How Executives Can Prevent Data Breaches
When the total average cost of a data breach is $3.86 million, preventable problems are not acceptable. Here's how to mitigate the risk.
Data breaches are so much a part of our way of life that we barely bat an eye any more when another company gets their data stolen. In fact, some publication or another has called every year since 2005 the “year of the data breach”. Every year there are multiple new high-profile thefts of consumer data, and a lot of them are preventable.
Equifax’s 2017 data breach is one of the best-known, and it stemmed from one of the dumbest possible reasons: not keeping up to date with patches. There are multitudes of basic, preventable problems that have caused huge data breaches: sequential user IDs in plaintext, plaintext password storage, transaction logs that don’t check balance on every transaction — the list goes on and on…
When the total average cost of a data breach is $3.86 million, preventable problems are not acceptable.
But data breaches are preventable, and as an executive you have the responsibility to make sure they don’t happen. Here’s how you can mitigate the risk.
1. Get Your Staffing Right
Equifax’s data breach was particularly egregious for a few reasons. One was the scope of the breach, with 143 million people put at risk. Another was their chief security officer being a music major with no known credentials in security.
A company of that size putting their trust in someone who had no credentials in the field is unfathomable. For patching to go undone for that long is also unfathomable, given that the patch that would have fixed the security hole had been available for months.
This could have been fixed with proper staffing. Getting the right people in the right positions is key in any organization, but in an organization that’s responsible for this much user data, it’s absolutely crucial. Make sure those key security positions are locked down.
2. Make Sure There’s Accountability In Place
When two-thirds of CEOs have organizational control over IT and 60 percent have control of the IT budget, the buck stops at the top desk.
Creating a culture of accountability starts at the top. You can’t get into a checklist mentality — once you’ve got your security checklists done, you still can’t rest. A properly-motivated staff looks for other ways to safeguard against things like zero day exploits and other possibilities that won’t show up on a checklist. Even if you’re trying to be GDPR-compliant, it will help — but there are things that won’t show up if that’s all you do.
Accountability starts with the C-suite. Are you empowering the right people to make decisions in the department? Giving them the budget they need? Holding them accountable for breaches and helping them create a better infrastructure?
As Ashley Leonard, CEO of Syxsense, told me in an email, “When it comes to an IT department, it’s important to give them the tools and people they need to do their job. Otherwise, when mistakes happen, the responsibility lies with the C-suite and not the people on the ground. Automatic solutions for patching, innovative employees that come up with possible vectors of invasion, pen testing … all those things go into creating a strategy that keeps your company safe.”
3. Educate Your Employees
This doesn’t just apply to IT. It’s important for every level of a company.
Kaspersky Labs notes that “The vast majority of data breaches are caused by stolen or weak credentials. If malicious actors have your username and password combination, they have an open door into your network. Because most people reuse passwords, cyber criminals can gain entrance to email, websites, bank accounts, and other sources of PII or financial information.”
Make sure you’re keeping your employees up to date with common phishing strategies and testing them periodically to make sure they’re on top of it. Rotate passwords frequently, even if they grumble. It’s important to make sure they don’t unwittingly open your network to attack, and that starts with proper education.
Phishing is one of the most common routes of attack for both personal identity theft and corporate data theft. It’s also getting harder to detect as groups start to use multiple redirects to obfuscate URLs. If you can stop at least the very common methods, you’ll be a lot safer.
4. Stop Data Breaches Before They Happen
Not every breach can be stopped, but it’s absolutely key that you do everything you can to keep them from happening. Data breaches are on the rise across the United States and the world. As more information makes its way onto the Internet, there are more and more ways for us to have our identities compromised and more companies that have our personal information to steal.
You can’t prevent every incursion, but what you can do is harden your perimeter. Make sure you’re not leaving holes in your security through negligence or starving your IT department of resources. Establish a culture of accountability, hire the right people, educate your employees, devote the proper resources to staying patched and secure, and you’ll be able to stop most attacks before they happen.