If the headline of this article seems a little too on-the-nose, it’s because it often frustratingly is.
“Another day, another breach,” it seems. While much of the news cycle around data security in recent years is not necessarily due to more breaches happening — but rather an increase in better reporting, oversight and regulation — it’s hard to ignore the very public breaches from high-profile companies in just this calendar year alone.
So the question is: Why does this all seem so commonplace now? Have we all just become so immune to frequent and almost weekly news headlines of large-scale data breaches that solving the problem seems insurmountable? These questions have made me wonder if maybe we aren’t learning the right lessons from the mistakes that others have made.
With the right mindset, data breaches shouldn’t discourage us into inaction, but motivate and remind us why security best practices are so important to follow, and continually question and improve, in the first place. Let’s start with what we should learn from every breach we read and hear about, with takeaways for corporations, IT professionals and the average consumer. But first…
One thing to remember about data security
The unfortunate but important truth to remember about threat reduction is that we can’t stop attackers — we can only slow them down, or make a breach so difficult that they move on to lower-hanging fruit.
I know someone out there is probably thinking, “What are you talking about? We’ve never been breached. Our network is invincible.” To pull from a common phrase, threat reduction is more a journey than a destination. If you ever get comfortable and feel that you’ve arrived at a point of perfect security, that’s probably when you’re at your most vulnerable.
Security takeaways for corporations and their employees
With that in mind, how do we slow attackers down?
First, your company should schedule frequent penetration tests. Our networks change almost daily and those changes affect our security posture, so one of the best ways a company can help protect their data is to add frequent penetration tests to their security plan. And before you ask: yearly is not enough!
Second, in some recent breaches, it was reported that security logs weren’t reviewed or monitored consistently. Some of you might be gasping, thinking, “How could they miss that?” The answer to that question is usually either budget, compliance, incompetence or a combination of all three. To tackle the budget issue, it’s important to have an advocate at the C-level who understands how critical it is to invest in data security and will ensure security resources and funds are adequately allocated; there should really be no excuse not to have a sufficient security budget. For competency and compliance issues, meaningful, thorough training becomes a must.
Continual training goes beyond just the typical phishing simulation tests every employee has gotten in their email inbox. Physical security protocols, and very clear guidelines around employee device and IoT use, are even more important than most companies think. Security training on these things has to be a major focus for your IT department, and they have to be adaptable.
Security takeaways for IT professionals
The reason your IT department has to be dynamic about security training is because the threat landscape is changing constantly, and your internal users will become apathetic if you don’t bring constant awareness to potential hazards.
One thing IT professionals can do to motivate employees to stay vigilant is to ask them, “What did you learn this month? Quarter? Year?” with regard to security and vulnerabilities. This question is useful in 1:1s as a competency check and to help eliminate feelings of “invincibility,” and can also be used as an internal motto or HR talking point to rally the company around security. By constantly asking others and ourselves, “What have you learned?” we’re reminding ourselves of the importance of staying one step ahead of attacks. And as employees measurably demonstrate they are doing everything they can to help protect your company, reward them! A simple Starbucks gift card can go a long way.
With your people properly trained, you can focus on how to configure your systems, software, and tools to keep you safe. “Misconfigurations of X” seems to be the go-to phrase we hear and read almost any time a major breach is reported, to the point where it’s bordering on cliché. So how does an IT team avoid misconfiguring their “X”s? I always tell security folks that you have to first understand how “X” works. I’m not talking about understanding it at the 10,000-foot level, but rather really knowing all the ins and outs. Which APIs does it use? Does it modify any files during installation or deployment? When updates come out, are you provided extensive detail about what changes are taking place? Will those changes affect or violate your security policies? If so, you need to review and rewrite those policies and make sure everyone involved is aware of the changes.
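One way to actually answer “does it modify any files during installation or deployment?” rather than trusting the vendor’s release notes is to baseline the file tree before the install and diff it afterwards. The following is an added example, not code from the original article; the directory layout, file contents and the simulated “installer” in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under `root` (as a relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree cannot pad the baseline."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_snapshots(before, after):
    """Compare two snapshots and report what an install or update touched."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a deployment that silently rewrites a config file
    (widening a listen address) and drops a new helper binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=127.0.0.1\n")
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"placeholder-binary")

        before = snapshot(root)

        # Simulated installer actions (constructed, not a real package).
        (root / "etc" / "app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin" / "helper").write_bytes(b"new helper")

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

Run the same snapshot against the real install root (or a container image layer) and review anything under `modified` against your security policy; a changed listener address or permission file is exactly the kind of “misconfiguration of X” that never shows up in a changelog.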
Regularly monitoring third parties is also a critical practice for slowing down attacks. When we look at past breaches, we see that attackers have breached companies by using connections into the target network via third parties. IT departments need to verify that the third parties they work with have the appropriate security controls in place, maintain ongoing oversight so those controls stay in place, and make sure everyone involved shares the same standard for what constitutes “secure.”
Security takeaways for consumers
I know what you’re probably thinking. “Why should there be a takeaway for me? I didn’t breach my own data.” And you’re right. Companies are ultimately accountable for keeping your data secure and being forthcoming in instances where their security has failed and your information has been compromised. But the fact is your data is out there, and you need to be vigilant in watching out for how your data can be used against you.
Consumers’ voices can have a powerful impact on motivating companies to action and holding them accountable. Evaluate products (both apps and connected devices) with rigor and vote with your wallet by refusing to do business with companies that blatantly disregard security best practices or obfuscate how they use your data. Stay up to date on regulatory action and changes happening around the world so you can be an informed consumer.
Taking all of the action I mentioned above only goes so far if you don’t have your own house in order, so it’s good practice to evaluate whether you’re following security best practices yourself, including using two-factor authentication and secure passwords, and regularly cleaning your system. And maybe don’t download that hot new Russian face-aging app if you aren’t going to read the terms of service first.