BreachExchange mailing list archives

Data Protection Day: Five steps to securing data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 28 Jan 2015 19:41:29 -0700

http://www.computerweekly.com/news/2240238992/Data-Protection-Day-Five-steps-to-securing-data

Research has revealed that data loss is a top concern of IT executives,
according to data management firm Iron Mountain, which has compiled five
steps to securing data to mark Data Protection Day.

The international initiative, now in its ninth year, is aimed at raising
awareness among consumers and businesses of the importance of safeguarding
data, respecting privacy and creating trust.

The 28th of January was chosen because on that day in 1981, the Council of
Europe passed Convention 108 on the protection of individuals’ personal
data, the root of all data privacy and protection legislation.

Iron Mountain senior product and solutions marketing manager Jennifer Burl
said businesses of all sizes can benefit from tips on how to improve their
data security.

“According to the National Cyber Security Alliance, 50% of targeted cyber
attacks are directed at companies with fewer than 2,500 employees,” she
added.

Burl said there are five steps that businesses can take to keep data safe
and secure to avoid legal and regulatory trouble.

Step 1: Learn where your data lives

“You can't complete your security plan until you know exactly what you're
protecting and where it's stored,” said Burl.

Most businesses store data on multiple media types: local disks, disk-based
backup systems, offsite on tape and in the cloud. Each technology and
format requires its own type of protection.

Step 2: Implement a need-to-know policy

To minimise the risk of human error (or curiosity), create policies that
limit access to particular data sets.

Designate access based on airtight job descriptions. Also be sure to
automate access-log entries so that no one who has accessed a particular
data set goes undetected.

Step 3: Beef up your network security

“Your network is almost certainly protected by a firewall and antivirus
software. But you need to ensure those tools are up-to-date and
comprehensive enough to get the job done,” said Burl.

New malware definitions are released daily, and antivirus software needs to
keep pace with them.

The bring-your-own-device philosophy is here to stay, and your IT team must
extend its security umbrella over smartphones and tablets that employees
use for business purposes.

Step 4: Monitor and inform your data's lifecycle

Create a data lifecycle management plan to ensure the enterprise's secure
destruction of old and obsolete data.

As part of this process, companies should:

- Identify the data you must protect, and for how long;
- Build a multi-pronged backup strategy that includes offline and offsite
  tape backups;
- Forecast the consequences of a successful attack, then guard the
  vulnerabilities revealed in this exercise;
- Take paper files into account, since they can also be stolen;
- Inventory all hardware that could possibly house old data and securely
  dispose of copiers, outdated voicemail systems and even old fax machines.

Step 5: Educate everyone

“Data security is ultimately about people,” said Burl. “Every employee must
understand the risks and ramifications of data breaches and know how to
prevent them, especially as social engineering attacks increase.

“Talk with your employees about vulnerabilities like cleverly disguised
malware web links in unsolicited email messages. Encourage them to speak up
if their computers start functioning oddly.”

Build a security culture in which everyone understands the critical value
of your business data and the need for its protection. “Because when you
think about it, every day is data privacy day,” said Burl.

Educating users to protect the economy

Content management firm Intralinks said many people bring bad security
habits from home into business, so educating users is not just about
protecting them, but also about protecting the economy.

Intralinks chief technology officer for Europe Richard Anstey said it can
be counter-intuitive to tell people to use strong passwords as it creates a
false sense of security that people then bring into work.

“When dealing with very sensitive information, such as internet protocol,
people need to know about very secure measures, such as information rights
management,” he said.

According to Anstey, security is about knowing what the danger is and how
to deploy the appropriate level of protection.

“If we want a truly data-secure society we need to start by ensuring people
know what value their data has, then they can make informed decisions about
how to secure it,” he said.

Too much focus on outside threats

Encryption firm Egress has warned that too many businesses are focusing on
outside threats.

An Egress Freedom of Information (FOI) request to the UK’s Information
Commissioner’s Office revealed 93% of data breaches occur as a result of
human error.

Egress chief executive Tony Pepper said businesses should start looking
closer to home to prevent data breaches.

“Mistakes such as losing an unencrypted device in the post or sending an
email to the wrong person are crippling organisations,” he said.

Pepper added that the FOI data shows a total of £5.1m in fines has been
issued for mistakes made when handling sensitive information, whereas to
date no fines have been levied due to technical failings exposing
confidential data.

“Human error will never be eradicated as people will always make mistakes.
Organisations therefore need to find ways to limit the damage caused by
these mistakes,” he said.

According to Egress, policy needs to be supported by user-friendly
technology that enables safe ways of working without hindering
productivity, while providing a safety net for when users make mistakes.

Businesses need proactive approach to data security

Data governance firm Axway said businesses need to take a proactive
approach to data security in the face of malicious hackers and data
breaches.

Axway Go-To-Market Program vice-president Antoine Rizk said in an
increasingly connected world, businesses need to proactively monitor their
data flows to prevent costly data breaches.

“However, many large organisations still wait for something to go wrong
before addressing the flaws in their security strategies – a move that
backfired in some of the most infamous security breaches of 2014,” he said.

Axway predicts that in 2015, bring your own device will quickly evolve into
bring your own internet of things, with employees bringing wearable devices
into the work place.

“For such increased enterprise mobility to open windows of opportunities
for businesses, without paving the way for hackers to access private data,
security must evolve at the same rate as the devices themselves,” said Rizk.

“Organisations also need to know what data employees are bringing into and
taking out of the office to ensure that malicious attacks and conspicuous
activity are blocked,” he said.

Important to highlight risks on mobile platforms

Application protection firm Arxan said that on Data Protection Day it is
important to highlight the increased risks on mobile platforms,
particularly in the banking and payments sector.

Arxan director of sales for Europe Mark Noctor said the firm predicts the
security risks in the financial sector will be a key threat area for 2015.

“With this in mind, it is vital that mobile application security takes
priority as banks, payment providers and customers seek to do more on
mobile devices,” he said.

Arxan research revealed 95% of the top 100 Android financial apps and 70%
of iOS apps have been hacked in the past year.

The company said: “We would advise banking and payment customers who are
considering the use of a mobile financial application to take the following
steps to increase security:

- Download banking and payment applications only from certified app stores;
- Ask your financial institution or payment provider if their app is
  protected against reverse engineering;
- Do not connect to an email, bank or other sensitive account over public
  Wi-Fi. If that’s unavoidable – because you spend a lot of time in cafés,
  hotels or airports, for example – pay for access to a virtual private
  network that will significantly improve your privacy on public networks;
- Ask your bank or mobile payment provider if they have deployed application
  self-protections for the apps they have released in app stores. Do not
  rely only on mobile antivirus, anti-spam or your enterprise-wide device
  security solutions to protect apps that reside on your mobile device from
  hacking or malware attacks.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 