Sometimes, data breaches happen. Taking preventative measures is incredibly important, but knowing how to mitigate after a breach should also be a priority.
TL;DR: We shall explore 4 major points on how to rebuild your security procedures so that they're stronger than ever before — even if you haven't suffered the embarrassment of a breach.
Statistically, your company might be getting attacked by hackers as you read this.
If you're not getting hacked today, then you have time to add new security measures that can help stop a data breach in its tracks. Target, Equifax, Yahoo...the list goes on. Instead of living in fear of being next, let's learn from their mistakes.
If you're recouping from a breach, you definitely want to double down on security so you can regain your consumers' confidence. It is possible, and with some thoughtful upgrades, you'll be able to move past your mistakes.
While there is no magic security system that will guarantee 100% protection, these four measures will bring you closer to an impenetrable defense.
1. Start Securing Your Data, Not Just Your Systems
Data encryption makes stolen data useless to whoever took it: without the key, the ciphertext cannot be read, and few attackers have the mathematical muscle or the patience to break a modern cipher. If your organization is responsible for the sensitive data of millions of people, you would definitely encrypt it, right?
In 2014, hackers stole millions of customer records from Anthem, the second-largest health insurer in the US. The data was highly sensitive, yet Anthem had failed to encrypt it. Fast forward three years to the recent Equifax breach, where the personal data of over 140 million people was stolen. Equifax, mind-bogglingly, had also failed to encrypt the data that was taken.
Hackers have proven they can break through the most sophisticated cyber security systems in the world. Traditional perimeter and network security like firewalls, intrusion detection, and antivirus systems do nothing for the data once the thieves or their malware are already inside your database.
Securing your data is the new imperative
Companies are finally waking up and implementing data protection strategies using data encryption, tokenization, and de-identification tactics to protect the data itself, behind the perimeter.
- Data Encryption converts information into another form, much like a secret code. The only way to read the data is to decipher it with the corresponding key. Modern encryption uses algorithms that make it extremely hard to crack.
- Tokenization replaces sensitive values with surrogate tokens that carry no exploitable information on their own. The mapping back to the real data is kept in a separate tokenization system, and only a request through that system reveals the actual data.
- Data de-identification separates personal identifiers, such as name or social security number, from their related data, making it hard for hackers to figure out which data belongs to which individual.
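As an added illustration (not code from the original post or from any vendor), here are the second and third techniques in miniature: a token vault that swaps a sensitive value for a random surrogate, and a de-identification step that splits direct identifiers from the rest of a record. The sample record is constructed; the class and function names are the example's own.

```python
import secrets

# Constructed sample record for the demo; not real personal data.
SAMPLE_RECORD = {"name": "Alice Example", "ssn": "123-45-6789", "diagnosis": "asthma"}


class TokenVault:
    """Tokenization: a sensitive value is swapped for a random surrogate token.
    The token-to-value mapping lives only in this vault, which is meant to sit
    in a separately secured system; every other store keeps just the token."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # so the same value always maps to one token

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Random, not derived from the value, so the token reveals nothing on its own.
        token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers permitted to talk to the vault can get the real value back."""
        return self._token_to_value[token]


def deidentify(record: dict, identifier_fields: tuple) -> tuple:
    """De-identification: split direct identifiers (name, SSN) from the related
    data. The two halves are stored in different places and linked only by a
    random subject id, so a stolen copy of the data half alone names nobody."""
    subject_id = secrets.token_hex(8)
    identifiers = {field: record[field] for field in identifier_fields}
    data = {k: v for k, v in record.items() if k not in identifier_fields}
    data["subject_id"] = subject_id
    return subject_id, identifiers, data


def demo() -> dict:
    """Apply both techniques to the sample record and return what each leaves behind."""
    vault = TokenVault()
    ssn_token = vault.tokenize(SAMPLE_RECORD["ssn"])
    subject_id, identifiers, data = deidentify(SAMPLE_RECORD, ("name", "ssn"))
    return {"ssn_token": ssn_token, "subject_id": subject_id,
            "identifiers": identifiers, "data": data}
```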
With an imminent threat of cyber attacks by criminals who have a proven track record of breaking into the most advanced security systems, every company should be encrypting its data, no matter what.
2. Manage Access to Critical Data
After Target's epic data breach, in which data from 40 million credit cards was lost, Verizon consultants were brought in to assess the security breakdowns. While many factors led to the breach, Verizon's report identified that too many people had access to sensitive data. The report reads:
“Target should limit the access to portions of the network containing business critical systems to only the employees who directly manage those systems. Where possible, Verizon recommends restricting employee network access based on job function.”
As more people within your organization gain access to data, your risk level skyrockets — and Target learned this the hard way. The good news: companies are learning from Target's mistake.
In their Global State of Information Security® Survey, PwC found that user management, including authentication and identity management, is among the top security priorities for 2017.
Centralize Control of all your data users
Identity and access management (IAM) tools, like Auth0, can help you manage your users' identities and permissions by automating authorizations, creating and provisioning users, and blocking users.
Implementing an IAM technology to ensure the right users are securely accessing the right data adds a much-needed layer of extra security. It allows you to authenticate, authorize, and evaluate users according to your policies and rules. There is never a need to save a list of credentials on a server or worry about too many people having access.
When more than 80% of breaches originate from static user credentials, restricting and managing access to critical data becomes a no-brainer.
3. Hack Yourself to Anticipate Future Attacks
Hackers spend every minute of every day inventing new ways to attack your systems, trying to find the weak spots in your ecosystem of technologies. How can you possibly keep up? Hack yourself.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. ― Sun Tzu, The Art of War
Penetration testers go beyond what automated scanners can find to actually attack your network and exploit your system's weak points. The goal is to test the real-world effectiveness of your security system against savvy, human hackers, who will try everything in the hacker playbook to break in.
Similar to a fire drill, this will give your team the experience to see what a breach looks like and practice their protocols as the event unfolds.
Hire Real Hackers To Up Your Game
Major tech companies, including Google, Facebook, and Microsoft, have taken penetration testing a step further by creating bug bounty programs. These programs challenge independent hackers to find vulnerabilities or other bugs that affect the security of their systems. Google has paid out over $3 million to law-abiding hackers who found gaps in their networks.
If you are going to get hacked, it might be better (and cheaper) to pay someone to do it first. You'll tighten up your systems and your team will be more prepared when the real thing happens.
4. Strengthen Your Weakest Link: Humans
Humans are by far the weakest link in the cybersecurity epidemic sweeping the globe. Phishing schemes, ransomware and weak passwords have led to over 55% of data breaches.
Employees are also taking their work outside the office on portable devices that contain sensitive data, which opens up more opportunities for theft, and unsanctioned devices often lack proper encryption.
Empower your employees to be data protectors
Everyone is susceptible to making a mistake that could lead to a horrible data breach. Companies are now taking proactive steps to create a culture of cybersecurity awareness and providing extra protection to mitigate these employee mishaps.
Companies are helping employees avoid data security errors in two ways:
- Educating employees with comprehensive and constant security training. Whether it's handling data, recognizing spam emails, or spotting social engineering, employees need to know how to identify and address security issues. Investing in training can be the most important security measure you implement, as it strengthens the weakest link.
- Implementing two-factor authentication adds another layer of security on your employees' devices by requiring people to verify their identity in two ways, such as a password and an SMS code. This eliminates the concern of an employee losing a device or inadvertently sharing their password. Even if their password is stolen, the account can't be accessed without the second factor, such as a physical device or a biometric like a fingerprint.
The Next Big Data Breach Might be Tomorrow
The threat of a cyber attack is now a part of everyday business, but that doesn't mean you cross your fingers and hope that the security system you have in place will do its job.
Every major data breach that doesn't happen to your company is not only a stark reminder to be diligent; it is also an opportunity to learn from someone else's mistakes.
Equifax didn't encrypt their data, even after Anthem suffered a similar breach three years earlier. Target gave too many people access to data that they didn't even need. At the other end of the spectrum, companies like Google and Facebook pay people to hack their systems, keeping them one step ahead of the real criminals.
Create a culture where your employees are always concerned about protecting the company's data, you're always improving your systems, and you're implementing the right tools to manage authorized users.
While it might be impossible to avoid an attack, you will be well prepared to minimize the damage and stay ahead of the game.