IBM Security’s ‘Cost of a Data Breach Report 2019’ points out that the risk for organisations to experience a data breach is reaching up to 29.6% in 2019/2020. Combine this with data published by Risk Based Security, stating that the number of reported breaches in 2019 was 54% higher compared to the same period in 2018, and you’ll realize that the question is not so much if your organisation will experience a data breach, but rather when.
The bad news is that it’s impossible to protect your organisation for 100% against data breaches. Whenever you use computer systems to store valuable data, you are vulnerable. However, there are some measures you can implement to reduce the risk significantly...
Software updates & Encryption
A rather basic – but nevertheless effective – measure consists of updating all of the software that is used in your organisation on a regular base. Make sure you stay informed about all notifications regarding software updates and do not postpone the installation. Keep in mind that software updates often involve patches to fix vulnerabilities. This means your system is vulnerable as long as you do not perform the updates. You should also stop using software that is no longer supported by the manufacturer, as this involves significant risks.
It is also highly recommended to encrypt sensitive data. Even though this will not prevent the actual data breach, it will lower the possible damage resulting from it significantly. At least, if you avoid using outdated password encryption tools like SHA1.
“There are only two types of companies: Those that have been hacked, and those that will be hacked”
Robert S. Mueller III, Director FBI
Best practices for passwords
In general, it’s a smart attitude to keep things simple and straight (‘KISS’). However, when making passwords, you have to do the opposite, as simple passwords can easily be hacked.
However, complex passwords also have a disadvantage: they are difficult to remember. A password manager – an application that automatically generates complex passwords and also retrieve and store them for you – could be the solution. Some of the more sophisticated password managers offer Multi-Factor Authentication (MFA) – more about this in a minute – and biometric access functions for extra safety. Password managers will also make sure your staff does not reuse the same passwords for different applications. It’s indeed very important to avoid using the same passwords across different programs and sites, as cybercriminals often try to use your stolen login from one application to hack into another.
Whether your organisation uses a password manager or not, Multi-Factor Authentication (MFA) – a method where the user has to successfully complete at least two steps before getting access – definitely is a must-have. Oh, and don’t forget to regularly – at least once a year – change all your passwords.
What about third-party vendors & BYOD?
Nowadays, many companies use the services of third-party vendors. This entails additional risks, as the security policy of these vendors might be less extensive than yours. In any case, it’s strongly advisable to limit their access to your systems to the strict minimum. Check if they are compliant with privacy laws and ask them to sign a contract stating they need to take the necessary responsibilities with regard to the protection of your data. Also include in the contract that the third-party vendors may be obliged to pay compensation, in the event that a data breach should occur due to their actions.
Many companies have a BYOD – Bring Your Own Device – policy in which staff is encouraged to bring and use private devices like smartphones and laptops to work. While BYOD surely has its advantages, it surely is an extra challenge when looking at it from a safety perspective. In any case, it is necessary to set-up specific safety rules for those devices and scan them automatically for malware whenever they connect to the organisation’s network.
Less is more
In a not so distant past, it was customary to grant just about every employee full access to all systems and files. However, the more staff members have access, the greater the risk the data falls into the wrong hands. It is therefore strongly recommended to limit staff members’ access strictly to the data and systems on an ‘as needed’ basis. After all, why should an HR employee be enabled to view a customer’s financial information anyway? Furthermore, don’t forget to revoke access rights if a user is inactive for a certain period of time.
However, to get this working properly, you’ll need a dedicated tool which shows you the responsibilities of each individual, as well as a detailed and up-to-date overview of all systems and applications he/she has access to. Elimity’s ‘Insights’ SaaS tool allows you to do this in a matter seconds. It works as a standalone, but can as well get integrated in all major IAM platforms, such as Okta, GSuite, Office 365, Workday, AWS and many more.
Furthermore, it’s recommended to also apply the least privilege approach to the company as a whole. Don’t keep data that you’re no longer going to use anyway and reduce the number of places and devices where you keep the data.
Educate your staff
It is often said that employees are a weak link in the data security chain. Social engineering is one of the main reasons for this. In the context of information security, social engineering stands for a number of methods that attackers use to persuade users to breach security protocol voluntarily one way or another. A commonly used social engineering technique is phishing. A phishing attack often starts with a fake email that appears to be sent by a client or a supplier or trusted co-worker. This is what happened to Sony Pictures Entertainment in 2014. Several Sony staff members received fake Apple ID verification mails, which redirected them to a phishing website. Next, hoping/guessing that some of the staff members used the username and password from their Apple ID also to get access for Sony’s network, hackers were able to steal more than 100 terabytes of data from the Sony servers.
Fact is, it’s vital to educate and train your employees on best security practices. Real world experience shows that a single cybersecurity training is not enough. This is because people need to hear the same message several times – at least seven times, marketing knowledge dictates – before they begin to change their behavior. This means that it’s wise to schedule regular, for instance each quarter, training sessions.
Bring on the experts
If you want to know how well your organization is protected against data breaches, it’s wise to hire an external company for a security audit. An evaluation performed by a neutral third party brings you a clear and complete picture of the current situation, ruling out company politics and preventing staff worrying about their budgets and/or careers.
A security audit will check many data safety aspects of your organization, including network security mechanisms (are they effective and up to date?), orphaned accounts, software (is the software up to date and still supported by the vendors?), data back-up procedures, safety policy for third-party access, encryption & password policies, and so on.
IMT & IRP
It is recommended to put an Incident Management Team (IMT) together and have them develop an Incident Response Plan (IRP) for data breaches. This IRP must be used as a playbook in the event of a data breach and should include – amongst other things – a disaster recovery strategy as well as a business continuity plan.
Hit by a data breach after all?
As we said in the beginning of this article, it’s unfortunately not possible to protect your organisation for 100% against data breaches. However, if you have the misfortune to be affected by a data breach, it is important to react quickly and correctly. In this article, we show a step-by-step approach that helps you to mitigate the damage as much as possible.
PS: Take a look at Elimity Insights, as this SaaS tool significantly reduces the risk of a data breach and helps you find weak spots in your defence system swiftly and easily.