Security breaches are disruptive to my business. According to the Ponemon Institute’s Cost of Data Breach Study, the average cost of a security breach in 2015 was $4 million — up from $3.8 million in 2014 — so every business needs to take data security seriously.
While there are many steps you can take, we talk with our clients and prospects about these three best practices.
Data is most vulnerable to attack when it’s being moved.
We recommend implementing SSL/TLS protocols. They protect client data as it moves across multiple locations — for instance, to cloud-based archives or off-site servers.
Secure Sockets Layer (SSL) provides a secure connection between two endpoints across three factors:
- Encryption (provides privacy)
- Authentication (through certificates)
- Predictability (via message integrity checking)
Transport Layer Security (TLS), an update to SSL, standardizes private digital communications. TLS works on two levels:
- Record protocol (manages a stable client-server connection)
- Handshake protocol (allows for authenticated client-server communication)
You must protect your business’ data by controlling access to it. Cloud hosting service providers offer system administrators tools to ensure that employees have access to the business intelligence data they need to do their job, and nothing more.
Controlled access leads into some common sense follow-ups.
- First, we encourage clients to limit the number of administrators in their system. That level of access is unnecessary for most employees to perform their duties.
- Second, many clients have overly permissive firewall rules that have no business justification, which create easily correctable vulnerabilities.
- Finally, we recommend our clients segment their network, thereby limiting attackers’ ability to move laterally through the system. Segmenting your network makes it harder for infiltrators to access sensitive data but requires an in-depth understanding of where your critical data is stored.
Many businesses greatest security flaw has been around company culture. Employees were often unaware they were exposing customers to security risks. They took actions because they were faster, or easier, or because they knew nobody outside of IT would notice.
When we see employee inattention as a security flaw, we coach our clients to develop a strong company culture around data security. By making it about protecting the business by protecting the client, we have achieved strong buy-in.
A strong data security culture means we educate our clients around the data life cycle:
- What is the data? (payment info, personal identifying info, etc.)
- How is the data created? (form submissions, tracking, etc.)
- How is the data maintained and shared while in use by my business? (to segment my network)
- How is the data stored and archived? (for appropriate at-rest data security measures)
These help us explain to employees, clients, and prospects how they can best protect the business intelligence data that needs to be protected when and where it needs to be protected.
CTECH Consulting Group is the trusted partner when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (403) 457- or send us an email at email@example.com for more information.
Published on 3rd November 2016 by Carl Fransen.