Security takeaways for corporations and their employees
With that in mind, how do we slow attackers down?
First, your company should schedule frequent penetration tests. Our networks change almost daily and those changes affect our security posture, so one of the best ways a company can help protect their data is to add frequent penetration tests to their security plan. And before you ask: yearly is not enough!
Second, in some recent breaches, it was reported that security logs weren’t reviewed or monitored consistently. Some of you might be gasping, thinking, “How could they miss that?” The answer to that question is usually either budget, compliance, incompetence, or a combination of all three. To tackle the budget issue, it’s important to have an advocate at the C-level who understands how critical it is to invest in data security and will ensure security resources and funds are adequately allocated; there should really be no excuse not to have a sufficient security budget. For competency and compliance issues, meaningful, thorough training becomes a must.
Continual training goes beyond just the typical phishing simulation tests every employee has gotten in their email inbox. Physical security protocols, and very clear guidelines around employee devices and IoT use, are even more important than most companies think. Security training on these topics has to be a major focus for your IT department, and that training has to be adaptable.
Security takeaways for IT professionals
The reason your IT department has to be dynamic about security training is that the threat landscape is changing constantly, and your internal users will become apathetic if you don’t bring constant awareness to potential hazards.
One thing IT professionals can do to motivate employees to stay vigilant is to ask them, “What did you learn this month? Quarter? Or year?” regarding security and vulnerabilities. This question is useful in 1:1s as a competency check and to help eliminate feelings of “invincibility,” and can also be used as an internal motto or HR talking point to rally the company around security. By constantly asking others and ourselves, “What have you learned?” we’re reminding ourselves of the importance of staying one step ahead of attacks. And as employees measurably demonstrate they are doing everything they can to help protect your company, reward them! A simple Starbucks gift card can go a long way.
With your people properly trained, you can focus on how to configure your systems, software, and tools to keep you safe. “Misconfigurations of X” seems to be the go-to phrase we hear and read almost any time a major breach is reported, to the point where it’s bordering on cliché. So how does an IT team avoid misconfiguring their “X”s? I always tell security folks that you have to first understand how “X” works. I’m not talking about understanding it at the 10,000-foot level, but rather really knowing all the ins and outs. Which APIs does it use? Does it modify any files during installation or deployment? When updates come out, are you provided with extensive detail about what changes are taking place? Will those changes affect or violate your security policies? If so, you need to review and rewrite those policies and make sure everyone involved is aware of the changes.
Regularly monitoring third parties is also a critical practice for slowing down attacks. When we look at past breaches, we see that attackers have breached companies by using connections into the target network via third parties. IT departments need to make sure that the third parties they work with have the appropriate security controls in place, and they need ongoing oversight so that everyone involved keeps those controls in place and shares the same standard for what constitutes “secure.”
Security takeaways for consumers
I know what you’re probably thinking. “Why should there be a takeaway for me? I didn’t breach my own data.” And you’re right. Companies are ultimately accountable for keeping your data secure and being forthcoming in instances where their security has failed and your information has been compromised. But the fact is your data is out there, and you need to be vigilant in watching out for how your data can be used against you.
Consumers’ voices can have a powerful impact on motivating companies to action and holding them accountable. Evaluate products (both apps and connected devices) with rigor and vote with your wallet by refusing to do business with companies that blatantly disregard security best practices or obfuscate how they use your data. Stay up to date on regulatory action and changes happening around the world so you can be an informed consumer.
Taking all of the actions I mentioned above only goes so far if you don’t have your own house in order, so it’s good practice to evaluate whether you’re following security best practices yourself, including using two-factor authentication and secure passwords and regularly cleaning your system. And maybe don’t download that hot new Russian face-aging app if you aren’t going to read the terms of service first.