Data protection is the ultimate cybersecurity endgame. For this reason, it’s near the top of the agenda in any security team meeting. They know they need to do all they can to ensure data stays inside the organization and, therefore, will layer software and hardware solutions to make that happen. Their adversaries (threat actors) will do anything to gain access to that data for resale, including damage it, lock it up and demand ransom payments for access.
This battle began because of the importance that data has in a modern digital business; it is the flow of data that makes a business unique. No two are the same and it is critical for data to be well-protected.
As crucial as it is to have technology in place for protecting data, it is just as important to ensure that users have security awareness too, since many breaches begin with an innocent double-click to open a file or email.
Data used to be simple; only stored online to make it easier for us to keep up in the digital age. Examples include one’s name, email address or password, which could be combined with the name of a pet or parent so that it could be easily reset whenever it was forgotten. None of it seemed important, and certainly not perceived to affect anyone’s life, if mislaid.
Fast forward 10 years and all of this has changed. Today, the information that we put online is not only critical, but because of the way that it can be shared across social media and analyzed for targeted advertising, it’s also possible to be used to build a detailed and accurate profile of who you are and what you do every day. Put simply, online data is now a representation of your ‘digital-self’. If anyone gains unlawful access to this information, they are able to make online purchases, take out loans or perhaps cause mischief like stop cell phone contracts or cancel airline tickets.
The same goes for business data, except that the data inside a business has corporate ownership and, therefore, loss of that data could affect thousands of people –or even force the business to close altogether.
Malware attacks are a digital reality for today’s organizations. But with a plan in place to help protect against these types of attacks, risks can be mitigated quickly and within compliance, ultimately strengthening brand equity in the event of a breach. Some useful guidelines for this plan are:
- Invest in an internal cyber-awareness program. These training resources help users understand the importance of the data they work with and the different methods that may be used by an adversary to gain access. Phishing (or spear-phishing) is still the most common attack vector but users also need to learn about malvertising, which can be used to deliver ransomware, watering hole attacks and targeted social engineering. Understanding these different methods will help users better protect themselves and others – inside or outside of the workplace – who may be at risk.
- Understand the data held by your organization. Too often, the immediate reaction following an attack or new compliance requirement is to implement blanket levels of security. This is not the answer. Different data has different business value, access needs and lifecycles. Blanket security means that a PDF on the website becomes as hard to modify as it would be to update a person’s medical records. This becomes too costly and complex to manage, impedes legitimate data use/flows and, over time, data protection will fail as users work to circumvent controls in the name of ‘efficiency’. Understanding your data – where it’s held, what it is, the lifecycle, who (internal and external) needs legitimate access and any compliance requirements – are all key to successful data protection. The project will succeed because data is safe without impacting user access; but should the worst happen, your business is also in the best position to mitigate and move forward.
- Invest only in suitable security products. Given the evolution of data protection and cybersecurity, every business will have covered the basics of firewall, intruder prevention, anti-virus, software web and email gateways. Eventually, there’s a breach and another solution is purchased to prevent the breach from happening again. This knee-jerk response is common, and from as far back as 2016, it was reported that the average enterprise has around 75 different products in use.
In the same way that users are a great first line of defense when armed with good cyber-awareness, the best security solution may be one that you already have. The real challenge is how to extract relevant information and alerts from it exactly when they are needed.
The importance of protecting data and understanding how different types of information can be used for anything from marketing to malware cannot be overstated, as it highlights the need to ensure the strongest possible protection and governance for business data.
It’s all too easy to adopt the wrong approach when protecting data, and finding the right balance that ensures a smooth flow of data within your business is key. The next step is to educate employees and reduce the risk of downloading files from untrusted sources or clicking malicious links.
By Laurence Pitt
Published with permission from forums.juniper.net/t5/Blogs/ct-p/blogs