As 2015 gets under way, many of us look back on the past year and reflect on its most impactful events. For 2014, one of the most prevalent and concerning themes was data breaches. Breaches moved to the front of many minds with the malware-driven Target breach at the end of 2013, and one of the big changes in 2014 was that top executives started losing their jobs over them. According to the Identity Theft Resource Center, which compiles a weekly breach report, there were 679 data breaches in the report for the week ending November 18, 2014, a 25% increase over the same point in 2013. As netlogx is committed to helping our customers reduce their risks, below is a practical guide to protecting your organization's data.
Data security, and security in general, is everyone's responsibility. As with any topic that spans the entire organization, the key to change or improvement is to address people, process and technology together. A free guide on organizational change that we recommend outlines three keys to successful change: top management sponsorship, engagement from employees, and open and timely communication. We couldn't agree more. Here are some practical approaches to increasing your organization's data security without completely changing the organization or bringing in new technology.
Improvement Starts at the Top
Starting with the "C-Suite", the organization's leaders must be engaged in ensuring that security is a priority. These executives won't be involved in the details of the implementation, nor do they need to know exactly what should be implemented; leave that to the security professionals. Executives must, however, support these activities by giving them priority alongside customer-focused initiatives. They also play a key role in approving and backing good policies, such as a strong password policy or encrypting data at rest. (One caveat on passwords: current guidance such as NIST SP 800-63B favors long passwords screened against lists of known-breached passwords over forced periodic rotation, so make sure the policy you approve reflects that.) The more good security practice is baked into what executives expect, the fewer arguments there are at lower levels about what to implement. So the key is that the organization's leaders (people) set expectations for what should be happening throughout the organization (process) and enable security professionals to implement what's needed (technology).
Another aspect of the people, process and technology triangle is truly engaging employees. Creating awareness among employees is a first but crucial step. Periodic (more than once a year) training or refreshers keep the expectation front and center in employees' minds. Employees can be a great line of defense if there is a mind-set of maintaining security and privacy; they can also be a huge source of risk if there is a lax attitude or a mind-set of "that's someone else's job". Periodic reminders about phishing scams are also recommended and very cheap to do. No employee wants to be compromised, and in most cases paying close attention to the sender, the link target and the urgency of the request will avoid it; make it equally clear that reporting a suspected phish, even after clicking, is the right move and carries no blame. When there is a data breach, open and timely communication reinforces the mind-set by letting employees know that it is taken seriously and, where appropriate, that there are real consequences for inappropriate actions.
Rather than recommending the latest tools, the technology recommendations are boring and straightforward. Fortunately, it is the simple things that are most effective. First, encryption: data should be encrypted in transit, period. This is simple to do, and many organizations now make it their default (for example, Google and WordPress). Note that encryption in transit only protects you if the client actually verifies the server's certificate; a TLS connection that accepts any certificate stops passive eavesdropping but not an active attacker sitting in the middle. Data should also be encrypted at rest. If a disk, laptop or backup goes missing, or a database file is copied off a server, encryption keeps the sensitive data out of reach. Be realistic about its limits: on a running server that is compromised while the decryption key is loaded, the attacker can read what the application can read, so keep keys separate from the data they protect and restrict who and what can use them. Finally, a patch management program ensures that security patches are applied in a timely manner. The exploits used most often target vulnerabilities that are widely known and already have a patch available, but that slow or lazy organizations have not applied yet; prioritize internet-facing systems and vulnerabilities known to be exploited in the wild.
None of the recommendations above are unusual or difficult; they should be familiar to any experienced IT manager. As responsible IT professionals we must resist the urge to cut corners or become complacent just because a data breach hasn't happened yet.