Most successful companies today, whether enterprises, mid-market, or small businesses, are either based online or have a firm online presence. The reality is that just by conducting business online, any one of these companies can suffer a data security breach. Fortunately, there are some universal rules for securing data that every company doing business online can learn from and benefit from.
Since Digital Guardian strives to provide data security solutions that are both diagnostic as well as proactive, we wanted to offer some data security tips that would apply to many companies doing business online. More specifically, we wanted to compile tips from data security experts on the most common (and avoidable) mistakes companies make when it comes to securing their data. To do this, we asked 30 data security experts to answer this question:
"What are the biggest mistakes companies make with data security?"
We've collected and compiled their expert advice into this comprehensive guide on data security for businesses. See what our experts said below:
Meet Our Panel of Data Security Experts:
Casey Fleming
Casey Fleming is Chairman and CEO of BLACKOPS Partners Corporation, the global leader as advisors to the Fortune 500 on Information Security: Cyber, Human (Insider Threat), and Physical. Prior to BLACKOPS, he served as CEO of Strategic Security Partners, SVP & GM of Good Technology and held executive positions with Deloitte Consulting and IBM Global Services.
The biggest mistakes companies make with data security are...
- Failure to understand the true threat against their employees, suppliers and ultimately, their data
- Failure to have a cutting-edge comprehensive Information Security plan
- Failure to view data security as a "business problem" and not just an "IT problem"
- Failure to view data security as a 3-D ecosystem
- False reliance on an obsolete 'perimeter protection' strategy vs. a 'data-centric' strategy
- False reliance on cyber products and anti-virus
- Failure to classify data and trade secrets
- Failure to properly train and certify employees, contractors, vendors, suppliers
- Failure to understand the true significance of Insider Threat
- Failure to use ongoing intelligence to shape and strengthen their data security strategy
Ajay Patel
Ajay Patel is a Co-Founder and CEO of HighQ, the enterprise collaboration and content publishing software provider. Founded in 2001, the London-headquartered company provides software to some of the world's largest law firms, investment banks, and corporations.
The biggest mistake businesses can make with data security and when moving to the cloud is...
Not checking where their data is hosted.
Data sovereignty is a massive issue right now, particularly with the recent US Senate vote against NSA reform, and the Patriot Act, which allows the US government to access digital data no matter where in the world it is stored. This should be a concern for all businesses venturing into the cloud, but especially for highly regulated industries such as law and finance.
Businesses should be cautious about choosing a cloud provider that doesn't let them choose which jurisdiction their data is stored in, or cannot guarantee that their data will stay there. Cloud providers based in the United States will always be subject to American laws, no matter where in the world they host their data, but these laws also apply to data hosted in United States data centres by non-US providers.
Always check with a prospective cloud provider where they host their data. Good providers should offer hosting in a range of jurisdictions and should be able to talk you through the laws surrounding each jurisdiction so you can make an informed choice as to where is the best place to store your company's and clients' confidential data.
Ray Potter
Ray Potter is the CEO and Co-Founder of SafeLogic, a security company that delivers innovative security, encryption, and FIPS validation products to applications in mobile, server, wearable, IoT, and appliance environments. Previously, Ray founded Apex Assurance Group and led the Security Assurance program at Cisco Systems.
One of the biggest mistakes that companies make with data security is...
Not properly vetting the encryption used by their various vendors.
FIPS 140-2 is the benchmark that the US federal government requires for any encryption in any product for any data. If the encryption has not been tested and validated to that standard, it is considered to be equal to plain text. Private industry should insist upon the same validation level, because if it has not been tested by a reputable laboratory, it is of unknown quality and poses an unnecessary risk.
Guido Laures
Guido Laures is the CTO of Spreadshirt, an e-commerce platform for creating, selling, and buying of ideas on things that consumers love to share, use, and carry. In his leadership role, he is responsible for the European and North American IT sector of the Spreadshirt international eCommerce platform. Prior to joining Spreadshirt, Laures was an executive at itCampus, a subsidiary of Software AG. He served as Vice President of Global Consulting. Previous career highlights also include associations at SAP, the Hasso Plattner Institute and Daimler research.
My advice applies to global retailers. The biggest mistake companies make with data security is...
Relying on apps for the checkout process. Instead, build in your own security features.
Optimize your site for mobile for a global audience, but don't rely on apps for checkout. Build in security features like Content Security Policy, integrate external scripts as an added layer of protection for even trusted scripts, use https to avoid breaches in insecure areas, and educate customers to continually update their browsers. Make the process fast, simple, and intuitive for shoppers to use.
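The two browser-side controls named above, Content Security Policy and pinning external scripts, can be implemented in a few lines. The following is an added example, not Spreadshirt's code: it computes a Subresource Integrity hash for a reviewed third-party script (so the browser refuses to run it if the file ever changes), and builds a nonce-based CSP plus an HSTS header for a checkout page. The script body, the CDN host `https://cdn.example.com` and the `/csp-report` endpoint are assumptions made for the example.

```python
"""Subresource Integrity (SRI) and Content Security Policy (CSP) helpers.

Added example, not Spreadshirt's code. Shows two of the controls named
above: pinning an external script with an SRI hash so the browser refuses
it if the file changes, and emitting a nonce-based CSP plus HSTS header for
a checkout page. The host name and script body are constructed samples.
"""
import base64
import hashlib
import secrets

# Constructed sample: the reviewed bytes of a third-party script you intend
# to load. In practice you fetch it once, review it, and pin that version.
TRUSTED_SCRIPT = b"window.checkout = function () { return 'ok'; };\n"
CDN_HOST = "https://cdn.example.com"   # assumed third-party host


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the value for the 'integrity' attribute: '<alg>-<base64 digest>'."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """<script> tag pinned to the reviewed body; crossorigin is required so the
    browser can check the hash of a cross-origin response."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Build-time or monitoring check: does a freshly fetched body still match
    the pinned integrity value? Browsers perform this check themselves."""
    algorithm = integrity.partition("-")[0]
    try:
        return secrets.compare_digest(sri_hash(body, algorithm), integrity)
    except ValueError:          # unsupported algorithm in the pinned value
        return False


def new_nonce() -> str:
    """Fresh per-response nonce; reusing a nonce across responses defeats it."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def security_headers(nonce: str, script_hosts=(CDN_HOST,)) -> dict:
    """Response headers for the checkout page.

    The CSP only executes scripts served from this origin, the listed hosts,
    or inline <script nonce=...> blocks carrying this response's nonce, and
    upgrades any http:// subresource to https://. HSTS keeps later visits on
    TLS. Blocked loads are reported to /csp-report (an assumed path).
    """
    csp = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' {' '.join(script_hosts)}; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; "
        "upgrade-insecure-requests; report-uri /csp-report"
    )
    return {
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


if __name__ == "__main__":
    nonce = new_nonce()
    for name, value in security_headers(nonce).items():
        print(f"{name}: {value}")
    print(script_tag(f"{CDN_HOST}/checkout.js", TRUSTED_SCRIPT))
    print(f'<script nonce="{nonce}">/* inline code allowed by the nonce */</script>')
```

The nonce must be generated per response and never cached with the page, and the SRI value must be regenerated whenever you deliberately upgrade the pinned script; a mismatch in production is a signal that the third-party file changed without your review.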
Kevin West
Kevin West is CEO of K logix, a company that provides security consulting and technology integration to enterprise companies.
A lot of people will give very technical answers, such as leaving data unprotected, not keeping track of the data you store, etc. But the biggest mistake companies make with data security is actually...
Not aligning security with business goals.
When security teams make decisions in a vacuum without considering how their projects impact overall business goals and revenue, they are less effective, miss out on additional budget dollars, and position themselves as an operational expense rather than a business enabler. It all adds up to a less effective data security program.
Artem Metla
Artem Metla, OSCP (Offensive Security Certified Professional), is the Security QA Engineer at Ciklum, a leading supplier of technical personnel and teams, software development and agile business consulting to high growth companies globally. Artem has extensive experience in penetration testing, application security and information security audits.
One of the biggest mistakes companies make when it comes to data security is...
Securing only critical servers and paying no attention to other hosts in the network (like testing facilities, end users' PCs, etc.).
An old IT wisdom says: "You're only as secure as your weakest link." All hosts in an organization's network are chained together, and this chain is under the Administrator's control. So successful exploitation of any host managed by the Administrator could give the attackers everything they want.
For example, a successful attack on a user's PC could provide the attacker with the user's credentials, which gives a good starting point for escalation to Administrator permissions by using one of the publicly available privilege escalation exploits.
Many organizations tend to cut security testing or information security auditing budgets during external or internal reviews by limiting scopes of auditing to only critical information systems' parts. Of course, this approach is still better than nothing. However, it is crucial to understand that vulnerabilities could be found in any component and there are other hosts (outside the limited "scopes") which are suitable for attackers who work in the same environment.
Joe Ferrara
Joe Ferrara is the President and CEO of Wombat Security Technologies. Headquartered in Pittsburgh, PA, the company provides information security awareness and training software to help organizations teach their employees secure behavior.
The biggest mistakes companies make with data security are...
- Emailing unencrypted data
- Having unencrypted data on mobile phones
- Taking sensitive data home on work computers
- Re-using passwords
- Sharing passwords
- CSOs not sharing data security policies with employees
By teaching employees and consumers how to make better and safer decisions when they are outside the boundaries of the office, they are empowered to make better decisions for an overall impact on the global security chain to help reduce breaches in 2015. Security Awareness Training is no longer an option for "Best in Class" companies and it's imperative to effectively change user behavior.
J Wolfgang Goerlich
J Wolfgang Goerlich is a Cyber Security Strategist with Creative Breakthroughs, Inc. (CBI), an IT risk management and security company.
The fundamental mistake companies make with data security is...
Neglecting data governance.
Many companies lack the processes, policies, and standards for protecting data throughout its lifecycle. How is new data added and classified? How are people given access, and how often is that access reviewed? Are the backups and redundancies sufficient given the type of data? How is data access monitored and reported on? Is sufficient data loss prevention in place to protect the company? And, once the data reaches its end-of-life, how is the data gracefully retired? The companies which fail to think through the long term implications of data leave themselves open to security incidents and breaches.
Chris Tonkinson
Chris Tonkinson is a technologist and entrepreneur with experience in software and institutional data security. He currently operates Forge Software, the web & mobile development company he co-founded in 2013.
The biggest mistake companies make with data security comes down to...
Budgeting.
Companies which haven't suffered from the results of a breach don't feel the importance of proactive threat analysis, defense, and recovery. Even if there is a perceived need, security is always at odds with convenience and often when the rubber meets the road, the tension between security and convenience always breaks favoring convenience (convenience in this context meaning employee productivity).
The more distressing fact though is that whatever resources organizations do allocate toward information security are typically weighted disproportionately towards defense and prevention, and not nearly enough attention is paid to response and recovery. The sad fact is that most organizations never fully consider that no matter what precautions they take, a breach is going to happen sooner or later, and a planned, coordinated response is absolutely crucial.
Bill Carey
Bill Carey is VP of Marketing for RoboForm, an award-winning password manager and form filler app that allows you to use your logins from your RoboForm Everywhere account on your Android.
I suspect that organizations will continue to defend themselves against cyber attacks and the public's data will continue to be leaked in several successful data breaches. So, my advice to companies who want to protect themselves from security threats is...
- Make sure employees use strong passwords on all devices. Passwords are the first line of defense, so make sure employees use passwords that have upper and lowercase letters, numbers and symbols. It's also important to use a separate password for each registered site and to change it every 30-60 days. A password management system can help by automating this process and eliminating the need for staff to remember multiple passwords.
- Train employees on cyber security best practices and offer ongoing support. Some employees may not know how to protect themselves online, which can put your business data at risk. Hold a training session to help employees learn how to manage passwords and avoid hacking through criminal activity like phishing and keylogger scams. Provide ongoing support to make sure employees have the resources they need.
- Hold employees accountable. It's crucial to make sure everyone in the company understands how important it is to use effective cyber security practices. Managers and business owners should lead by example, modeling excellent safety habits. It's also a good idea to provide an online security manual and ask employees to sign an acknowledgement form after training to indicate they understand and will abide by company policies.
Giovanni DeMeo
Giovanni DeMeo is Vice President of Global Marketing and Analytics at Interactions, the largest provider of in-store product demonstrations and outdoor experience marketing programs for retailers and brands.
One of the biggest mistakes companies make with data security has to do with responding to a data breach, which is almost inevitable for companies today:
Some brands think that disclosing a data breach is overrated and could expose vulnerabilities, but 47 states actually require it.
Transparency and taking action to minimize the risk of future breaches are the keys to winning back consumers. While breaches can mean immediate declines in traffic and sales for companies, consumers are more willing to forgive a security infringement than it might seem, especially if they feel like the retailer is communicating early and often with them about what happened and what steps it is taking to minimize risk in the future.
Dan Fugardi
Dan Fugardi is Co-Founder of Clout, the world's first spending intelligence network that changes the way we spend, the way we pay, and how we are rewarded for the things we purchase each day.
One of the biggest mistakes I have found that companies make in protecting data is...
Settling with the minimum allowable securities that will probably do the job but could be stronger.
For example: Supplementary internal encryption, multi-factor authentication, or not operating at a PCI-1 compliance when it's not technically required. I believe that the reason for this is the same reason why one would cut corners on anything else...the decision that time or resources are better spread across completing all elements needed to conduct business as a whole. In the case of a consumer-data heavy product, "minimally viable" is, in this unique case, a concept that can certainly be costly later on.
Sean O'Donnell
Sean O'Donnell is the Chief Technology Officer at WebiMax, the leading Internet marketing company internationally, providing complete online marketing strategies listed on the INC. 500. In his current role as CTO, Sean focuses on developing solutions that help our team and our clients to operate more efficiently. He has also led the development of WebiMax's platforms including Client Center and Website Analyzer.
One of the biggest mistakes companies make with data security is...
Not changing passwords for important online accounts regularly, especially after employees move on.
It can be a disaster if a disgruntled employee with an axe to grind decides to do damage to your business using old passwords that you haven't done your due diligence to update.
Another thing to consider is that the ever-growing scope of systems/accounts that users have access to also creates a challenge for IT to keep up with who has access to what.
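Keeping up with "who has access to what" after people leave is a reconciliation problem, and it can be scripted. The following is an added example, not WebiMax's code: it compares a constructed HR roster with a constructed inventory of accounts across several systems and flags accounts whose only owners have left, shared credentials that were not rotated after a leaver who knew them departed, and credentials older than a rotation window. Every name, system, date and the 90-day window are made-up values for the example.

```python
"""Access review: find accounts that should have been disabled or rotated.

Added example, not WebiMax's code. It reconciles a constructed HR roster
against a constructed inventory of accounts from several systems and flags
(a) accounts whose only owners have left, (b) shared credentials not rotated
since a leaver who knew them departed, and (c) credentials older than a
rotation window. Names, systems and dates are all made up.
"""
from datetime import date, timedelta

TODAY = date(2015, 3, 1)            # fixed so the example is reproducible
ROTATION_WINDOW = timedelta(days=90)

# Constructed HR roster.
EMPLOYEES = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "left",   "left": date(2015, 1, 15)},
    "carol": {"status": "active", "left": None},
}

# Constructed account inventory. 'owners' = people who know the credential.
ACCOUNTS = [
    {"system": "crm",     "account": "alice",           "owners": ["alice"],        "last_rotated": date(2015, 2, 1)},
    {"system": "crm",     "account": "bob",             "owners": ["bob"],          "last_rotated": date(2014, 11, 1)},
    {"system": "dns",     "account": "registrar-admin", "owners": ["alice", "bob"], "last_rotated": date(2014, 10, 15)},
    {"system": "twitter", "account": "@company",        "owners": ["carol"],        "last_rotated": date(2014, 6, 1)},
    {"system": "ci",      "account": "deploy-bot",      "owners": ["carol"],        "last_rotated": date(2015, 1, 20)},
]


def review_access(employees, accounts, today=TODAY, window=ROTATION_WINDOW):
    """Return findings as (severity, system, account, reason) tuples."""
    findings = []
    for acct in accounts:
        # Anyone not listed as active in HR (left, or unknown to HR) is a leaver.
        leavers = [p for p in acct["owners"]
                   if employees.get(p, {}).get("status") != "active"]

        if leavers and len(leavers) == len(acct["owners"]):
            findings.append(("high", acct["system"], acct["account"],
                             "no active owner (" + ", ".join(leavers) + "): disable"))
            continue

        for person in leavers:
            left = employees.get(person, {}).get("left")
            # Unknown departure date counts as 'not rotated since they left'.
            if left is None or acct["last_rotated"] <= left:
                findings.append(("high", acct["system"], acct["account"],
                                 f"shared credential not rotated since {person} left: rotate"))

        if today - acct["last_rotated"] > window:
            findings.append(("medium", acct["system"], acct["account"],
                             f"last rotated {acct['last_rotated']}, beyond {window.days}-day window"))
    return findings


def high_severity(findings):
    """Just the (system, account) pairs needing same-day action."""
    return {(f[1], f[2]) for f in findings if f[0] == "high"}


if __name__ == "__main__":
    for severity, system, account, reason in review_access(EMPLOYEES, ACCOUNTS):
        print(f"[{severity:6}] {system}/{account}: {reason}")
```

Treating anyone absent from the HR feed as a leaver is deliberate: a contractor or service owner nobody can vouch for should surface in the review rather than be silently skipped.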
Michael K. Kelly
Michael K. Kelly is a Partner at Jennings, Strouss & Salmon Law and is Chair of the firm's Intellectual Property practice. He has over 27 years of experience in dealing with intellectual property related matters and is well-versed in patent, trademark and copyright (including software) prosecution and infringement, trade secrets and unfair competition, international dispute resolution, and intellectual property insurance and legal opinions. Mr. Kelly's technical expertise includes encryption, cyber security, medical imaging, software architecture, data cache and database systems, cloud computing, mobile devices, smart phone applications, and consumer electronics.
As many companies are realizing, it is a matter of "when," not "if," they will have a data breach. There are numerous mistakes companies make when it comes to securing data, whether it be their own or their customer's; however, some have a larger impact than others. Following are five of the biggest mistakes companies make with data security:
- Heavily relying on technologies, such as firewalls, to prevent security breaches.
These technologies have their own security vulnerabilities. Moreover, no technology can completely override human error.
- Failure to adequately appreciate the company's exposure to a breach.
Many companies, particularly small businesses, think "that won't happen to us." Ransomware, such as CryptoLocker, is a type of malware that phishes its way into the computer system of a small company. It then restricts access to the system until a "ransom," often less than $1,000, is paid to the creator(s) of the malware.
- Failure to adopt a response plan prior to a breach.
Critical information rendered unavailable, even for a brief period, can cripple a company's operations.
- Wholesale delegation of data security to the Information Technology Department.
Senior management must exercise oversight over breach mitigation with the same level of seriousness as it regards the company's financial and product information.
- Failure to persistently patch vulnerabilities.
Eighty percent of security breaches are preventable. The costs of implementing technology and processes to secure data are significantly less than the costs of a breach.
Dr. Federico Simonetti
Dr. Federico Simonetti is the Founder and CTO of Extenua, Inc., a California-based technology startup that aims to be the world's leading innovator in secure, trusted enterprise and cloud storage access software. He is also a Professor at Università degli Studi di Milano.
The largest mistake that a company can make with data security is...
Accepting one solution as the save all.
There is not "ONE CONCEPT," it's going to be a huge amount of new security tools, practices, algorithms, policies... If companies don't want to continuously have their customer and internal private information victimized, security needs to quickly become part of their DNA.
True Story - I was on an airplane flight yesterday. The woman seated next to me works for a MAJOR pharmaceutical company. We struck up a conversation. While we were talking, she used the airplane WiFi and her web tablet to log on to the company site. I was sitting there watching each keystroke; I now know her password. Obviously, I removed the password from my memory, but just think about the consequences. What if someone with poor intentions was sitting next to this woman?
This is a moment in time when there is a lot of enthusiasm for new technologies, especially cloud and SaaS. Even though such technologies bring undoubtable advantages, very often companies underestimate that the adoption of such technologies implies a total redesign (re-thinking) of all their security policies and employee behaviors. It's not just about encryption, accessibility from anywhere means that your HTTPS (SSL/TLS) protocol channel is not enough to keep safe!
The cloud requires a brand new security concept; to be invented and designed from scratch.
Lamar Bailey
Lamar Bailey is the Director of Security Research and Development for Tripwire, a cybersecurity firm that works with companies like Mastercard, Visa, PayPal, Safeway, Walmart and Starbucks as well as many smaller firms.
The biggest security mistake companies make is...
Not controlling their critical data.
Most companies do not have the controls in place that track where the critical data is located. Even fewer companies have the controls necessary to prevent that data from being copied to unapproved systems. For example, lost or stolen laptops have played a major role in many data breaches because employees have copied large amounts of data to their devices and then the device was lost or stolen.
The reason most companies don't effectively control sensitive data is because it's like herding cats. It's difficult to balance the needs of employees, who need access to the data to do their jobs, and making sure access is controlled enough to ensure the data is secure enough to prevent accidental loss or access by cyber attackers.
Cloud applications and client/server environments are a good solution because they allow employees to access the data while keeping it 'corralled' on secure corporate servers.
Ray Cavanagh
Ray Cavanagh is a leading Security Expert. He is a council member of the ASIS (American Society for Industrial Security) Physical Security for Cloud Computing Council, as well as for the Physical Security Council. He spoke at the ASIS conference in Philadelphia on The Convergence of Physical and IT Security and also spoke at the AAPA (American Association of Port Authorities) seminar in Jacksonville on The Role of Physical Security in Technology. He also holds CVI Certification (Chemical-terrorism Vulnerability Information) from the Department of Homeland Security.
When it comes to the biggest mistakes companies make with data security, these are my thoughts...
As IT and the Cloud become more prevalent the physical security side of it is typically forgotten. Protection of IT and the Cloud by physical means is incredibly important yet is barely talked about.
Are the servers secure from damage? Theft? Vandalism? Disaster? Also, what about the coordination of the IT and security teams? Are they talking enough? At all? What is the plan of protection? Is it cohesive enough? Can employees bring their own devices? Do they have access to servers and info? Is that device logged in at all times, creating a huge potential threat if stolen? All things that need more addressing.
A plan needs to be developed on how to best manage your data's security. There are a multitude of vendors in the market vying for your business; be sure to take a hands-on approach and work with those vendors who will open their processes to you for review. A hands-on approach will ensure your adherence to corporate governance and will enable you to react quickly if there is any evidence of a security breach. Since breaches come from within as well as from the outside world, you must continue to hone your internal processes as a complement to your cloud partner. You need to ensure adherence to all of the security processes and procedures you implemented as an on-premises provider.
As criminals become more tech-savvy, it is up to security professionals to stay several steps ahead. While completely eliminating all threats is impossible, a comprehensive, integrated security plan that converges both physical and IT security can put companies in a position of power instead of fear, action instead of reaction.
Securing both public and private cloud environments, along with understanding both the risks and benefits of cloud computing for physical security, presents a sizable challenge for security professionals -- but nothing the continuously evolving security industry can't handle. In short, physical and cyber security teams simply must work together now to better anticipate, thwart and reduce threats, not just after an incident occurs.
When considering your overall security system, it is important to ensure it is fully integrated and working as one cohesive unit. If your system grew by adding components piecemeal or you don't know for sure if your various security personnel are talking, you should consider having a professional, full service security firm perform an assessment.
The greatest challenge for security in the 21st century won't be figuring out how to stop outside threats -- been there, done that -- but instead making sure the many components of a security system are all working as one. In reality, the greatest threat often comes from within.
Christopher Burgess
Christopher Burgess is the CEO & President of Prevendra, Inc., a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security strategies. Christopher co-authored "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century" (Syngress, March 2008) and authored the e-book, "Senior Online Safety" (Prevendra, March 2014) and is the voice behind the website, "Senior Online Safety." Prior to the founding of Prevendra, Christopher held a variety of private and public sector positions, which included: chief operating officer and chief security officer of a big data analytic company, Atigeo; Senior Security Advisor to the CSO of Cisco, a Fortune 100; and 30+ years within the Central Intelligence Agency.
The biggest mistakes companies make with data security are...
- Lack of security process / procedures: When a company expects an individual to take appropriate steps to protect the data they touch in the course of their work, they must take steps to educate. The BIGGEST mistake is thinking this is a "once and done" event - on the contrary, this is an ongoing educational necessity. The most common barrier for not taking action? We are focused on revenue generation, a more important item. However, by focusing on securing your and your customers' data, you are securing revenue - revenue preservation.
- Lack of resources to allocate: We'll get to security when we can afford to invest in security. This phenomenon is most often encountered with start-ups. The BIGGEST mistake is the belief that lack of resources means one cannot invest in security. Any entity can invest in number 1 above; in addition, every entity can invest in low-cost/no-cost security implementation with respect to data access and technical processes. Adhering to the need-to-know/need-to-access doctrine reduces risk to data exposure.
Vignette: The small startup was creating their website by using independent contractors and providing them direct access to the backend of the website to post and edit. The independent contractor practiced poor cyber-hygiene - the first action the individual took was to change their issued password to the one they used on all their other contracts, thus violating the one-password one-use doctrine. The independent contractor's password/email combination was previously compromised (see the numerous articles on the DarkWeb sales of web credentials), and cyber criminals hacked into the company's website backend, harvesting customer data as well as user data.
- Knowing where their data is: Every enterprise-size entity has this issue. The BIGGEST mistake is no data storage/access control regime. Where are your crown jewels (customer data for example)? Who has access? What monitoring or anomaly detection is available to alert of a breach or unauthorized access? Do you permit third-party storage of company data? Would you know if your employees violated the policy and put your customer data into their personal cloud storage to work at home (or share in an unauthorized fashion with another)?
Douglas Landoll
Douglas Landoll is the President of Lantego, a security consultancy specializing in risk assessment and policy development. He is the author of the best-selling "Security Risk Assessment Handbook" and a cybersecurity expert specializing in security risk assessment, compliance/governance, and building corporate security programs. He has been a leader in information security for over 25 years, training over 2000 CISSPs and CISAs, founding 4 information security organizations and running security consulting divisions for public and private companies. Mr. Landoll has led projects to assess and improve security at many corporations and Federal, state, and local government agencies including the NSA, CIA, NATO, FBI, State agencies in Texas and Arizona, and Fortune 50 companies.
The biggest mistakes companies make with data security are...
1. Making assumptions regarding control effectiveness.
Organizations typically do a great job at procuring technology and putting policies in place, but they too often make assumptions about their effectiveness. Internal company resources that place controls, create training, or write policies and procedures rarely perform adequate testing of the effectiveness of these controls. Internal testing or limited security testing (i.e., penetration testing) does not provide an adequate review.
Moreover, conclusions based on assumptions or limited testing lead to drastic errors in the allocation of limited resources to improve organizational security. What I see a lot of is security investments limited to technology, followed by penetration testing and a continued investment in technology. All the while, the weakest controls in the organization (i.e., configuration management, security training, security policies, contingency planning, third party management) go unassessed and continue to represent the largest risk. Simple solution here: get an independent security risk assessment and quit relying on untested confidence or penetration testing only.
2. Compliance with Regulations.
When considering internal company data and third party data, most organizations are required to be compliant with one or more information security regulations or security standards such as HIPAA, PCI DSS, State Privacy Acts, or custom contract requirements. A common mistake within organizations is to simply assume compliance based on a brief internal review and completion of a questionnaire. This set-and-forget approach to compliance has led many organizations into a false sense of compliance and an increased risk when the inevitable breach occurs.
Information security regulatory compliance is a speciality of its own and requires not only a knowledge of the regulation itself, but current industry interpretations, compensating control processes, risk-based exceptions, audit processes, breach notification requirements and the complexities involved when multiple regulations appear to conflict. Non-compliance with information security regulations remains one of the top mistakes made by companies in their current data security approach.
3. It's an IT Issue.
Information technology (IT) represents a large portion of data security controls, but data security is by no means limited to information technology. Many organizations have launched data security projects fully within the IT department. This is a mistake and will lead to a strong IT implementation of data security controls but limited (if any) attention paid to the majority of available or required security controls such as physical security, policies and procedures, training, and other administrative and environmental controls.
Dr. Engin Kirda
Engin Kirda, PhD is Co-Founder and Chief Architect at Lastline, a global breach detection platform provider. He is also a computer science professor at Northeastern University in Boston, and the director of the Northeastern Information Assurance Institute. He previously held faculty positions at Institute Eurecom and the Technical University of Vienna, where he co-founded the Secure Systems Lab. Dr. Kirda has served as program chair for several security conferences including RAID, Eurosec and USENIX. He has counseled the European Commission on emerging threats, and gave a Congressional Briefing in Washington D.C. on advanced malware attacks and cyber-security.
What are the biggest mistakes companies make with data security?...
- One big mistake companies make with data security is using weak encryption. Companies may use weak encryption keys or easy to use pass phrases that get emailed around. This can open them up to brute force attacks as well as interception and extraction of unsecured data that can leak intellectual property or personal information, leading to further security vulnerabilities.
- Another common data security mistake is securing communications at the endpoints (e.g., using SSL, TLS), but not securing the communication between servers at the backend. Unfortunately this mistake is common as many SMTP servers are not securely configured and email communications aren't encrypted so it is relatively easy for third parties to intercept and access email communications.
- A third data security mistake companies make is using proprietary encryption like XOR that can sometimes be easy to crack by a determined attacker.
- Finally, a fourth data security mistake that companies make is failing to use two layers of encryption on notebooks depending on the importance of data. For example, companies might encrypt the hard disk, but malware that infects the machine can read everything on the disk. A better approach would be to encrypt some of the sensitive data on disk and to decrypt it when it is needed. For example, you can encrypt archival emails and decrypt them if and when they're needed. Why keep emails from 2011 in unencrypted form if you just need to access them once every two years?
Daren Boozer
Daren Boozer is the CEO of NCC Data, one of the top independently owned IT consulting and managed service firms in the Dallas-Fort Worth Metroplex. Daren's insights on disaster recovery, data security and information technology have been featured in Virtual Strategy, Dallas News and more.
The biggest mistake companies make with data security is...
Apathy, and it can occur for any sized business.
Enterprise companies often have the right procedures and team in place to prevent an attack, but having the perception that your business is safe can lead to apathy and apathy leads to mistakes. Cyber criminals are constantly looking for vulnerabilities. To stay ahead your IT team must be just as deliberate – frequently look for vulnerabilities, upgrade software packages and monitor 24/7.
Small businesses have the same problem, except they often don't have the team or safeguards in place. Never think that your business is boring for cyber criminals. If you have access to larger business networks, if your industry is growing and gets media coverage or if you have access to credit card/personal consumer data, you are at high risk. You may not be the final target, but the entry point.
Never treat data security with apathy, especially after all that has happened in 2014.
Alberto Artasanchez
Alberto Artasanchez is a Managing Director at Note Dashboard, a cloud-based mortgage note and loan management software for lenders and financial institutions of all types and sizes. Mr. Artasanchez worked on Wall Street for 10 years for companies such as Credit Suisse and Citibank. He now manages the development team at Note Dashboard. Note Dashboard is a feature-rich cloud-based loan management system.
The biggest mistake companies make with data security is...
Falling for phishing attacks.
It's amazing how people can still fall for phishing attacks. I once worked at a startup in Silicon Valley during the go-go internet years and the head of security at our company actually clicked on a phishing email we all received. He didn't last much longer after that incident.
Greg Kelley
Greg Kelley is CTO for Vestige, Ltd, a company that performs computer forensic services and data breach response for organizations.
The biggest mistake companies make with data security is...
Not reviewing their data security with a skeptical mindset.
Too often the review involves asking members of the security team, or IT staff, questions about what is being done, tracked, logged and backed up. Answers to those questions are accepted without a request for the data to back those answers. The person being asked the question might also be multiple levels removed from the person actually doing the work. Case in point, we assisted a client with a folder permission issue related to Active Directory. Their environment was mostly virtual and according to the upper level IT those machines were being backed up. Those backups would allow us to "play back" what happened in AD. However, when they went to the person in charge of the backups, it was discovered that AD wasn't being backed up at all.
Organizations need to have the mind of a skeptic with no preconceived notions when it comes to security. Question everything and demand proof in the form of logs, screenshots or otherwise to make sure that what you think is in place is actually in place, running and operating as desired.
Bill Rosenthal
Bill Rosenthal is the CEO of Logical Operations, which provides a library of 4,600 employee skills training and certification programs, with a strong emphasis on cybersecurity. He has headed technology-oriented employee skills training businesses since 1986.
Here are eight big mistakes companies make with data security:
- Not staying up-to-date. You must subscribe to threat intelligence feeds and collaborate with other leaders in the field.
- Failing to train end users on how to do their job without jeopardizing the organization's critical networks.
- Being lax about constantly analyzing your organization's cybersecurity risk management policies.
- Failing to make security a frequent topic of conversation at the C-level - and tied to business objectives. Bring quantifiable metrics, such as potential lost revenues, into the conversation to help key decision makers recognize the need for additional investment in security.
- Believing that securing an organization's networks is only a matter of cybersecurity products. While useful tools, these are most effective when implemented in an environment focused on holistic security solutions.
- Making it hard to access critical data when a breach has occurred. Having easy access to this data allows an organization to determine what an attack is targeting. This allows security professionals to begin addressing the issue before it becomes front page news. There are numerous third-party tools that allow data to be visualized, providing insights to historical data trends as well as detailed real-time reports.
- Being mindless about BYOD. Cloud-based solutions, which focus on securing data, rather than devices are becoming increasingly attractive to organizations looking to maximize their employees' efficiency without sacrificing data security. Furthermore, device-based security policies, such as requiring encryption capabilities to remain enabled, can help to prevent unwanted network access.
- Failing to hold fire drills. It's necessary to prepare for disaster by establishing a set process and then putting it to practice. Identify key stakeholders and the role they will play should a catastrophic attack occur. The implementation of an incident handling and response architecture can ensure that the organization's security team, and other stakeholders for that matter, know exactly what to do when an intrusion is first detected. Once established, routinely practice so that gaps can be identified prior to the real thing.
- Working with the wrong third-party vendor. This can be disastrous. This scenario is played out far too often. Assess your partner's security posture and provide steps to mitigate risks and patch vulnerabilities within their own networks, before they can be leveraged to access yours.
- Not remaining vigilant. It truly is a question of when, not if. If you've managed to evade cyber attackers to this point, you are either lucky or good (more likely a combination of both). Don't rest. Just as the threat landscape is constantly evolving, so too must our approaches to securing our information systems. Innovate, educate and train, and continue to fortify your organization's security perimeter. Nobody sees a major attack coming until it's too late.
Pavel Krcma
Pavel Krcma is the CTO of Sticky Password where he utilizes his software engineering expertise to design software architecture and create new updates for the company's password management software. He has more than 15 years of experience in the security industry and is the former head of the virus lab at AVG Technologies. Pavel speaks on topics related to malware and cybersecurity and has also co-authored several articles about online security.
The biggest mistakes companies make with data security can all be boiled down to...
Carelessness.
Many companies don't truly know the amount of information their employees are privy to when at work or logging into professional accounts. What's more, many employees lack the proper training with a clear understanding of the information they have on hand. Steps such as changing passwords, never using the same password for multiple accounts, and maintaining software updates are overlooked and valuable company or consumer information can fall into hackers' hands with ease.
Max Aulakh
Max Aulakh is the Founder & Chief Security Architect for MAFAZO and is a cyber-security entrepreneur focused on solving cyber risk issues for businesses and government environments. His company provides security engineering and cyber compliance services to diverse clients in the United States such as the U.S. Air Force, Department of Defense and Dell Inc.
The most common mistake companies make when securing data is...
Failing to understand the potential impact on the organization if the data is lost or stolen.
This is done through a cyber-security risk assessment process. Many organizations are quick to implement technical solutions without understanding the business. Technical solutions may satisfy a security requirement but can significantly impede the organization's capability if implemented improperly.
Ashley Schwartau
Ashley Schwartau is the Creative Director of Production & Development at The Security Awareness Company, a company that offers and specializes in a range of information security services for today's corporate, government and non-profit organizations. She has over 10 years of experience with The Security Awareness company writing, researching, and developing e-learning materials about security awareness, data privacy, and data security.
I think one of the biggest mistakes companies make is two-fold:
- Assuming their employees know internal security policies
- Assuming their employees care enough to follow policy
So many of the security problems out there come down to an ignorant user base – or worse, users who just don't care. Most data breaches that we hear about occur due to the bad guys being able to take advantage of employees who either don't know policy, aren't security aware enough to think "oh this is a moment when I should be following policy," aren't clued in enough to report suspicious activity, or don't understand why they should care about their company's security well-being.
The easiest / cheapest fix? TEACH your employees. Don't just hand them a policy PDF and say "read this" and think now they're aware and know how to protect data. No, you've got to teach them policy, then teach them basic security practices (don't give out sensitive data over the phone, how to recognize and react to phishing emails, why you need to change your passwords, why you should have different passwords for different accounts, etc), and you've got to not only teach them about these things in relation to your company but teach them how to protect their family's data, how to protect their kids' IDs from being stolen, how to protect their financial information. Because if you can hit them where it hurts – their family, their own personal lives – and get them to care about security from a personal viewpoint, then once you've educated them, you can very easily say, "oh you know all that stuff we've taught you about protecting your personal data? Do the same stuff here at work, and here's why we need you to do it."
Education and awareness are the biggest and most effective tools companies have and often the ones they don't think to use. Too many people think technology is the answer, but who uses technology? People. People who may or may not know best security practices, people who make mistakes, people who may or may not care one bit about digital threats to the company. You've got to get them to care.
Michael Pesochinsky
Michael Pesochinsky is VP and Co-Founder of GovernmentAuctions.org, a website that provides information about government auctions of seized and surplus merchandise from all over the country.
One of the biggest mistakes I've seen companies make when it comes to securing their sensitive data is...
Keeping their passwords stagnant.
The best practice would be to change your passwords every 30-90 days. This would drastically lower password-based security breaches.
Another mistake I'll see is that many companies will have executables sitting bare instead of in Stored Procedures. Stored Procedures are very important to protect against SQL injection attacks, and many in fact do. But stored procedures do not by themselves necessarily protect against SQL injection. How useful a stored procedure is has everything to do with how it's written, so make sure you write it correctly by including an execution plan on any query which dictates what query will and will not be executed, and excluding Parameter values, thereby treating any inputs as user input and not as SQL code.
And finally, it's important for companies to use custom filters to immediately disable access to your site from the attacking IP address or range of addresses. Filters also prevent SQL injection and other forms of hacks and cyber attacks.
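The point above about treating inputs as user input rather than SQL code, shown as an added example (not code from the original article or from GovernmentAuctions.org): the same lookup written by pasting the input into the SQL text and, beside it, with a bound parameter. The table, rows and the tampered input are all constructed for the demo; the vulnerable form is included only to show why the parameterized form is the correct one.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable form: the input becomes part of the SQL statement itself."""
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened form: the input is bound as a parameter and can only ever be data."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed tampered input: valid as an email address string, but when
# spliced into the SQL text it turns the WHERE clause into a tautology.
TAMPERED = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(lookup_unsafe(conn, "alice@example.com"))  # ['alice@example.com']
    print(lookup_unsafe(conn, TAMPERED))             # every row is returned
    print(lookup_safe(conn, TAMPERED))               # [] - no row has that email
```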
Louis Ashner
Louis Ashner is a technology entrepreneur and the Founder of NoPass, a touch ID fingerprint iPhone App that allows users to secure their device without a password. He was recently featured in the Wall Street Journal.
One of the biggest mistakes companies make is...
Using usernames and passwords to log in to internal systems that are the same or similar as they use on other sites.
Company X may have extremely tight security, but if Employee A has his login info stolen on Company Z's website, a hacker can use that info to log in to Company X's secure systems. I like to say that we are only as strong as the least secure website we put our login information into.
I could be sitting in a coffee shop and enter my credentials to my buddy's insecure blog. A hacker could potentially steal that login information from what's called "packet sniffing," or he could even find a way to breach the blog's site to steal login info. Now once a hacker has that login info, he can try it on any other site, from banks to internal business systems. This is exactly how many of the popular data breaches have happened: a leaked password from someone with system access.
Derek Spampinato
Derek Spampinato is an IT Technician at Technology Seed, an IT support and consulting company based in New Hampshire. He has certifications in VMware VCA-DCV, CompTIA A+, and CompTIA Network+, which make him well versed in a variety of technologies and technical issues.
In my experience working with many different types and sizes of companies, I have found that most have the same data security flaw...
Most of the companies are so worried about the physical networking and the file permission side of security that they neglect to train the end users, whose actions hold a big role in whether or not the company data is secure.
Untrained and unknowledgeable users are very susceptible to making improper changes with data, phishing, and carelessness with data. Since the users are not trained, they do not see a reason to: keep their credentials secret, change their passwords, use complex passwords, use different passwords for everything, encrypt and password protect their BYODs that hold company data and/or company email, be careful of what they download/install, be careful opening unknown attachments, double check reply email addresses to prevent email phishing, not give the private wifi password to unauthorized people, and to save all company data on secure shares to prevent possible data loss.
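The "double check reply email addresses" advice above can also be automated on the mail gateway. As an added example (not code from the original article or from Technology Seed), this flags messages whose Reply-To domain differs from the From domain, a pattern in which a reply quietly goes somewhere other than the apparent sender; the sample messages are constructed and the domains are placeholders.

```python
import email
from email.utils import parseaddr


def header_domain(msg, header):
    """Lowercased domain of the address in `header`, or None if absent/malformed."""
    _, addr = parseaddr(msg.get(header, ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw_message):
    """True when a Reply-To header points at a different domain than From."""
    msg = email.message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain is None or from_domain is None:
        return False  # no Reply-To: replies go back to the From address
    return reply_domain != from_domain


# Constructed sample messages (not real mail). The first is benign; the second
# looks like it comes from payroll but routes replies to an unrelated domain.
LEGIT = (
    "From: Payroll <payroll@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Timesheets due Friday\n\n"
    "Please submit your timesheets.\n"
)
SUSPICIOUS = (
    "From: Payroll <payroll@example.com>\n"
    "Reply-To: payroll-update@example.net\n"
    "To: staff@example.com\n"
    "Subject: Urgent: confirm your bank details\n\n"
    "Reply to this message with your account number.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, "-> reply-to mismatch:", reply_to_mismatch(raw))
```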