Whether you obsess about cybersecurity every day or you are completely new to the process, there are certain things that you should consider to make your company’s cybersecurity strategy successful. In this post, we’ll reveal five elements you should include in your strategy, regardless of whether you are the sole proprietor of a brand new business or looking to transform the security posture of a large, well-established organization.
- Understand the difference between compliance and security. In any instance where your company collects personal information or data as part of your relationship with your customers or vendors, you have an ethical if not legal obligation to be a responsible steward of that data. It is not enough to say “we won’t share your personal information” or be able to produce required audit reports if asked, because that’s not really security. The first step to creating a security strategy is knowing what data you collect, where it’s stored, who has access to it, and why. This enables you to establish what is “normal” data use for your organization and makes it much easier to see when someone is trying to steal it.
- Make data security everyone’s responsibility. Forrester Research recently reported that 80% of security breaches involve privileged credentials. That means an insider either unwittingly or with malicious intent exposed their credentials, and likely sensitive personal data, to a cyber-criminal. Another pillar of a cybersecurity strategy should be educating employees on the fundamentals of how to proactively limit exposing their credentials. This can be as simple as asking people to log out of sensitive databases when finished with them or helping them identify a likely phishing attack. An organization like the National Cyber Security Alliance offers great resources to get you started. It’s also important to consider data access control issues. With the right technology, organizations can apply role-based user privilege access control rules to align individuals’ privilege levels with the actual requirements of their job function. Not just once, but on a continuous basis.
- Know your enemy. In the process of analyzing 100 data breaches, the Imperva Research Team identified the four types of attackers from whom you need to protect your assets. The first type is the unwitting or malicious “inside” attacker that usually has access to assets or credentials and is less suspicious. The others are “outside” attackers that either “smash and grab” and take the sensitive information they want and leave; or more concerning, “hang around” undetected for a period of time looking for more opportunities to make mischief. Some use keyloggers, sniffers, and other methods to steal credentials and compromise databases. A security strategy should account for both “inside” and “outside” attackers, and have mechanisms in place to discover and remediate abnormal data exfiltration. It should also provide robust malware detection/prevention capabilities to make it hard to install and spread malware on end-user machines.
- Account for the roles of your cloud vendors and ISPs. Organizations large and small share sensitive data with cloud-native architectures for a myriad of reasons. AWS’ very useful Shared Responsibility Model explains very well that cloud vendors provide secure architectures in which their customers can store data, but it’s the customer’s responsibility to apply their security policy to the data. This detail seems to be lost on the vast majority of organizations. Gartner reports that at least 95% of cloud security failures until 2022 are predicted to be the customer’s fault. Part of your security strategy should be working with all your cloud-native vendors to ensure that their environments are configured to enable full visibility into your data so you can apply your security policy to them. Many retail and services organizations use ISPs to host their websites. They depend on their ISPs to keep their websites up and running regardless of traffic levels. If your website were ever subject to a Distributed Denial of Service (DDoS) attack, an incident whose sole purpose is to make your website and servers unavailable to legitimate users, you could be facing an existential threat. In many instances, to ensure the other websites they host are not subject to diminished performance, an ISP will simply shut down a website under a DDoS attack until it stops. Part of your security strategy needs to account for DDoS attacks and have a solution in place to disperse illegitimate web traffic without shutting down your website and ensure real customer traffic reaches your organization.
- Have a plan for if you are breached. In spite of best efforts, breaches happen and your data security strategy needs to account for what happens next. You should have a disaster recovery plan in place to secure your network, prevent further damage and identify the breach source as well as inform stakeholders and law enforcement. The plan should turn the incident into a positive by ensuring knowledge gleaned during the breach is internalized so it can be used to prevent future incidents.
While these elements are essential, they are not all you need. We strongly recommend working with cybersecurity experts to accurately evaluate your specific threat landscape and help you build a sustainable data security strategy for today and the future.
Try Imperva for Free
Protect your business for 30 days on Imperva.