimum, put such devices on a segregated network with no path to sensitive systems.
Don't just think small, think of everything:
- Verizon's 2015 Data Breach Investigations Report notes that roughly 25% of enterprise breaches happened via devices that didn't need to be online but were. Insider threats are among the biggest sources of data breaches, and those potential abusers sit closest to every unsecured device and connection you have.
- If it doesn't need to be online, don't put it online. If it no longer needs to be online, take it offline, and make sure decommissioned systems are actually removed rather than left running and forgotten.
We learned that lesson from the Healthcare.gov site. In 2014, attackers got into a server used to test its software and planted malicious code; the goal was to use that server in future DDoS attacks against other sites. A test server that nobody needs to reach from the internet should never be reachable from it.
4. Update Your Sign-On Procedures
Head into your IT help desk and ask about the trouble tickets they get for passwords. Your security team and your employees most likely hate your passwords. So who loves them? Attackers.
Passwords are easy to guess and easy to socially engineer, and people reuse them. That's why attackers go after caches of passwords wherever they can get them: the password from a breached news site or social network just might be the one you use to log in to the network at work.
There are a few options to help you out of the password dilemma:
- First, employ two-factor authentication. 2FA requires both a password and a second proof, typically a one-time code delivered by text message, email or in-app notification, or generated by an authenticator app or a small hardware token that produces a time-sensitive code. Any of these makes it far harder for someone outside your network to get in with a stolen password alone. SMS and email codes are the weakest options because they can be intercepted or phished; hardware security keys that check the site's origin are the strongest, because a phishing page cannot relay them.
- Second, you could drop the typed password as the primary factor and rely on tokens or dongles, an approach taken at large IT brands like Google and Facebook. They use keys that generate codes, or small USB security keys that are plugged into whichever machine you want to access.
- Third, biometrics are growing quickly, from fingerprints and retina scans to voice checks that listen both for the user's voice and for background sounds to confirm who they are and where they are. Remember that a biometric cannot be reset like a password if the stored template leaks, so treat that data as highly sensitive and use it as one factor, not the only one.
5. Encrypt and Check Your Encryptions
Every lost or stolen record of sensitive information, such as a medical record or credit card number, costs an average of $158, according to that IBM report. Encryption does not stop data from being copied, but it denies thieves the ability to read or use what they took.
If a credit card number is stored in the clear, you could be on the hook for every purchase a thief makes with it. If the thief can't read the number, you're on a much smaller hook: helping pay for identity protection for your customers.
Encryption adds some processing cost and makes troubleshooting harder, but it significantly limits the damage a breach can do. Working through incompatibilities within your systems or with your vendors is worth it; it pays for itself the first time a breach occurs.
There are point-to-point options that encrypt card data at the moment of the swipe in your point-of-sale system, and form fields can be encrypted as soon as they are submitted. You may see a small slowdown in operations, but it's hard to overstate the value of encrypting as much sensitive data as possible, both at rest and in transit.
After you've encrypted that data, verify that it is actually encrypted end to end and that there are no gaps. Gaps tend to appear where other systems get involved: check your own applications' hand-off points first (logs, queues, exports and debug output are classic places for plaintext to leak), then check every point where your systems pass that data to a vendor-supplied application.
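A check for those gaps, added as an example and not part of the original article: a scanner that sweeps text from a hand-off point (here a constructed application log) for card numbers that survived in plaintext. The regular expression finds 13- to 19-digit runs, the Luhn checksum filters out order IDs and timestamps that merely look like card numbers, and hits are masked so the scan doesn't create yet another plaintext copy. Every name and the log content below are assumptions made for the demo.

```python
# Added example: sweep a hand-off point for plaintext card numbers.
# Not code from the original article; the log lines are constructed.
import re

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (which is more likely an ID or a hash than a card).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes, most random runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four, the way a receipt prints a card."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_plaintext_pans(text: str):
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


# Constructed sample: a tokenised transaction, a debug line that leaked the
# raw card, an order ID that looks like a card but fails Luhn, and a vendor
# API payload carrying the PAN in the clear.
SAMPLE_LOG = """\
2016-07-01T10:02:11 pos-07 auth ok token=tok_9f3a8c2e amount=41.20
2016-07-01T10:02:19 pos-07 DEBUG raw card=4111 1111 1111 1111 exp=09/19
2016-07-01T10:03:02 web-form order_id=1234567890123 customer=c-8831
2016-07-01T10:03:40 vendor-api payload={"pan":"5555555555554444","cvv":"***"}
"""

if __name__ == "__main__":
    for lineno, pan in find_plaintext_pans(SAMPLE_LOG):
        print(f"line {lineno}: plaintext PAN {pan}")
```

Run the same scan over database exports, message queue payloads and the request logs on both sides of a vendor integration; the first line of the sample shows what a correct hand-off looks like (a token, not a number), and the second and fourth show the two gaps the text warns about, a debug statement and a vendor payload.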
6. Review Your Vendors
If you've been paying attention, you probably know the story we're going to start with. In late 2013, Target suffered a major breach that began when email malware stole the network credentials of Fazio Mechanical, a Pennsylvania HVAC vendor.
You'll want to review your vendors' defenses against all kinds of attacks, from email malware to social engineering and even their ability to withstand DDoS attacks.
Target paid roughly $300 million to investigate the breach, replace equipment and settle with the banks and card issuers that filed class-action lawsuits. How much more it paid on individual and shareholder lawsuits is unclear, and it may still face regulatory costs.
Review your vendor portal access as well. If you give vendors significant access through a portal, for example by letting a portal sign-on use Active Directory credentials, then a compromised vendor can put your entire domain at risk.
If the vendor portal is a weak point, make sure its architecture is built to catch and prevent SQL injection and XSS, which are often the first step in escalating privileges until the attacker reaches all of your internal systems. Now is also the time to reset, reduce or disable the privileges of personnel and contractor accounts while you review them, and to add controls like the 2FA discussed earlier. A vendor account should have only the access its job requires, on a segregated network, for only as long as it is needed.
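What that first step looks like in a vendor portal, shown as an added example rather than the article's or any real vendor's code: a login built by splicing input into SQL beside the parameterised version that closes the hole, plus the same lesson for output (XSS) with and without HTML escaping. The in-memory SQLite table, the vendor account name and the toy password hashing are all constructed for the demo.

```python
# Added example: a vendor-portal login built two ways. Constructed in-memory
# SQLite database; not the article's or any real vendor's code.
import hashlib
import html
import sqlite3


def pw_hash(password: str) -> str:
    # Demo only: real systems use a slow, salted hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vendor_users (username TEXT, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO vendor_users VALUES (?, ?, ?)",
               ("hvac-vendor", pw_hash("correct horse battery"), "vendor"))
    return db


def login_vulnerable(db, username: str, password: str):
    """Input is spliced into the SQL text. A username of  hvac-vendor' --
    closes the quote and comments out the password check entirely."""
    sql = ("SELECT role FROM vendor_users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash(password)))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username: str, password: str):
    """Parameterised query: the driver sends the values separately from the
    SQL, so the database never interprets user input as SQL syntax."""
    row = db.execute(
        "SELECT role FROM vendor_users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


def greeting_vulnerable(username: str) -> str:
    """Reflects the name into HTML unescaped: the XSS side of the same lesson."""
    return "<p>Welcome, %s</p>" % username


def greeting_hardened(username: str) -> str:
    """html.escape turns <, >, & and quotes into entities before rendering."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = setup_db()
    attack = "hvac-vendor' --"
    print("vulnerable login, no password:", login_vulnerable(db, attack, ""))
    print("hardened login, no password:  ", login_hardened(db, attack, ""))
    print(greeting_hardened("<script>alert(1)</script>"))
```

The hardened login also illustrates the privilege point: the query only ever needs SELECT on one table, so the database account the portal connects with should be granted exactly that, not the rights of the application's administrative connection.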
7. Buy Coverage for Your Company
And what did Target teach us? Buy insurance to cover your data, or a breach may leave you without the financial capacity to keep the business running, let alone maintain data protections. Target is a massive retailer, and its insurance covered roughly one-third of its initial costs. That still left a significant remainder, but it was a lot Target didn't have to pay out of pocket.
There are many insurance partners that will work with you to understand policies and requirements, and those requirements may themselves point to existing gaps in your network. Talk to different carriers about what's available, from standard E&O policies to D&O and cyber-risk options, as well as any cyber elements of crime and fidelity or general liability coverage.
Key things to keep in mind are:
- The system and architecture requirements of each policy. You may have to document your current security controls or provide maintenance and patching logs, which is good discipline for your operations anyway.
- Review these requirements with counsel, because they determine whether a claim pays out after a breach; they also give you a useful checklist.
As you consider other protection options, like moving to the cloud, make sure your policy's definition of your computer network covers those moves. That definition also needs to align with your telework, BYOD and travel policies.
You may need tighter control over devices to get better rates, because carriers often want clearly defined ownership and rules for every network access point.
8. Back Up Your Data Regularly
No matter how robust your encryption and protection strategy is, infrastructure fails and natural disasters strike, and when they do you can lose data. Automatic, regular backups are the only reliable way to avoid that loss and keep your systems running.
Your backups can be kept on site, in the cloud or shipped over your network to a satellite office. Any of these can protect mission-critical data, and at least one copy should sit somewhere a failure or attack on the primary site cannot reach; backups are a core component of any sound data security plan.
One important thing: your data needs to be backed up in a way that is usable and useful. Backups need to be independent point-in-time copies, not a live replica of your database. RAID mirrors and database replication protect you from a failed disk, not from a mistake: a command that accidentally wipes your data is faithfully copied to every mirror within moments, and the replica is gone along with the primary.
Avoiding that failure is one reason many companies still rotate physical media off site, though cloud storage options are becoming smarter and let you keep versioned, point-in-time copies without the hassle. Whichever you choose, test a restore regularly; a backup you have never restored is an assumption, not a backup.
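The difference between a mirror and a backup, as an added example that is not from the original article: a stand-in for synchronous replication applies every write to a primary and a mirror, a point-in-time snapshot is taken and checksummed beforehand, and then an accidental DELETE goes through. The mirror ends up as empty as the primary; only the snapshot restores, and the restore refuses a copy whose checksum no longer matches. The SQLite tables, data and class names are constructed for the demo.

```python
# Added example: a live mirror copies mistakes; a point-in-time snapshot does
# not. Constructed SQLite databases in memory; not code from the original.
import hashlib
import sqlite3


def seed() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO customers (email) VALUES (?)",
                   [("a@example.com",), ("b@example.com",), ("c@example.com",)])
    db.commit()
    return db


class MirroredStore:
    """Stand-in for RAID mirroring or synchronous replication: every write
    is applied to the primary and the mirror, destructive ones included."""

    def __init__(self):
        self.primary = seed()
        self.mirror = seed()

    def execute(self, sql: str, params=()):
        for db in (self.primary, self.mirror):
            db.execute(sql, params)
            db.commit()


def take_snapshot(db: sqlite3.Connection):
    """Point-in-time copy as a SQL dump plus a checksum, so the copy can be
    verified after being shipped off site and before being restored."""
    dump = "\n".join(db.iterdump())
    return hashlib.sha256(dump.encode()).hexdigest(), dump


def restore(snapshot) -> sqlite3.Connection:
    digest, dump = snapshot
    if hashlib.sha256(dump.encode()).hexdigest() != digest:
        raise ValueError("snapshot checksum mismatch; refusing to restore")
    db = sqlite3.connect(":memory:")
    db.executescript(dump)
    return db


def customer_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def demo():
    """Returns (primary, mirror, restored-from-snapshot) row counts after a
    fat-fingered DELETE; the mirror is as empty as the primary."""
    store = MirroredStore()
    snap = take_snapshot(store.primary)
    store.execute("DELETE FROM customers")   # the accidental command
    return (customer_count(store.primary),
            customer_count(store.mirror),
            customer_count(restore(snap)))


if __name__ == "__main__":
    print("rows on primary / mirror / restored snapshot:", demo())
```

The checksum step is the "usable and useful" part of the text made concrete: a snapshot that is taken nightly but never verified or restored gives the same false comfort as the mirror.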
9. Migrate Your Data
A hosted cloud environment is often the safest place for an enterprise to store data today, provided it is configured properly. When you use a partner who also invests in IT support and consulting, you get an extra set of eyes on your data and your company's overall security.
Migrating to the cloud not only gives you access to multiple service options with specific security requirements, it also makes the cloud vendor responsible for a wide range of necessary updates, like some of the infrastructure patches mentioned earlier.
A vendor whose business depends on it is more likely to follow through on those updates and patches, while you focus on business continuity and on-demand access to your information. Bear in mind that the responsibility is shared: the provider patches the underlying platform, but your own applications, configuration, access controls and data remain yours to secure.
10. Create Physical Infrastructure Backups
Natural disasters are a major threat to your data and operations, as well as to your people and the business as a whole. When something hits, you'll want to care for people first, so it's best to have data protection already taken care of.
Your data protection plan should combine a cloud or offsite backup with the additional infrastructure that prevents loss or damage on site. Think of the equipment a server room needs to ride out an event: backup generators, redundant temperature controls and multiple fire suppression systems.
Onsite generators, battery backups, uninterruptible power supplies (UPSes), offsite monitoring and similar tools need to be installed and checked regularly. It's a terrible situation to discover that the backups fail during a natural disaster: your services are down, your business is at risk immediately, and there's no telling when support will arrive to fix things.
Create a response plan and test it, continuously. Where possible, install alarms on your UPSes and other backup systems so that a failure never catches you unaware.
These are just 10 of the top data security solutions and elements of effective data protection planning; there are plenty more to consider. MDSi, Inc. can help. To get assistance with these and other areas, visit our networking support tools and equipment page to learn about your options for keeping your data, and your business, safe.