The opinions expressed by Entrepreneur contributors are their own.
We live in a world where data breaches and ransomware have crippled even large multinational companies. What does every company need to know to tighten its approach to data protection and cybersecurity? What new threats should businesses be aware of?
In a recent series of interviews in Authority Magazine titled "5 Things You Need to Know to Streamline Your Organization's Approach to Privacy and Cybersecurity," we interviewed nearly two hundred privacy and cybersecurity professionals, as well as CTOs and CISOs, who discussed these issues. Here are some highlights from their interviews.
Angela Saverice-Rohan, EY Consulting
Understand the value of your data at risk: To make risk-based decisions about your cyber strategy and set privacy compliance priorities, you need to know not only what data you have, but how your organization uses it. This doesn't mean the company has to go to great lengths to inventory all of its data. Instead, identify and prioritize the systems that contain high value assets – the information that, if exfiltrated, corrupted, or made public, would have a significant negative impact on your business operations.
Know your data defense and data offense strategies: You should be able to explain why either strategy carries more weight in a given year. Data defense is focused on minimizing the downside of data risk, and data offense is about maximizing the value of your data for growth and efficiency in your business. Data defense imposes restrictions and includes cyber and most of your privacy measures. Depending on how you set up your cyber and privacy controls, your data offense strategy could be affected. Your board should be briefed on these strategies, as it allows them to understand the bigger picture and make informed decisions about the tradeoff between two equally important goals.
Understand how cybersecurity and data protection are operationalized in your cloud environments and data lakes: I see a lot of customers talking about cybersecurity and data protection at the beginning of projects to modernize their data ecosystem, but they do not carry the requirements into the operating environment. This means that ownership of the cyber or data protection controls may be unclear (between the cloud provider and the company) or, in the case of a data lake, there may be uncontrolled access and a lack of restrictions on data use cases.
Integrate your cybersecurity and privacy controls into your business through three lines of defense: That means you should have security and privacy controls that apply at the right level of the process and apply to each business unit. This establishes who is responsible for control and provides the right level of risk coverage. An appropriate framework that forms the basis for effective internal control should demonstrate the traceability of all laws, regulations, standards and contractual obligations related to cybersecurity and data protection. It should also have demarcated controls across the enterprise and act as the sole source of truth to aid cyber and privacy programs, resources, and technology support.
Prioritize certain functions over others based on the benefits they will gain: As attacks get more advanced, they take longer to be detected, which increases the risk to the business. Don't diminish your investment in the detection domain. From a privacy perspective, create controls that support privacy by design in accordance with your product / service lifecycle and the collection, processing, storage, disclosure and disposal of personal data. Build these controls into the business at the points where change management takes place. Don't assume that all of your change management activities are centralized. Instead, discuss with the business units how company-specific changes are managed and place the controls in these existing processes.
Gabe Turner, Security.org
Use VPNs: Especially if your employees are on public Wi-Fi networks such as a coffee shop or library, have them connect to VPNs, or virtual private networks, before working online. This encrypts their web activity and hides their IP addresses, making them much less vulnerable to hacking. After getting tired of being locked down, and with cafés reopening, I started working in cafés to escape my home, always connecting to a VPN first before going online.
Use a password manager: To protect employee accounts from unauthorized access, have them use a password manager for all business-relevant online accounts. Password managers check their current passwords and make sure that there is a long, unique, and complicated password for each account. Some password managers can then add advanced authentication methods, such as two-factor authentication in the form of a passcode or multi-factor authentication in the form of a fingerprint or face ID, which prevents unauthorized access. Before I had LastPass as my password manager, I had to constantly reset passwords and used a variation of the same password for each account. Now, not only are my passwords protected in an encrypted vault, but I use Touch ID to log into accounts on my phone, which is both more secure and easier than remembering millions of different passwords.
Identity Theft Protection for Businesses: Many people do not realize that both businesses and individuals need identity theft protection. Identity theft protection services scan a number of areas for identifiable information from companies, such as their tax number. When our business email was implicated in a data breach at Poshmark, we immediately received notifications on our phones and changed our password.
Use anti-virus software: To protect against malware, it is important that all work-related devices have anti-virus software installed. Many services also offer protection from phishing, ad tracking, and even spam calls. I used to get multiple spam calls a day, which would drive me crazy, but with antivirus software I get fewer and fewer.
Train employees: This should be pretty obvious, but some companies cut serious corners on training their employees to protect business and customer data. At the very least, train your staff to recognize phishing links and emails, as these are the most common types of hacking.
Bindu Sundaresan, AT&T Cybersecurity
1. Develop an offensive strategy with a security-oriented mindset: Assume you are already hacked. At any time. If a company builds its operations and defenses on this premise, the chances of detecting these types of attacks and preventing the violations are much greater than for most companies today.
2. Formal vulnerability management doesn't just involve patching and reconfiguring insecure settings: Vulnerability management is a disciplined approach that requires an organizational mindset within IT that new vulnerabilities are found daily and require continuous detection and remediation.
3. Data governance is necessary to provide and protect high quality data throughout the entire lifecycle of this data: this includes data integrity, data security, availability and consistency. The data governance program policies must include:
Delimiting responsibility for those responsible for data and databases
Providing integrity controls to ensure the quality and accuracy of the data
Identifying security measures to protect data
Defining who can carry out which actions, with which data, under which circumstances, with which methods
Assigning responsibility for managing and protecting data to the appropriate levels in the organization
4. A company's brand is a valuable asset, but also a great target. Threat actors take advantage of the public's trust in this brand by phishing or counterfeiting its products under the organization's name. The problem becomes even more difficult when a company interacts with the world through so many digital platforms – the web, social media, mobile apps. Obviously, these commitments are of vital importance to a company. Therefore, something else should also be obvious: Protecting an organization's “digital trust” – “public trust in the company's digital security” – is crucial for a company and not just part of a compliance checklist.
5. Building a security culture takes time and effort. In addition, cybersecurity awareness training should take place regularly – at least once a quarter – in constant conversation with employees. One-and-done won't be enough. People have short memories, so it makes sense to repeat a topic that is so strategic to the organization. This also needs to be part of a larger, top-down effort, starting with senior management. Awareness training should be built into any organization, not just limited to governance, threat detection, and incident response plans. The campaign should be about more than just setting rules apart from the general business reality. It means instilling a security-minded mindset in order to protect a company and get better business results. Security belongs to every employee in the company, from the C-suite to the seasonal intern – every employee owns part of the exposed attack surface, but security programs work best when everyone understands that security makes the company stronger and makes their job easier.
Newt Higman, Sharp Electronics
Make sure you have layered protection in place to secure all aspects of your business: A network risk assessment can help you uncover gaps in your cybersecurity.
Train, educate, train your employees: Hackers use tactics like phishing to trick your employees into giving them access to your network – and they just keep getting better at it.
Have an Incident Response Plan: Just like you have an emergency evacuation plan, you need an incident response plan that outlines all of the steps your organization must take in the event of a security breach.
Know that everyone is a target: Large businesses are an obvious target because of the cash out opportunities, but small and medium-sized businesses (SMBs) are particularly vulnerable to cybersecurity threats. This is because they often lack the resources larger companies have to invest in more sophisticated and comprehensive solutions.
Know that you are not alone: If your IT department is running out of resources, hire a managed service provider (MSP). In fact, Sharp recently conducted a survey that found that 90% of small and medium-sized businesses are using or planning to use an MSP today. Partnering with an MSP is cheaper than you might think, especially when compared to the cost of a cyberattack.
Doug Clare, FICO
Take a risk-based approach to cyber-related challenges: Organizations need to continuously evaluate the cybersecurity prevention measures they are taking. It's not uncommon for organizations to run out of resources dedicated to day-to-day security activities, but the important part is taking a step back to assess the most important assets and make sure they have the appropriate protection. Organizations need to broaden their thinking and make sure they are taking a risk-based approach to protection, which means they understand where the high risk areas are and focus more on those areas.
Avoid a “checklist” mentality: It can be easy for companies to fall into a “checklist” mentality. One of the biggest challenges cybersecurity teams face is having allowed activity, or “busyness,” to substitute for effectiveness. Some cyber teams do it all – push all patches, update all certificates, respond to all vulnerabilities, etc. However, they don't step back from these activities to find out where they really are at risk, so that they can double down on those high risk areas.
Changing times call for heightened diligence: With employees working remotely, and the list of vendors and third parties businesses work with changing due to new requirements, this is the time for bad actors to strike. In times of intense change, organizations need to be more careful than usual about monitoring vulnerabilities, as the likelihood of new security risks increases.
Convergence is king: Risks can mean different things to different organizations, but in general there is a trend towards convergence of important areas within an organization where violations or crime can occur. This includes areas such as cyber risks, fraud, compliance and possibly financial crime. This trend is certainly one to be considered by key decision makers as sharing insights within these departments is a real benefit in preventing breaches and fraud.
Know your network: Make sure you take into account everything for which you are responsible. This goes beyond cyber risks and network security – it can also be a problem with securing product or customer portfolios. We find and hear many stories about organizations that are exploited in the one area they weren't paying attention to … the part that has been forgotten. A well-researched risk inventory can be an important asset, because the chain is only as strong as its weakest link.
Raju Vegesna, Zoho
Use ad blockers and anti-tracking plug-ins in web browsers: Of course, most of the websites we use are free, but most free products still come at a price, and that is in the form of ads. As harmless as many online ads are, some pop-ups tend to overload your browser and can become extremely frustrating. Cookies and other ad trackers are notorious for being cybersecurity threats and for weakening your online privacy. Ad blockers are great for protecting your privacy online. With the more advanced ad blockers and anti-tracking apps, you can block irritating ads, keep your computer running more smoothly, and stop annoying popups.
Thoroughly review user agreements and make software decisions accordingly: One thing that makes privacy very difficult for consumers is that consumers sign terms and conditions that allow these companies to collect huge amounts of data and sell that data. Technically, what they're doing is legal. But if consumers and businesses took the time to read these terms and conditions and user agreements carefully, I think they would find a lot they disagree with and perhaps be more careful with the software they choose to download. You may not think you are vulnerable, but anything connected to your company's network is a potential threat to you and your business.
Turn off unnecessary tracking and location services on phones and computers: Apps and even services on your smartphone are constantly tracking your location, and many consumers don't even know it. Of course, while location tracking can be convenient, it is also a major privacy and security concern. There are many articles online about how to turn off these features, and I highly recommend turning them off and making sure that you prioritize your privacy.
Avoid exchanging information on websites whenever possible: Most websites on the Internet collect data and information all the time. Some websites can even collect data from your open tabs. So if you want to stay in control of who is using your data, take the time to understand what information you are disclosing. You can use websites like Simple Opt Out, which make it easier for consumers to opt out of exchanging data with more than 50 companies. For example, you may not be aware that Chase Bank may share your account balances and transaction history with non-affiliated partners. Similarly, Crate & Barrel can share your personal customer information, such as transactions, email and home address, with other selected companies.
Executives should invest in remote software solutions that protect employee privacy and data: With 2020 forcing most companies to work remotely, the need for remote software solutions has increased, exposing a new area of privacy and data abuse. In adapting to the “new normal,” business security and privacy concerns must be a priority. Malicious activity by hackers, phishing scams, and more are getting smarter and more common. Companies need to view remote software not only as a tool that helps employees stay productive, but also as one that ensures the safety of the company and its employees. 2020 uncovered the weaknesses in software security and data protection and showed us that we can no longer ignore the importance of information security.
Michael Zachman, Zebra Technologies
Know your surroundings: It is extremely difficult to protect things that you do not know you own. This seems very easy, but it is a common problem for businesses. Maintaining an up-to-date list of systems, applications, and devices is a surprisingly difficult task. Knowing which systems are the most important is even more difficult, but a prioritized inventory of digital assets is the foundation for developing and executing a security program. Imagine it is your job to protect a group of school children on a field trip, but you don't have a list of who is going on the trip. This list is probably the first thing you would ask for before leaving school.
Find out about your protections: Based on your inventory, you need to make sure that you have taken appropriate measures to protect your assets. “Adequate” is an important word because not all assets should be protected equally. To use a common example: a company's “Coca-Cola recipe” should be heavily protected, but the menu in the canteen should not. Constantly look for loopholes in your defense. After all, that's what cyber criminals do. If you lock 99 out of 100 windows, cyber criminals will find that one unlocked window. Always keep an eye out for your weakest link so that you can strengthen it.
Make sure to manage your alerts: The best countermeasures will occasionally fail. A good cybersecurity program comes with many alerts to indicate potential problems. The key is to manage these alerts with the correct sensitivity. A common mistake is to use overly sensitive alerts that produce a lot of false positives. False positives are not only expensive to track down, but they also typically result in alerts associated with real problems being ignored or overlooked. Many post-breach analyses have shown that one or more alerts were raised very early in the security breach, but were overlooked or ignored at that point.
Practice Your Response: Organizations will have a security incident / breach. It's only a matter of time, so any good cybersecurity program involves effective incident response. As I mentioned earlier, one of the most critical parts of incident response is pre-planning, which is done in anticipation of a future security breach. These pre-planning activities give companies the best chance of ensuring a quick and effective response to a security incident / breach. Think about fire drills: the time to find escape routes is not during a real fire. It is not enough to have these routes planned; we are obliged to practice them through fire drills.
Communicate well: People equate security with secrecy, and there is some truth behind that. However, good cybersecurity programs also need to be reasonably transparent. For example, executives need to know and understand the cybersecurity risks the business faces. An effective program does not exaggerate the risks by spreading FUD (Fear, Uncertainty, and Doubt) in hopes of getting more budget. Equally, an effective cybersecurity program doesn't understate the risks to get good reviews or avoid difficult conversations. When dealing with external stakeholders, transparency is paramount. Past approaches of denying and delaying the disclosure of breaches to the public have often proven more damaging to the company than the breach itself. As the saying goes, "It's not the crime, it's the cover-up," and the same is often true for security incidents / breaches. External stakeholders are much more sophisticated than companies might think; they are able to understand the good and bad facts about security incidents. In some cases, companies and executives have been found to have hidden illegal activities in order to cover up major data breaches, or to have otherwise obstructed justice.
Satya Nanda, Fujitsu America
Don't Let the Perfect Be the Enemy of Good: While the ambition to develop a "perfect" comprehensive security and privacy program is honorable, I would recommend starting small, with a security baseline self-assessment, to understand and close the most critical gaps in stages.
Automate, Automate, Automate: With so many new tools and technologies now available – including Robotic Process Automation (RPA) – to automate basic tasks like vulnerability management and patching, engineers have more time to focus on complex analysis and remediation work.
Seek outside help: Most organizations find it prohibitive to have all security and privacy skills in-house. If necessary, seek help from outside consulting and MSS providers to fill in the gaps.
Implement a zero trust model: With remote working the new normal, identity access requirements are reversed as more users, devices, applications, and data are outside of an organization than inside. Protect your business and your customers by implementing a zero trust model for devices.
Focus On Cyber Security Training For Remote Workers: With the changes in the way we work during this pandemic, cyber criminals are attempting to exploit vulnerabilities in remote work. Businesses need to ensure that employees do their part to keep the company safe while they work from home.
Robbert Emery, NEC X
At the risk of saying the obvious, it is important for companies to take a holistic view of data protection and cybersecurity. This means leveraging the competitive advantages of both the human and computational aspects to build a robust, sustainable data protection and cybersecurity system.
Accountability: Implementing a holistic, robust solution is complex and dynamic, and its requirements evolve with new state guidelines, including changes to existing policies and compliance with company policies. So the accountability I'm referring to is top-down – providing the right tools and resources to ensure that the company's data stewards can protect their own data, while ensuring that the tools keep pace with the quickly evolving data protection and cybersecurity environment.
Motivation: Data breaches, data leaks and misuse are all too common problems. When this happens, network and data security teams need to be motivated to face any challenges and be aware of the consequences of delays or out-of-order execution of the security incident plan. It is important to advise the team about the consequences.
Communicating Consequences: The high cost that data misuse and leaks add to productivity, the fines for businesses, and the severe damage that could be done to the creditworthiness of a young adult entering the world of work or college are the main reasons for companies to keep their security teams accountable.
A Closed System: In addition to the human aspects, there are the computer aspects of the system where semi-automation and a closed system enhance the company's data protection and cybersecurity implementation. By that, I mean that using an AI platform and models enables companies to comply with the numerous regional guidelines for protecting consumer and personal data.
Semi-automation: This type of appliance searches various corporate data lakes (and other data sources) for data types and, in particular, for personal data, as defined in the data protection guidelines. It then applies legal remedies in accordance with the guidelines. Since this system is programmable, changes to regulations or guidelines can be easily incorporated into the framework of the AI model. As a result, the system can be retrained within a few days and the updated solution can be redeployed.
Marijus Briedis, NordVPN
Know Your Data Flow: It's an amazingly difficult task for large organizations, but you should know what data is going where and why. Knowing all of the “pipes” and “flows” will help you investigate, analyze, and identify anomalies faster.
Encrypt data in transit: Using ancient and unencrypted protocols for data transmission is a straightforward path to disaster, even if you use them in isolated environments. Man-in-the-middle (MITM) attacks can go undetected for a long time, and if the data is sniffed, it can be a gold mine that allows an attacker to break into other systems. Encrypting data and using modern protocols prevent such cyber attacks.
Encrypt data at rest: In addition to knowing where your data is stored, logically and physically, you should also make sure that it is encrypted. At some point in my career I received an alert that one of the hard disks was reporting a RAID controller error. It returned to normal within 10 minutes, but the disk's serial number was different. After a long conversation with the vendor, they said they had to "change that." I was relieved that all the data was encrypted.
Update the software and technologies your company uses: Keeping software up to date is a given for anyone in a technical role, but other technologies tend to change too. Don't forget that MD5 is not the hash you should still be using to protect the passwords in your database – there are better and stronger alternatives.
Educate your employees about cybersecurity: Regular training is important for everyone, whether it's a non-technical accountant or a geeky developer. Ultimately, the weakest link in cybersecurity sits between the chair and the computer.
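As an added example (not from the interview or from NordVPN), the MD5 point above in working code: a legacy user table hashed with unsalted MD5, which reveals which users share a password, next to a login routine that verifies either scheme and transparently upgrades MD5 records to salted PBKDF2-HMAC-SHA256 on the user's next successful login. The user records are constructed sample data, and the storage format and iteration count are my own choices.

```python
"""Migrating password storage from unsalted MD5 to salted PBKDF2-HMAC-SHA256.

Added example: the user records, the "scheme$..." storage format and the
iteration count are constructed here, not taken from the article.
"""
import hashlib
import hmac
import os
from collections import Counter

# Assumption: iteration count in line with current OWASP guidance for
# PBKDF2-HMAC-SHA256; tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str) -> str:
    """The legacy scheme: unsalted MD5. It is fast and deterministic, so two
    users with the same password get the same digest and cracking is cheap."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """The replacement: per-user random salt plus a deliberately slow KDF.
    Stored as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex> so the
    parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Verify a password against either scheme; comparisons are constant-time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        expected = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(expected, rest)
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return False  # unknown or corrupt record: fail closed


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate, and on success re-hash a legacy MD5 record with PBKDF2.
    Login is the only moment the plaintext is available, so it is the only
    point at which the stored hash can be upgraded without a forced reset."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        users[username] = pbkdf2_hash(password)
    return True


def shared_digest_count(users: dict) -> int:
    """Number of distinct stored hashes shared by more than one user. Only an
    unsalted scheme can produce these; they show an attacker password reuse."""
    return sum(1 for n in Counter(users.values()).values() if n > 1)


def remaining_legacy(users: dict) -> int:
    """How many records still need migration; useful as a progress metric."""
    return sum(1 for v in users.values() if v.startswith("md5$"))


if __name__ == "__main__":
    # Constructed sample table: alice and bob reuse the same weak password.
    users = {
        "alice": legacy_md5_hash("Summer2020!"),
        "bob": legacy_md5_hash("Summer2020!"),
        "carol": pbkdf2_hash("a different passphrase"),
    }
    print("shared digests before migration:", shared_digest_count(users))
    print("alice logs in:", login(users, "alice", "Summer2020!"))
    print("legacy records left:", remaining_legacy(users))
```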