Originally published Mar 13, 2016, by Plante Moran.
It’s tempting to imagine your computer systems as airtight vaults, impenetrable and immune to cyberattacks. But this would be a risky move. In reality, IT infrastructure is more like a sponge.
All organizations absorb and retain digital data. Like a sponge, IT infrastructure is porous, often with gaping holes. Data can leak out of these holes when things don’t go according to plan: a staff member might lose a laptop, a system might experience a configuration error, or sensitive information might accidentally be published online. But in today’s world, a more prevalent scenario is what happens when the sponge is squeezed — when a hacker causes a breach that results in a damaging data leak.
Here are five ways to contain your organization’s data.
1. Always encrypt sensitive information.
When a federal computer system was hacked in December 2014, the personal data of nearly 4 million current and former federal employees was compromised. Regardless of whether the hack itself could have been prevented, encrypting this sensitive information from the get-go could have limited the breach.
Due to the high cost of encrypting stored data, you may decide to be selective when it comes to what data to encrypt. You’ll want to consider the data’s sensitivity, as well as the level of security controls that limit access to it. But when data moves outside your control, encryption is a must for confidential information. A company relinquishes control of its data every time a staff member sends an email or takes a laptop, iPad, or other device out of the office. Encrypting these channels and devices protects the information they carry, so that the only consequence of a stolen laptop is a mere loss of hardware.
2. Take passwords with a grain of salt.
A major online retailer was the victim of a large data breach in 2014, when hackers gained access to 145 million user passwords. The company had encrypted the passwords on its network but still instructed customers to immediately change their passwords to further reduce the risk of unauthorized activity.
User-managed passwords are the most common form of authentication and also the biggest security weakness. Not only can passwords be cracked by hackers, but they also place an inordinate level of responsibility on users, both to create sufficiently strong passwords and to not reuse them across multiple systems or online sites. As the future moves toward multi-factor biometric verification — including fingerprint scanning — we’ll approach a stronger, enhanced form of authentication that reduces our reliance on user-managed passwords.
3. Monitor data diligently.
When a major retailer’s credit card terminals were breached in 2013, card data was transmitted to hackers each time a customer swiped his or her card. As a result, approximately 40 million credit and debit card records were stolen. If network monitoring had been focused on the right factors (including traffic volume and source/destination IP addresses), the unusual activity might have been discovered earlier, allowing for a faster response to the breach.
Many companies implement security controls to protect their information systems but forget to monitor them. This is a big mistake, as the porous nature of network infrastructure makes data monitoring a critical step. Fortunately, there are numerous network monitoring tools available that can help you effectively detect breaches on critical servers and databases. Companies can also engage third-party vendors to monitor their networks 24/7.
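The "right factors" named above, traffic volume and source/destination addresses, are enough to build a first detection. This added example (not from Plante Moran, and not a description of any real retailer's monitoring) runs over a handful of constructed flow records, totals each internal host's outbound bytes to external addresses, flags any host whose egress dwarfs the median of its peers, and lists external destinations that are not on a known list. The 10.0.0.0/8 internal range, the log format and the outlier factor are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Assumed internal address space; adjust to your own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (not real logs): "timestamp src_ip dst_ip bytes".
# One host (10.0.5.40) sends ~100 MB to an address nobody else talks to.
SAMPLE_FLOWS = """\
2016-03-01T02:00:11 10.0.5.21 10.0.1.10 4200
2016-03-01T02:00:14 10.0.5.22 198.51.100.7 1800
2016-03-01T02:00:20 10.0.5.23 198.51.100.7 2100
2016-03-01T02:00:31 10.0.5.24 198.51.100.7 1500
2016-03-01T02:01:02 10.0.5.40 203.0.113.9 52000000
2016-03-01T02:03:15 10.0.5.40 203.0.113.9 48000000
2016-03-01T02:04:40 10.0.5.25 198.51.100.7 1900
"""

Flow = Tuple[str, str, str, int]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines are ignored."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((ts, src, dst, int(nbytes)))
    return flows


def egress_by_source(flows: Iterable[Flow]) -> Dict[str, int]:
    """Bytes sent by each internal host to addresses outside the internal ranges."""
    totals: Dict[str, int] = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_outliers(totals: Dict[str, int], factor: float = 10.0) -> Dict[str, int]:
    """Flag hosts whose external egress exceeds `factor` times the median of the other hosts."""
    if len(totals) < 2:
        return {}
    flagged = {}
    for host, total in totals.items():
        others = [v for h, v in totals.items() if h != host]
        baseline = max(statistics.median(others), 1)
        if total > factor * baseline:
            flagged[host] = total
    return flagged


def new_destinations(flows: Iterable[Flow], known: Set[str]) -> List[str]:
    """External destinations reached from inside that are not in the known set."""
    return sorted({dst for _, src, dst, _ in flows
                   if is_internal(src) and not is_internal(dst) and dst not in known})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    totals = egress_by_source(flows)
    print("egress per host:", totals)
    print("volume outliers:", flag_outliers(totals))
    print("unknown destinations:", new_destinations(flows, {"198.51.100.7"}))
```

In production the baseline would come from days or weeks of history per host rather than from the other hosts in the same window, and the "known destinations" set would be maintained from change records; the structure of the check stays the same.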
4. Manage user access.
The 2014 breach at a global financial institution — which compromised more than 80 million accounts — was rooted in the improper management of administrative access. If a hacker gains access to high-level privileges, he or she will have the ability to bypass implemented controls, making it easy to enter and manipulate the system.
Regularly ask yourself who has access to your networks and to what degree. For instance, what level of access is given to third-party vendors? Has access been terminated for staff who have left the company? As a rule of thumb, about 10 percent of user access is not managed properly — an unsafe percentage when it comes to cybersecurity.
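The questions in this section (who has access, at what level, whether vendor and ex-staff access was ended) can be answered mechanically by reconciling the account list against HR and contract records. The following added example (written for this page, not from Plante Moran) runs that review over constructed data: it flags enabled accounts belonging to terminated staff, vendor accounts past their contract end or holding administrative rights, accounts with no recorded owner at all, and accounts unused for a long period, then reports the fraction of accounts with at least one finding. The data, the 90-day staleness window and the finding categories are assumptions.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed records, not from any real directory or HR system.
HR_ROSTER: Dict[str, Tuple[str, date]] = {  # login -> (employment status, termination date)
    "jdoe": ("active", None),
    "msmith": ("terminated", date(2016, 1, 15)),
    "rlee": ("active", None),
}
VENDOR_CONTRACTS: Dict[str, date] = {  # vendor login -> contract end date
    "vendor_acme": date(2016, 6, 30),
    "vendor_old": date(2015, 12, 31),
}
ACCOUNTS = [  # what the directory actually contains
    {"login": "jdoe", "enabled": True, "admin": False, "last_login": date(2016, 3, 10)},
    {"login": "msmith", "enabled": True, "admin": False, "last_login": date(2016, 2, 2)},
    {"login": "rlee", "enabled": True, "admin": True, "last_login": date(2016, 3, 12)},
    {"login": "vendor_acme", "enabled": True, "admin": True, "last_login": date(2016, 3, 1)},
    {"login": "vendor_old", "enabled": True, "admin": False, "last_login": date(2015, 11, 3)},
    {"login": "svc_backup", "enabled": True, "admin": True, "last_login": date(2015, 6, 1)},
]

Finding = Tuple[str, str]


def review_access(accounts, roster, contracts, today: date, stale_days: int = 90) -> List[Finding]:
    """Return (login, reason) pairs for every enabled account that fails a review check."""
    findings: List[Finding] = []
    for acct in accounts:
        login = acct["login"]
        if not acct["enabled"]:
            continue  # disabled accounts are already contained
        if login in roster:
            status, _ = roster[login]
            if status == "terminated":
                findings.append((login, "enabled account for terminated staff"))
        elif login in contracts:
            if contracts[login] < today:
                findings.append((login, "vendor access past contract end"))
            if acct["admin"]:
                findings.append((login, "vendor account holds administrative privileges"))
        else:
            findings.append((login, "no owner in HR or vendor records"))
        if (today - acct["last_login"]).days > stale_days:
            findings.append((login, f"no login in {stale_days} days"))
    return findings


def unmanaged_fraction(accounts, findings: List[Finding]) -> float:
    """Share of accounts with at least one finding (compare with the 10 percent rule of thumb)."""
    flagged = {login for login, _ in findings}
    return len(flagged) / len(accounts) if accounts else 0.0


if __name__ == "__main__":
    today = date(2016, 3, 13)
    results = review_access(ACCOUNTS, HR_ROSTER, VENDOR_CONTRACTS, today)
    for login, reason in results:
        print(f"{login:12} {reason}")
    print(f"unmanaged: {unmanaged_fraction(ACCOUNTS, results):.0%}")
```

Run on a schedule, the same script turns "regularly ask yourself" into a report with an owner for each line; the findings list is also the natural input to a ticketing system so that each item is closed rather than merely noticed.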
5. Re-evaluate your independent testing.
In December 2015, a digital toymaker experienced a breach that exposed the data of 6.4 million children and 4.9 million adults. Even more unsettling is that by linking the accounts of children to their parents, the data ultimately revealed children’s full names and addresses. The company was alerted to the breach by a journalist from the technology news site Motherboard, who had been notified by an anonymous hacker.
This example is a testament to the importance of independent testing; you’ll never know how effective your security really is if you don’t have an outside party test it on a regular basis. Companies should schedule an independent test at least once a year, but infrastructure changes or regulatory compliance standards may require more frequent testing. Supplementing an annual test with smaller-scale monthly or quarterly tests of specific areas also reduces delay when it comes to finding and resolving issues. By continually making improvements throughout the year, you’ll have greater confidence that your multi-tiered cybersecurity strategy is protecting your customers, your staff, and — of course — your reputation.