What are you going to do to protect yourself, your customers and your business against hackers and organized criminals attempting to breach your systems for profit? One thing’s for sure – if you haven’t assembled a clear, strong and actionable data security policy subsequent to 2014’s rash of high-profile attacks, then you’re a potential victim. Here are some suggestions to help you protect yourself.
lock it down
More breaches hit the headlines in 2014 than ever before, and these attacks are becoming increasingly sophisticated: 40 million customer card details were made vulnerable when hackers exploited Target’s aircon system, for example. It wasn’t just the big attacks – a Ponemon Institute survey claims 43 percent of companies experienced a data breach in 2014.
The majority of these attacks are made against data held within the enterprise. This includes transactional, historical and business data, among it the types of data you are legally required to keep private and secure under data protection law. That’s a particular problem when it comes to cloud services.
keep it hidden
Things that can be seen can be hacked, so it makes sense to keep things hidden. That’s a concept that stretches from hidden and invite-only LANs to the way data is transmitted over the air or in any other form. Tokenization and strong encryption of data transmissions can both make a difference. In brief:
· Tokenization: Replaces sensitive data with a surrogate value called a token; the original data is restored only at the destination, by looking the token up. This means the data in transit is of no use to anyone who intercepts it without the means to map the token back to the real value.
· Encryption: Algorithms transform the data so that the information can only be recovered with the right encryption key.
Services are reaching market that will also split the data up on its journey. Once split, the data is compressed and encrypted, creating yet more barriers to criminal attack.
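The two bullets above compress a lot, so here is a small worked contrast between the two approaches. This is an added example written for this page, not code from the article or from any vendor it mentions. The card number, the vault and the keys are constructed, and the cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen only so the example runs on Python’s standard library; a production system would use a vetted library and an authenticated mode such as AES-GCM.

```python
"""Tokenization versus encryption of a card number.

Added illustration, not code from the article or any vendor it mentions.
Everything is constructed: the card number, the vault and the keys are made
up, and the cipher is an HMAC-SHA256 keystream in counter mode with an HMAC
tag, used only so the file runs on the standard library alone. Production
systems should use a vetted library and an authenticated mode such as AES-GCM.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

SAMPLE_PAN = "4111111111111111"  # constructed test card number, not a real account


class TokenVault:
    """Replaces a PAN with a same-shaped random token and remembers the mapping.

    The token keeps the last four digits so receipts can still show "ending in
    1111"; every other digit is random, so the token alone reveals nothing
    about the real number. Only the vault can turn it back (detokenize).
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("PAN must be numeric and at least 8 digits")
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that collides with an existing token or a real PAN.
            if token not in self._token_to_pan and token not in self._pan_to_token and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # KeyError for a token this vault never issued


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC with a fresh random nonce; returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Check the tag first; a wrong key or altered ciphertext raises before any decryption."""
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def wrong_key_is_rejected(key: bytes, other_key: bytes, plaintext: bytes) -> bool:
    """True if decrypting under the wrong key fails instead of yielding garbage."""
    nonce, ciphertext, tag = encrypt(key, plaintext)
    try:
        decrypt(other_key, nonce, ciphertext, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("on the wire (token):", token, "-> restored:", vault.detokenize(token))
    key = secrets.token_bytes(32)
    nonce, ct, tag = encrypt(key, SAMPLE_PAN.encode())
    print("on the wire (ciphertext):", ct.hex(), "-> restored:", decrypt(key, nonce, ct, tag).decode())
```

Run it and compare the two "on the wire" values. The token is a different number ending in the same four digits with no mathematical relation to the original, so intercepting it yields nothing without the vault; the ciphertext is random-looking bytes that only the key can turn back, and a wrong key is rejected by the tag check rather than quietly producing garbage. The practical difference is that tokenization keeps the sensitive value out of downstream systems entirely, while encryption still requires every system that holds the key to be protected.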
protect data in the cloud
Gartner recently published a report that highlighted increasing use of Cloud Access Security Brokers (CASB) to enforce company security policies as data goes to the cloud. By protecting data as it is uploaded to or downloaded from the cloud, a CASB can also manage data that crosses national boundaries, which helps meet data compliance legislation requirements.
Along with data protection, enterprises will also need to ensure their solutions have the appropriate third-party certification, such as HIPAA, CJIS or PCI DSS. It’s also important to ensure the solutions you do put in place are equal to or better than those recommended by organizations such as the National Institute of Standards and Technology (NIST) in its Cybersecurity Framework. (The latter is a set of recommendations for use by critical infrastructure providers – so why not learn from it?) One final recommendation is to get used to implementing data encryption at the file level.
target human error
Experian has said that over 80 percent of the breaches it works to resolve begin with employee negligence. In other words, human error undermines security. Common errors to watch for include:
· shared passwords
· lost equipment
· poor premises security
· targeted phishing attacks
· use of non-enterprise file storage
Best practice in passwords and employee security education needs to be in place now rather than after a breach has happened.
Enterprise users also need to prepare for identified vulnerabilities at the heart of the Internet itself. 2014’s well-publicized Heartbleed and Shellshock bugs were weaknesses in widely used code. These problems are deep-rooted and bound into the fabric of the Internet itself, meaning device and operating system manufacturers will be among the first to know about and react to these threats as they emerge. You know what that means, of course:
· Watch for security bulletins
· Keep all your systems updated to the latest OS and security patches
· Maintain system software integrity with recent updates
· Take inventory of all devices and systems on your network
Do you still have veteran PCs connected to your network, running systems that are no longer patched? Those are potential attack vectors and need to be quarantined or replaced.
Every enterprise should put in place – and rehearse – the steps it would take in the event of a breach, across multiple scenarios. This covers everything from backups and cloud servers to employees on the ground, who should know what to do if something happens.
Experian tells us 27 percent of companies don’t yet have a data breach response plan in place. That kind of laissez-faire approach to this challenge is asking for trouble, and if you aren’t taking steps to secure yourself, why would your employees take the time to educate themselves about security risks?
The final tip in this whistle-stop tour of good security: technology is driving fast and constant change across the enterprise. BYOD, wearable devices and the evolution of cloud services on the one hand, and OS transitions such as the end of XP, the launch of Windows 10 and Apple’s annual iOS and OS X upgrades on the other, mean the pace of change, and of the challenges it brings, is becoming much more rapid.
In that kind of environment it isn’t enough to solve each challenge as it arises; instead you should regard data security as a constant evolution – a peer player in change, not a lagging junior partner attempting to play catch-up.
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.