Even smart companies can make data and information security mistakes. Over the past few years, the mistake-prone have included the largest banks, entertainment companies and health care providers. Even law firms are now vulnerable. And it’s not always lack of resources that leads to vulnerability, although for some that’s an issue – it’s often about common traps that are easily avoidable.
In 2014, the average cost of a data breach to a company was $3.5 million, according to the Ponemon Institute. And some put the costs of Sony’s well-publicized breach in excess of $35 million. The impacts are not trivial, but companies can take steps now to reduce their exposure. In this slideshow, Digital Guardian has identified seven mistakes that even smart companies make, according to some top data security experts, and what you can learn from them.
Common Security Mistakes
Securing Only Networks
Securing networks is always a good idea, but endpoints are every bit as critical, particularly since many breaches occur due to human error (downloading malware along with that PowerPoint) or disgruntled employees. Anything connected to the network can be used to bring it down, including testing facilities, end-user PCs and mobile devices, says Artem Metla, OSCP (Offensive Security Certified Professional), security QA engineer at Ciklum. One successful attack can give someone with less-than-honorable intentions the credentials to acquire administrator permissions.
Not Aligning Security with Business Goals
Security projects cannot exist in silos; they need to match up with their overall impact on business goals and revenue, according to Kevin West, CEO of K logix. Security teams miss out on funding because their projects are just seen as an operational expense, not a business enabler. When this happens, data security overall is less effective, since no one except the security team knows why the project is important. Another critical component of getting the whole company aligned with security initiatives is user training. Given the popularity of phishing attacks and other social engineering tactics, employees must receive effective and ongoing training on secure user behavior.
Not Changing Passwords Often – or Tracking Access
Companies that don’t change passwords often – especially when employees leave – are open to data breaches. Disgruntled former employees can cause serious damage with their still-active passwords, according to Sean O’Donnell, chief technology officer at WebiMax. Additionally, companies must keep track of which users have accounts and access to ensure that passwords are deactivated upon departure.
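The two controls above, deactivating accounts of departed employees and rotating stale passwords, can be checked routinely by reconciling an HR roster against an account directory export. The script below is an added illustration, not code from the article or from any of the companies it quotes; the roster, account records and the 90-day limit are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: an HR roster export (username -> status, last day)
# and an account-directory export (username, enabled, password last set, admin).
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("departed", date(2015, 3, 31)),
    "carol": ("active", None),
    "dave": ("departed", date(2015, 1, 15)),
}
ACCOUNTS = [
    ("alice", True, date(2015, 5, 1), False),
    ("bob", True, date(2014, 11, 2), True),        # departed but still enabled
    ("carol", True, date(2014, 9, 10), False),     # password older than policy
    ("dave", False, date(2014, 12, 1), False),     # correctly disabled
    ("svc-backup", True, date(2013, 6, 1), True),  # no HR owner: orphaned account
]
MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value
REVIEW_DATE = date(2015, 6, 1)

@dataclass(frozen=True)
class Finding:
    username: str
    issue: str

def review_access(accounts, roster, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Flag enabled accounts of departed staff, orphaned accounts and stale passwords."""
    findings = []
    for username, enabled, pw_set, _is_admin in accounts:
        record = roster.get(username)
        if record is None:
            if enabled:
                findings.append(Finding(username, "enabled account with no HR owner"))
            continue
        status, last_day = record
        if status == "departed" and enabled:
            days = (today - last_day).days
            findings.append(Finding(username, f"still enabled {days} days after departure"))
        if enabled and (today - pw_set).days > max_age:
            age = (today - pw_set).days
            findings.append(Finding(username, f"password {age} days old (limit {max_age})"))
    # Privileged accounts are listed first so they are reviewed first.
    admins = {a[0] for a in accounts if a[3]}
    findings.sort(key=lambda f: (f.username not in admins, f.username))
    return findings

if __name__ == "__main__":
    for f in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{f.username}: {f.issue}")
```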
Not Knowing Where Their Data Is
Data security becomes significantly less effective if a company doesn’t know what’s happening to their data – where it is being stored and sent, who’s accessing it, and how it’s being used. This information is critical not only to understanding the extent of the risks facing your data, but also for measuring the effectiveness of your security efforts. Christopher Burgess, CEO of Prevendra, Inc., asks “where are your crown jewels? Who can access them? What monitoring or anomaly detection is in place to alert of a compromise?”
Not Vetting Encryption Used by Vendors
The U.S. government requires FIPS 140-2 encryption for data. If an encryption method is not tested and validated by an independent laboratory, then the government considers any data encrypted using that method to be equal to plain text. That poses unnecessary risks to companies, particularly with regulators, according to Ray Potter, CEO and co-founder of SafeLogic.
Neglecting Data Governance
All the technology in the world won’t help if organizations fail to enact policies to protect their data, says J. Wolfgang Goerlich, cybersecurity strategist with Creative Breakthroughs, Inc. Companies need to know how new data is classified and added, who gets access to data and how often access is reviewed. Additionally, there must be policies around backups and redundancies, how data access is controlled and how data is purged. Companies should also evaluate whether their current data loss prevention technologies and strategies will effectively protect them.
Not Disclosing Data Breaches
Transparency at the first sign of a breach is critical for companies to win back customers and rebuild their trust, according to Giovanni DeMeo, vice president of global marketing and analytics at Interactions. Companies must communicate early – and often – about data breaches and what’s being done to remedy them.
These are just seven of the data security mistakes that smart companies make. You’d be wise to check out the 23 additional data security tips offered by experts on the Digital Guardian blog.