How to Close the Barn Door
There are two primary aspects to securing corporate digital assets: putting them in a logical vault and securing the perimeter.
Of the more than 9 billion records breached since 2013, only two percent were encrypted. This is like leaving the crown jewels on display 24×7 in the hope that no one will get past the perimeter protections, which will always have gaps. Companies need to encrypt all confidential and sensitive data (PII and corporate) – both at rest and in transit.
Executives should view encryption as the logical vault that locks away the data so that it cannot be accessed without a key. There are numerous hardware and software solutions on the market today that can be used to encrypt data, and their cost is far less than the cost of restoring one’s reputation, data and systems after a breach.
Thus, this should be priority one. Additionally, companies should employ the various access-control, analytics and authentication tools available, and implement industry standards for authentication such as two-factor authentication and biometrics.
Finally, small business owners and IT executives need to address the people and process issues. All employees need to be security conscious and act accordingly.
This has become a rote activity at many firms, and as a result data security ends up lacking. Companies should revisit their security practices, policies and rules of behavior on handling and protecting customer information and other vital data, and on how to recognize damaging phishing emails or those with potential malware attached.
Passwords should be changed to conform to the new guidelines (see recent blog “Passwords – the New Simplified Rules”). Security is everyone’s job and people need to be constantly reminded of it.
HR, IT and Security need to work together to get departing employees’ access rights terminated as close to the point of departure as possible. They must also work to ensure that access rights change when jobs or roles change.
Too many companies let access rights accumulate as individuals take on new assignments, and fail to remove the rights to data that those individuals no longer need to know.
People frequently make assumptions about what they expect from a cloud provider that do not map to reality. Except for SaaS providers, one should always assume security is a joint responsibility and then understand which dimensions belong to the enterprise.
Access rights, especially root access, need to be more tightly restricted. Companies need to carefully vet each cloud provider before contract signing.
Then they should ensure cloud data is safe and secure and that all data access rights are fully understood – not only during the period of use, but also after the contract is terminated while the data is still retained by the cloud provider.
Summary
Data is one of the enterprise’s most important assets. It needs to be proactively protected at all times – no matter where the data is stored.
IT must ensure that the crown jewels are properly encrypted at all times and that a comprehensive set of intrusion detection and prevention systems is in place. Cyber attacks will come, but with the right offense and defense they can be warded off.
Every company must recognize the scale of its data risk exposure and the ongoing requirement to continually raise the bar. The time to act is now – not after the horse has left the barn.
Small business owners and IT executives must determine and achieve an acceptable level of risk exposure, and then implement the set of proactive and reactive processes and tools that will enable them to reach their objectives.