Cybersecurity, hacking and data breaches remained a major concern in 2016 — from the halls of government agencies, to the evening news, to front page headlines.
Now in the wake of intelligence reports claiming Russian hacks on the Democratic National Committee (DNC) were designed to influence the US presidential election, data protection has never been a hotter topic.
Data breaches don't only affect our government, however. 2016 saw high profile hacks and data breaches impact businesses ranging from Yahoo to Wendy’s. For individuals, identity theft has become such a persistent threat that a billion dollar (and growing) insurance industry has emerged around it.
Security By All, For All
When I thought about what advice I'd give clients, I came up with the following best practice that can apply to companies and individuals alike: Security must be everyone’s job.
What does this mean practically and operationally?
If you treat security as an afterthought or leave it to IT alone, you've already failed. No matter how talented your security team is, hackers will outnumber and outmaneuver them.
Security practitioners need to get their defenses right every time. Hackers only need you to be wrong once. However, by making security a job of all employees, you create an army to protect your data.
Clearly, not everyone in your company is a data protection or security expert — and that's not necessary. But every employee should understand that their data privacy concerns them more than anyone else, and no one should work harder to protect it than them.
This applies not only to their personal information, but also to the data they use every day as part of their job — whether customer data or internal company information. Like any other company policy, security should be a fundamental part of your employment agreement.
How to Create (or Update) a Security Program
So how do you create or update your organization's security program? The four points below will help you get started:
1. Start with continuous and ongoing employee education
This education cannot be a once-per-year training course; it must be pervasive throughout the culture of your company. Social engineering and insider threats are on the rise because attackers usually don’t get in by cracking some impenetrable control – they look for weak points like trusting and untrained employees.
2. In general, give employees the least amount of access/privilege needed to do their job
Unfortunately, overburdened IT administrators tend to give users excessive access to alleviate their heavy workloads. The best practice is to ensure that employees have the least amount of access necessary to do their job.
Review and reduce or proactively confirm access requirements on a regular basis so that privileged access is given when needed, not as the default. This helps limit your security risk.
3. Don’t make your company a target
Strong data lifecycle management policies will help you understand, and limit, the data you have to protect.
As bank robber Willie Sutton reputedly said when asked why he robbed banks, “Because that’s where the money is.” The more valuable the data your company holds, the higher the risk. By understanding the data you hold, you can protect it according to its value (and your risk).
Unfortunately, that assessment is often done reactively rather than proactively. Get to know how data, people and locations weave together to create patterns within your organization.
Monitoring websites and web applications for potential hacks and exploits is now as common as virus scanning. But it leads some organizations to rely solely on their scanning technologies, forgetting that the most costly breaches come from simple failures, not from attacker ingenuity.
4. Breaches often stem from false assumptions about data protection
Too many people fall prey to the false belief that someone else is responsible for protecting data. Security and data protection aren't just the job of your Chief Information Security Officer and Chief Privacy Officer — they're everyone’s responsibility, every day.
With a strong sense of the business's activities and an understanding of how employees interact with data in their day to day work, security and privacy practitioners can better determine policies, procedures and appropriate technical controls.
While building better systems is possible, it’s also possible to compromise those same systems. Just as there is no such thing as perfect security, there is no such thing as a perfect policy, procedure or technical control.
The closest thing we have today is the individual, his or her data and the context of that data combined with good education, tools, training, common sense, discipline and monitoring.