Open-access content 5th April 2016
Mark Stevens explains how to avoid the theft of sensitive company data
7 April 2016 | By Mark Stevens
VTech and Snapchat are just the latest in a long line of high-profile organisations to suffer data breaches at the hands of hackers.
Today's cyber attacks may differ in type and origin, but they typically produce the same result - significant data loss.
Data is the lifeblood of most companies and the long-term negative impact on those who suffer breaches demonstrates just how serious the issue of data loss has become today.
But as hackers continue to get smarter and more persistent, what can companies do to protect their most precious information?
Here are five recommendations to help your company keep sensitive data out of the wrong hands:
1. Identify where sensitive data is at risk
Your customers, business partners, and investors will ask what your security posture looks like, so it makes sense to perform a thorough review of your environment to identify gaps where confidential data, including information contained on mobile devices, could be at risk. You don't have to conduct this risk assessment yourself. There are a number of services available that can quickly help you understand where sensitive data lives and how it is being used.
2. Don't rely on traditional security
Almost 100 per cent of large companies have security programs that start and end 'on the network'. Why? Because it's easier. Racking a security device on the network causes very little organisational friction. Yet the IT teams in these companies then spend almost every day purposely punching holes in the network.
Virtual private network (VPNs) are a common example; their widespread use makes them targets for attackers owing to the high number of potential entry points and often lax attitude towards security from users.
These inevitable holes mean the network will always be vulnerable to attackers. Add to this the fact that many employees operate in a mobile environment and demand access to business information on their phones and tablets - devices that traditional network security measures can't protect.
A layered approach to security is becoming increasingly important for companies, with device-focused technologies such as mobile device management (MDM) playing a big role.
3. Focus on data protection solutions
According to the Forrester report The Future Of Data Security: A Zero Trust Approach, traditional perimeter-based approaches to security are insufficient. It says: "Security and Risk (S&R) professionals must take a data-centric approach that ensures security travels with the data regardless of user population, location, or even hosting model."
Several proven data protection solutions on the market ensure security travels with the data.
Called data loss prevention (DLP), these solutions help classify data, put a use policy against it, and strictly enforce it. DLP is a must-have for any company wanting to protect sensitive customer and business data.
If it is made it fractionally harder to steal sensitive information, or data is rendered useless once outside the network, attackers will move to another company that presents an easier target. As data remains the target and its attack surface continues to grow, protecting that data must be at the core of every company's security approach.
4. Outsourcing data protection
A way around the challenges associated with implementing advanced data protection strategies is to outsource to a managed security provider.
Many of these companies have deep DLP expertise and proven infrastructure, meaning that you can concentrate on your business while they keep your data secure. If your IT team is already stretched, this approach gives you the comfort of knowing that customer data is being protected without taking valuable staff time. This will also help you meet the various standards demanded by customers, banks, and other security-sensitive organisations.
5. Step up security training
Employee security awareness is a critical step to protect customer data. Go beyond the annual refresher that no one takes notice of.
Innovative companies are using technologies to help employees self-correct any risky data habits. For example, a customer recently reported an 85 per cent decrease in data use policy violations after six months of using real-time, pop-up prompts.
Sometimes, all an employee needs is a simple reminder of what the corporate policy is, and how to adhere to it.
Customers and business partners will increasingly demand that companies show proof of security and monitoring to protect sensitive data.
The security of the information supply chain is gaining traction within IT security circles and companies are realising that the weakest link in their security posture may not be within their own walls, but rather inside the walls of those with whom they do business.
If you follow the above steps, not only will you be able to demonstrate that you're protecting the data you possess, you'll also be in a position to use your strong security posture as a differentiator.
Mark Stevens is senior vice-president of Global Services