Is it time for security to go back to basics?
10 July 2019
Tim Bandos, Vice President of Cyber Security, Digital Guardian discusses how companies should and can go back to basics to ensure critical data is properly secured.
Let’s face it, there are still too many situations that prove data remains woefully insecure. Long gone are the days when all but the biggest data breaches would make the headlines of non-IT press.
That’s because we’ve become increasingly desensitised to security stories. Today, it takes something huge to turn heads. Whether it’s 300,000 files and directories stolen by a former Tesla employee or the 600 million Facebook passwords ‘hidden’ in plain text, only these most egregious lapses in data security seem to set alarm bells ringing.
But with new data privacy legislation regularly arriving on an international and regional level, we’re entering a new era of accountability – as least as far as governments and regulators are concerned. But this should also mark a point in time where businesses need to get back to basics to radically improve their security success rates.
‘Back to basics’ begins by understanding everything about your data – where it is, how it flows throughout the organisation, who can access it and who can share it. It’s a starting point understood by most, but then ignored by many.
But without that foundation of knowledge, organisations can’t properly classify data and know what files, documents, or intellectual property would be at the greatest risk if compromised. If you don’t know what you’ve got, how can you protect it? But, by implementing a data classification strategy and using tools to break down what sensitive and non-sensitive data exists, organisations can bring some much-needed structure to their data protection strategy.
But how does this work? Generally speaking, data can be classified in a number of key forms: restricted data (if released, it could have a long-lasting, damaging outcome to a company), confidential (it needs to be protected from unauthorised access and contains moderately sensitive information), or public (it’s okay to share publicly and largely non-sensitive in nature).
After data has been classified, companies should ensure the appropriate security controls are in place on a user level, to safeguard it against theft. Policy controls ensure that data can’t be altered, lost, or stolen by malicious, or in some scenarios, well-meaning employees. Trust is really important, but organisations aren’t doing their duty if they overlook the potential for carelessness on the part of employees, because negligent workers have, historically, been among the leading causes of corporate data loss.
But, one of the big challenges for businesses is that all this data rarely exists solely on the corporate network in one convenient space where it’s easy to analyse and manage. Data is free flowing, it lives on laptops, tablets, mobile phones, remote offices, and the cloud. So, not knowing where data resides can have other consequences, like increased third-party risk, employee data theft, or non-compliance.
We all have a role to play
At its most basic level, effective security requires organisations to take control of their data. By implementing data security policies built around role-based access controls, organisations can coach users on who has access to what data and for what purpose, so it becomes an instinctive part of their security strategy.
In addition to being able to track critical data, controls can prevent users from doing certain – potentially problematic things, such as moving, copying, or printing data. To mitigate risk, many organisations opt for controls that limit employee data access so they only have access to data relevant to their job. In these scenarios, admins can employ solutions to make it so users see notifications that explain why their action – be it accessing, moving, or emailing data – may be prohibited.
Some solutions feature policies that enable prompting, blocking, or automatic encryption if a user is handling sensitive data. Others can be configured to outright prevent unauthorised access to sensitive content, tampering, or syncing to cloud environments.
Data protection solutions can help prevent data loss, but maintaining a successful security program is largely dependent on employee awareness and their ability to comply. By teaching employees how to make decisions about the use and protection of data, they’re in a better position to make better judgments on their own around data in the future.
Applying policies to protect data throughout the processing lifecycle, whether it’s in transit, at rest, or in use, ensures the data remains locked down. When implemented effectively, this approach should give admins and organisations peace of mind that data, wherever it is, whatever it is, isn’t going anywhere it shouldn’t.
But, in the event of potential data loss in whatever form, solutions can give admins the ability to take remedial action, thanks to operational and security alerts that can be triggered if a user performs a certain activity. These alerts, which are traditionally built around policies applied to users in organisations, can provide immediate feedback on risks to the IT environment. To avoid cyber alert fatigue and weed out false positives, organisations should prioritise high-fidelity threat alerts.
Data protection is a basic building block of effective IT security. In an era of increasing regulation, if more organisations can become focused and proficient at understanding, managing and controlling their own data, stories about breaches will disappear from the headlines for all the right reasons.
Tim Bandos, CISSP, CISA is Vice President of Cyber Security at Digital Guardian and an expert in incident response and threat hunting. He has more than 15 years of experience in cyber security at a Fortune 100 company with a heavy focus on internal controls, incident response and threat intelligence.