US data breaches have hit an all-time high – How to protect your business

Published February 28, 2018

2017 was one of the worst years for data breaches yet, and it’s only downhill from here. Here’s what you need to do to prepare yourself.

These days, it seems like it’s no longer a question of if your personal information will wind up in the hands of hackers, but when. You can’t even tune into the news anymore without hearing about a security failure or data breach. Fancy Bear’s attack on US Defense Contractors and attempted disruption of the Olympic games are the latest stories to make the rounds, and you can bet money that once the news cycle fades on those two, new breaches will appear to fill the void.

Sensitive data – enterprise, public sector, or otherwise – has never been targeted with quite so much frequency, and the threat surface facing modern organizations has never been greater. You need to start accounting for that. Because if you don’t, your organization might be next on the long list of breach victims.

But where exactly can you start? What can you do to protect your business and its data? How can you ensure that in this era of massive cyber attacks and digital espionage, you come out unscathed?

First, know what you need to protect

The most important tool in your battle against the digital threat landscape is knowledge. You need to know what data your business needs to protect, where that data is stored, who uses that data, how they access it, and why. The most important thing is to understand the flows of data across your network.

For instance, a document containing marketing information on a product launch will likely be shared with both internal staff and external stakeholders. Both parties might open that document on a myriad of devices, from smartphones and tablets to laptops and desktops. Understand where that access takes place, and do your best to identify any potential vulnerabilities (an unsecured wireless network, for example).

Second, know your threat profile

What sort of criminals would want to target your organization, and why?

Are you a healthcare provider that works with data which is vulnerable to ransomware or can be sold for a mint on the black market? Are you a defense contractor that works with classified information a foreign power might want to get their hands on? Are you a consumer device manufacturer whose proprietary blueprints could destroy your competitive advantage if they’re leaked?

That’s your most valuable data, but it’s not the only information that might be compromised. Client lists, employee information, and financial data are all vulnerable as well, regardless of industry or vertical. By acknowledging this – and understanding the intent of the criminals targeting your organization – you can better prepare yourself against them.

Third, talk to your employees

No matter what sort of security measures you put in place and no matter how ironclad your infrastructure, your employees will always be the weakest link. Hackers know that – it’s why phishing scams are still one of the most popular avenues of attack. It’s a lot easier to fool a tired but well-meaning staffer into clicking on a link than it is to target an expensive, complex security system, after all.

You need mandatory security training to mitigate at least some of the risk here. Coach employees on the importance of cybersecurity, and help them understand what they’re protecting and why. It won’t prevent human-based cyberattacks altogether – everyone makes mistakes, even you – but it will allow you to mitigate the risk.

And solutions do exist to address this problem further, as well. We’ll talk more about those in a moment.

Fourth, look at your partners

I recall a story I heard once about a business with a large competitive advantage over its overseas rivals, tied to a proprietary set of technologies present in all their products. This enterprise took cyber security very seriously. Its security perimeter was nigh impenetrable, and its workers all regularly had to undergo rigorous security training.

It still ended up getting breached.

See, a black hat group hired by one of the company’s rivals saw its formidable security posture, and concluded that it wouldn’t be possible to hack the company directly. Instead, it started examining the organization’s business partners. Eventually, the group noticed that one of the manufacturers the organization worked with had incredibly lax security – and that was when they struck.

Next thing the business knew, its designs were in the hands of its competitors, and its advantage in the market was gone.

The lesson in this story is simple. Even if your own security is some of the best in your industry, you cannot trust that your business partners will have the same posture as you. While working only with organizations that have proven cybersecurity can certainly help in that regard, you need to do more.

Finally, put your defenses in place

With all the necessary knowledge in place – the threats facing your business, where your sensitive data is stored, how it’s accessed and used, and your network map – you can now finally lay out your security plans. For this stage, it’s easiest to break what you need to secure down into four categories. These are people, apps, systems, and data.

For apps, consider the following

  • What sort of sandboxing is present on corporate apps to keep them protected against malware and data leakage?
  • Are your corporate apps intuitive and easy to use? Are employees satisfied with their functionality, and satisfied that they do everything they require?
  • How do your applications manage trust and authentication?
  • What sort of controls are in place to keep IT in command of your apps?
  • Who needs what apps, and why?

For people, consider the following

  • How often do you carry out security training sessions?
  • Do you frequently perform security tests such as simulated phishing campaigns or social engineering attacks?
  • How prevalent is the use of personal devices in your workplace, and what are you doing to secure those devices?
  • What sort of password policies have you put in place?
  • If a breach occurs, what processes do you have in place to deal with it?

For systems, consider the following

  • How is access to your physical systems controlled?
  • What monitoring tools do you have in place to log and inspect network traffic?
  • What sort of backups do you maintain? Are those backups able to be quickly air-gapped in the event of an attack?
  • Are there any IoT devices on your network which could present a vulnerability? How are these devices segmented?

For data, consider the following

  • Where is data stored, and how is it organized and accessed?
  • Do you have a means of monitoring and controlling data after it leaves your security perimeter?

Cyber attacks and data breaches have reached an all-time high. Unfortunately, it’s going to get worse before it gets better. Only with a comprehensive approach to, and understanding of, cybersecurity can you protect yourself, and keep your data out of the hands of the people who would misuse it.