Are you feeling safe about your organization’s personal data because of standard security policies and procedures you have in place? Don’t be fooled by a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation from the top levels down.
The cost of a data breach increased 10% in the past 12 months, the highest increase in the last seven years, according to IBM’s Security Services 2021 Cost of a Data Breach Report. With remote work greatly increasing out of necessity due to the COVID-19 pandemic, cybersecurity is more important than ever. IBM’s report found that remote work directly contributed to a $1.07 million increase in breaches. While security policies and procedures are important in protecting your data, your organization should consider one largely overlooked area of weakness- human error. Examples of human error risk factors include:
- Administrator system misconfiguration
- Not updating systems appropriately
- Not managing system patches
- Default password usage
- Default user ID usage
- Lost devices
- Misplaced devices
- Unlocked devices
- Incorrect disclosure procedures
Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error. Let’s dive into 15 ways your organization can better protect itself against human error and ultimately prevent data breaches.
Security Training & Human Resources
1. Education from the Top Down
It’s no accident that I noted education as the first tip. Individuals in management may think that because they have a seasoned IT security director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the potential cybersecurity risks innate to their organization is important in preventing risks.
The development of policies and procedures to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is necessary in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.
2. Hire Security-Savvy Employees
Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization while trying to implement security controls. When recruiting individuals, management should keep in mind that those they hire will play a paramount role in ensuring the security processes and procedures put in place will be followed.
In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.
3. Develop an Exit Strategy
It’s crucial to create an exit strategy for employees that are leaving your organization. This includes changing passwords, ensuring that computers and personal devices no longer have sensitive information available on them, and developing contracts that include legal repercussion for sharing or utilizing sensitive data.
Limiting Access to Data
4. The Less Data, the Better
Since cyber criminals can only steal information that the organization has access to, one of the major ways to minimize risk is to limit data availability:
- Don’t collect information that isn’t relevant to your business.
- Reduce the number of places where data is physically stored.
- Purge data early and often.
You prevent data breaches by minimizing the amount of data your organization stores on-premises or in the cloud.
5. Zero Trust
Restrict access of resources to only the people who need them. Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are.
For example, if a user needs to read the details from a document to do a portion of their job, they will only be granted privileges to read the document; they will not be able to edit or modify that document in any way.
This restriction around privileges is done intentionally. After all, a zero-trust architecture uses zero trust principles to manage workflow and is designed to assume that an internal network is already infected with various threats. This is a unique mental hurdle for many organizations since most people just assume that an internal network is protected.
6. Purge Your Data Properly
It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.
Too often, employees think that they are getting rid of all their data when they remove files that are located on their desktop, without realizing that other clones of the files are present within the body of the computer. By teaching employees’ proper data disposal techniques, you’re able to minimize the risk of having that data get into the wrong hands.
The Impact of Remote Work
7. Monitor Your BYOD Programs
BYOD or Bring Your Own Device, is a program where employees bring their own technology (computers, tablets, cell phones, etc.) to work. Many organizations allow this type of program so that employees are able to use technology that they have a better understanding of. This reduces training time and increases productivity. Oftentimes, BYOD occurs unintentionally as more of the workforce operates remotely and has daily access to their own devices.
However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.
In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.
By implementing strong BYOD policies that require employees to fully understand the risks inherent with the utilization of their own devices, organizations are able to fully prevent data breaches from happening. These programs should emphasize or consider:
- Password and device-encryption requirements
- Update and patch requirements
- Lost or misplaced device notification for emergency response and remote data-wiping
- Utilization of tracking software
- Establishment of secure app workflows
- Anti-malware software
- Jailbreak prevention
- Device partitioning
The creation of appropriate BYOD management and policies allow for the program to work successfully, instead of becoming a pain point for organizations.
8. Secure Your Networks
Employees are constantly on mobile devices, and often times have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few fake Wi-Fi capture spots that pull sensitive information from these “Hot Spots.”
Ensure the security of your network by investing in a personal or corporate VPN, that way all of the data that is being utilized is appropriately encrypted at the source.
IT’s Role in Security
9. Update Software with All Patches and Updates
Software companies are constantly updating their product in order to ensure that their devices are secure for use. Outside companies are constantly finding new vulnerabilities in their software, and patches and updates allow for organizations to ensure that these vulnerabilities do not affect their business functions. Security and IT teams should not only be aware of the latest software but execute on all patches and updates.
10. Develop “Appropriate Usage” Guidelines for Company Technology
Educate employees on the appropriate usage of organizational technology. This includes when, where and how to login to accounts, how to check their connection to ensure it is reliable and secure, and when not to use devices.
11. Hold Outside Vendors to the Same Standards
By only working with organizations with the correct security and regulatory designations, you are able to prevent data breaches by ensuring all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations, or function outside of governing bodies with strict regulation, it is not cheaper than the consumers that are lost due to a data breach.
Service providers will likely face an increased burden in 2022 to furnish additional attestation and certification documents to comply with each customer’s own vendor risk management programs. Some customers will request standard documentation — like the ISO 22701 certification or a SOC 2 attestation — while others may layer on custom requirements for vendors based on the specifics of their relationship and business. Service providers can also expect to spend more time reporting back to customers as they implement new processes for ongoing oversight of vendors.
At the end of the day, if your vendor makes a mistake – it is your clients on the line, not just theirs.
Preparedness & Disaster Recovery
12. Prepare for the Worst
Establishing a disaster management plan allows for your organization to feel prepared if the worst were to happen. While all of your preparations can help you to prevent data breaches, your risk is never fully mitigated. Being prepared allows your team to have a full understanding of their job in order to prevent the breach from growing, or causing unnecessary customer backlash.
A-LIGN’s Ransomware Preparedness Assessment service review the risk, security preparedness and existing controls utilizing the NIST cybersecurity framework. This assessment allows A-LIGN’s expert to identify any gaps in your organization’s cybersecurity plan, uncover cybersecurity vulnerability through penetration testing and social engineering and ensures you know how to respond if an attack occurs.
13. Test Out Your Disaster Management Plan
Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it becomes a reality.
14. Audit Your Organization Regularly
By auditing your team on their practices, you are able to see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols prior to an issue.
15. Notify Early and Appropriately
If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.
The sooner that your team is able to respond to an incident, the greater the chance you have in being able to manage the potential damage to your organization and its clients. Reporting unusual or suspicious activity is the difference between a major breach and a minor one.
Taking Steps Toward a Fully Secure Organization
I have found that most organizations begin with a combination of VPN and multi-factor authentication, or they adopt a zero-trust architecture, but that is only the start. Every organization needs to understand its own architecture in order to identify its threat surface. Penetration testing can also help to identify and highlight some of these risks.
Ultimately, it comes down to the importance of knowing where your assets reside, and implementing the appropriate security training, policies and procedures needed to protect them.