BreachExchange mailing list archives

IT security: Nine top tips to protect yourself from a data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 15 Oct 2015 11:38:37 -0600

http://realbusiness.co.uk/article/31849-it-security-nine-top-tips-to-protect-yourself-from-a-data-breach

The networking environment has changed radically in recent times. In
today’s world of increasing wireless use, widespread BYOD, more home
working, more remote access, more consumer devices and the huge popularity
of social media, the network is becoming ever more distributed.

In this situation, security breaches are inevitable, as is evidenced by the
regular reporting of breaches at major organisations.

These breaches are of course only the tip of a large cyber-insecurity
iceberg. As we have seen from post-mortems, and senior-level sackings, many
of the problems relate to poor management and the oversight of relatively
junior individuals, rather than a fundamental failure of business security
across the organisation.

Security has often been seen as a business disabler rather than an enabler.
It is sometimes seen as a costly nuisance, to be avoided if it impacts
project delivery or performance. The responsibility for all security is
often left to the security team. This attitude is now changing sharply in
many organisations, with a root-and-branch review of security taking place
at many of them.

We’re all (or should be) aware that security is the responsibility of
everyone in the organisation, but sometimes, in the heat of trying to
achieve tactical business objectives, that responsibility gets overlooked.

Although it is no longer possible to guarantee against a data breach, it
is still possible to defend critical data, provided that data is identified
and protected.

1) Define goals

The first place to look is at what is actually important. "Everything" is
the wrong answer. Priority one is what is business-critical or
business-threatening. Then decide what risk profile, and associated costs,
you are prepared to accept in order to defend that key data.

2) Protect the key data

Decide how to protect the key data, rather than just defending all assets
and the whole perimeter. Breach defences need to be in place, alongside
consolidated logging and regular reporting, because breaches are now taking
longer and longer to detect.

This may also shift some defences and focus from broad perimeter defence
to specific areas. All key stakeholders should be aware of the risk
analysis and the risk acceptance involved. This not only gets buy-in and
increases security awareness, it also creates recognition that merely
having a defence does not guarantee security.

3) Risk analysis and risk acceptance

Before any mobile device, access route, application, new technology or
service is added to the company network, it should be signed off as
accepted by the Board and by the proposing department or users, with a risk
analysis as part of the sign-off. Notably, building in security as part of
deployment, rather than after the event, often provides better security at
a lower overall cost.

4) Planning and deployment

Planning for deployment should include the security implementation and
acceptance of the risk. Security needs to be deployed with the solution,
not after the event.

Deployment of security for mobile devices and remote access is a key
element in protecting networks today. Web applications (and indeed the
cloud) present some specific risk points. Understanding and securing data
in these areas needs particular focus, based on the risk and consequences
of failure.

5) Policies

Given the shift from believing security will hold to accepting that a
breach will, or could, occur, policies need to change to reflect this.

Policies need to be clearly communicated, not just contained in a policy
document.

Given the rapid shift in risks around wireless, mobility and social media,
co-opting some younger staff members onto the team can provide enlightening
insights into what the risks really are.

6) Education and staff involvement

Security processes need to be clear, as do the consequences of not
following them. It’s not sufficient to have security policies, if it is
clear to staff that you aren’t managing them and that, actually, nothing
will happen if they don’t follow the correct security procedures. Education
and defence training are essential and should be ‘education’, not just a
list of things staff can’t do.

This is an easy thing to say, but much harder in practice. It needs
leadership from staff at all levels. Given the jaded view of IT security in
some organisations, sometimes deservedly so, it is a difficult culture
change to now embrace security as everyone's responsibility. Training needs
to reflect that.

7) Monitoring and feedback

It is crucial not only to monitor, but also to be seen to be monitoring,
mobile security measures. High visibility and regular feedback to all
staff, on both successes and failures, are very important. Reinforcement
across all levels means that security awareness can become part of the DNA
of an organisation.

8) Analysis

All the relevant stakeholders need regular reporting on the security
landscape, so they are aware of the level of threat and of the levels of
risk they have accepted. Ideally, the Board should also have a disaster
plan ready to implement in case of failure.

9) Forensics

After a breach, particularly one involving mobile devices, organisations
want to understand what happened, what the failure was and what action they
can take. Forensic tools are key to success here. A post-mortem with
findings needs to be produced and delivered so that, assuming the breach
wasn't terminal, lessons can be learned and implemented.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
