What are Best Practices for Data Security?


Data security relies on defense-in-depth, so there are many parts to a best-in-class data security program. But what is sufficient in one industry may be criminally negligent in another.

Best practices should be adopted to reach at least the minimum level of data security expected in your industry.

1. Data Governance

Data governance is data management 101. Information is grouped into different buckets based on its sensitivity and legal requirements. To limit the risk of data exposure from leaked credentials, users should have access only to the minimum amount of data they need to do their job.

2. Secure Privileged Access Management

Secure Privileged Access Management (PAM) is integral to a data security strategy. PAM empowers organizations to control the permissions of all users so that sensitive data and intellectual property documentation are accessible only to those who absolutely require them. With a secure PAM strategy, cybercriminals who breach one IT boundary will have difficulty reaching every category of sensitive data. This is an especially important security control for highly regulated industries like healthcare.

3. Encryption

Encryption can protect against man-in-the-middle attacks and make it harder for potential attackers to gain unauthorized access to information at rest or in transit. Never store sensitive data in plain text, and avoid providing login credentials to websites that lack SSL certificates.

4. Education

Teach staff how to recognize common cyber threats to transform them into human firewalls. Some of the most common cyber threats staff should be aware of include phishing attacks, email spoofing, domain hijacking, ransomware attacks, social engineering attacks, and the various forms of malware.

Besides cyberattacks, staff should also be trained in cybersecurity best practices such as avoiding public Wi-Fi networks and the basics of OPSEC and network security. The complexity of cyberattacks is rapidly rising, so it is no longer acceptable to rely solely on antivirus programs to prevent malicious code injection. Cybersecurity training needs to become a standard part of staff onboarding programs.

5. Data Security Testing

Test your organization's data security by running simulated spear-phishing campaigns and dropping USB traps around the office. Understand that it is easier to prevent data breaches than to rely on digital forensics and IP attribution to work out what happened after a breach has occurred. Once exposed, data can easily end up for sale on the dark web; many of the biggest data breaches end up there.

6. Incident Response Plan

When your security is compromised, the last thing your organization and your customers need is panic. An incident response plan can limit the amount of data exposed and outline clear next steps to recover lost data or close the attack vector.

7. Regular Data Backups

Ransomware attacks targeting on-premises data centers, or simple accidental deletion, can devastate business continuity, but this can be avoided with regular backups and a Data Loss Prevention (DLP) program.

8. Secure Deletion

Avoid hoarding data no longer in use, including physical data like folders or paper documents. That said, comply with industry guidelines or regulations that dictate how long you must store data.

9. Third-Party and Fourth-Party Vendor Monitoring

Data breaches are often caused by poor security practices at third-party vendors, so you need to monitor and rate your vendors' security performance. An ideal solution should include a real-time automation component that responds to security posture lapses, ensuring that attack surface disturbances are rapidly addressed. According to the latest data breach report by IBM and the Ponemon Institute, automation controls could reduce data breach costs by up to 80%.

10. Accidental Data Exposures and Leaked Credentials Monitoring

Data isn't always exposed on purpose, which is why it pays to continuously monitor your business for accidental data exposures and leaked credentials.
