First Principles of Data Security: The 4 Key Questions You Need to Be Asking
Looking at the volume of recent data breaches, it appears that malicious hackers are becoming increasingly savvy. Maybe. But the more likely cause is that miscreants are walking through doors left open by a legacy of bad security practices – or they are working with people already inside with access to sensitive data.
Dangerous Days for the Unprotected
From unpatched software vulnerabilities to outright negligence, attackers get plenty of help when targeting corporate and government systems. The problem is so bad that US-CERT estimates that 85 percent of all cyber-attacks could be prevented just by patching outdated applications.
On the “insider threat” front, researchers at the law firm Baker & Hostetler LLP studied 139 high-profile breaches from 2014 and found employee negligence to be the cause in a whopping 36 percent of the cases.
So long as attackers find it profitable to infiltrate corporate and government systems, they'll continue to do so. Smart encryption can help protect you in those cases, but only if you know where to start.
Getting Started: Four Key Questions You’ll Need to Answer Too many CEOs and IT leaders address data security in broad strokes, as if everything inside the company ─ every email, every document, every system ─ must be protected with the same level of tenacity. While that is a noble effort, the defend-everything-at-all-costs approach can be as costly as it is ineffective. That’s because what's made to defend an email inbox may not be suited to defend firmware, and what's made to defend a file server may be inappropriate for guarding attached storage.
What to do, then? Take inventory and assess where your company is most vulnerable, and then design a data security strategy to bolster the break points. Asking (and answering) these four questions will get you started:
What data would cost the most if it leaked? Think about the business you're in. Where do you generate revenue? What ensures growth? The systems to guard are those that house crucial data you'll need to keep earning. In the case of TalkTalk, allowing attackers to get access to sensitive personal information may cost the company customers and prospects while drawing the attention of lawyers. Encrypting customer information should have been a top priority for TalkTalk's security team.
Where is it located? You can't protect what you can't find. Once you know what data you have and what needs protecting, you need to go further and identify every system that houses or has access to the most sensitive information. Every one of these touchpoints is a potential problem. Patch them up as needed and be sure that only encrypted data finds its way into these systems.
Who has access to it? Low-level administrators should never gain entry to systems that contain critical, "eyes only" information. And yet so few businesses actually take the step of providing separation of duties for access to information according to the roles and needs of each employee. Find out who could compromise your business by virtue of their proximity to sensitive data and cull the list to only those who need regular access. By relentlessly monitoring those who remain, you'll be more likely to spot unusual patterns in the network as a result.
What protects it? Finally, take stock of what products and protocols you're using to protect sensitive data. Are you taking the best approach? Are you only protecting devices and networks? How easily could a hacker exploit what you have? Adjusting spending accordingly can ensure that at-risk information gets the best possible defense, including the highest levels of encryption.
Sharpen Your Strategy
When it comes to data security, the uncomfortable truth is that you'll never prevent every breach. Nor will you be able to protect every byte of data. The good news is that you don't have to. Get informed about what you have and what needs protecting, and then guard it at every level ─ from the source on up ─ while everything else gets the minimum security you can still be in compliance with the laws of the land.
Sharpening your strategy in this way won’t prevent attacks, either from outside attackers or bad actors already inside. They will, and they may even succeed from time to time. However, they won't be able to exfiltrate information that truly matters to your company or your customers. In an unsure world filled with threats, that's about as assuring as it gets.
Top 30 Targeted High Risk Vulnerabilities
Employee Negligence Biggest Cause of Data Breaches
T-Mobile, Experian Sued Over Data Hack Affecting 15 Million
TalkTalk breach: CEO dismisses encryption, 15-year-old arrested
Cybercrime Is Now More Profitable Than The Drug Trade
List of data breaches and cyber attacks in 2015 – over 480 million leaked records