8 Terrible Assumptions You’re Making about Data Security
We’ve all heard the saying that “employees are a company’s greatest asset” and with my career focused in helping great companies find great talent for a tech staffing firm, I would usually agree with such a sediment without second thought. But are employees really a company’s greatest asset? They’re important, yes, but not too many companies fail because they lost a critical employee to a competitor or their CEO retires. However, countless companies, most recently Yahoo, have crumbled due to lost or stolen data. After a massive data breach was announced affecting 1B customers, Yahoo experience unprecedented customer loss, dropping stock prices, and was sold to Verizon for a measly $5B. For a company that was worth over $100M at one point or another, putting their security on the back-burner in favor of convenience was directly related to the failure of one the most recognizable tech giants in history. I think it’s safe to assert that in today’s high-tech world, a company’s greatest asset is their data and protecting that data from vulnerabilities should be their top priority. People and skill-sets are generally replaceable; your company data is not.
Are you doing everything possible to keep your data secure? Here are 8 common (and terrible) assumptions about data security and the massive risks you’re taking by believing them.
This security tool is good enough because it alerts us if we have a breach
Most companies are only concerned about keeping threats out of their data. They use services and tools to monitor the data and are alerted if something breaches the perimeter. Those protection mechanisms are great, but once someone can access the data, it’s a free for all if the data doesn’t have its own security controls to be able to protect itself.
A great way to think about this is by using the example of home security. Many programs can detect if the door to your house is opened and alert you of the intruder. However, they don’t go the extra step of monitoring the intruder while they’re in your house (to see what they might have gotten in to) and actively trying to protect your valuables, aka data. It’s important to choose a solution that acts like an in-house safe, so if an intruder can break the perimeter, they still won’t be able to access valuables that are safely inside a vault. You also want to make sure to invest in tools that can actively resolve problems, not just alert you that you have a problem. This commercial for LifeLock shows the difference between monitoring and actively resolving security issues in a clever way.
When researching tools for your business the following questions are important to ask in the decision-making process:
1. Do you actively protect data where it lives or just the data perimeter?
2. Do you help resolve issues or just monitor when potential issues arise?
We only need to protect our data if industry regulations force us to
Many businesses are required to protect their data due to federal and state regulations. For example, Retailers must follow things such as PCI and hospitals/healthcare companies are regulated by HIPAA. Although your specific company may not be physically obligated to protect your data, there is always a moral obligation and potential legal implications if you do not. Customers will also lose trust in your organization if their data is affected by a security breach.
We don’t need back-ups of our data or computer systems
Whether by negligence or lack of resources, some companies are not consistently back up their data or computer systems, causing them to fall victim to ransomware attacks, the cyber equivalent of kidnapping. “We see ransomware happening across all types of companies,” said DataGravity CEO, Paula Long. “The frequency seems higher and the damage seems greater when there’s lots of shared information, for example University’s and Law Offices.”
This warning came too late for Los Angeles Valley College in Valley Glen that recently was forced to pay $28,000 in bitcoins to the hackers. “It was the assessment of our outside cybersecurity experts that making a payment would offer an extremely high probability of restoring access to the affected systems, while failure to pay would virtually guarantee that data would be lost,” the college said in a statement last week.
The problem? The school simply didn’t have backups to their computer systems. Take note, unless you have Liam Neeson on staff to track down these data kidnappers, not having strong backups will result in either losing all your data or having to pay a hefty ransom, which is what keeps these hackers in business.
It’s common sense — we don’t need any rules or policies for handling sensitive data
A common assumption many companies make is that they don’t need any official policies or rules when it comes to handling of data. Banks don’t close for the day with their safe open and cash left sitting on the counter — they have rules and checks/balances in place to make sure they are not setting themselves up as a target. The same concept should be applied when it comes to your company data — having rules and policies for data handling makes sure everyone is on the same page and important data isn’t a sitting duck for thieves.
On that same note, companies often have a disaster recovery plan that is focused primarily on physical disasters: lightning strikes, hurricanes, etc. The problem is that human error is probably the biggest disaster that happens to any IT organization. They are not thinking through what happens in the case of “virtual disaster” caused by humans. By not including possible human error resulting in an IT disaster, companies also aren’t focused on training and setting up ways to prevent common causes of human error.
“Policies and procedures being put in place can also help prevent some human error. You can also have forced steps set up by IT to help prevent some human error,” commented Paula Long, CEO of DataGravity. “For example, you can have a policy that requires data in a certain place to be encrypted, products like DataGravity can see if certain data is in the wrong place and/or encrypted and quarantine that data until the issue is resolved. You need to assume you have way too much data to police it manually and you need technology to help you.
How can companies try to prevent human error? Education is important, but realize it is going to happen so it’s important to minimize what could happen if someone makes a mistake. It’s also critical to have tools that can alert you that something DID happen to have a remediation plan.
Our environment is virtual, so we don’t have to worry about security policies on new/moved data
In virtual environments, data is movable and there are several incorrect assumptions about data security and policies on moved or newly added data. According to Paula Long, CEO of DataGravity, these are the top three incorrect assumptions in virtual environments that companies should be concerned about:
Incorrect assumption 1: When you move the data, the security policies move with it. That may or may not be true, depending on the type of product you’re using, so it is important to check to make sure security policies actually moved with the data or take steps to add the appropriate policies to the moved data.
Incorrect assumption 2: When you add data, it will get the same policies as everything else. This is not always the case, and any new data being added to virtual machines needs to be reviewed to ensure it’s receiving the necessary security policies.
Incorrect assumption 3: When you add data with updated security policies, it will apply to all data. This is also not true, and in fact, old data is often the most susceptible because new data and policies may be added without steps being taken to update security policies on older data. If you assume your old data isn’t relevant or don’t bother considering the consequences of keeping your older data cleaned up and up to date security wise, it could cause serious issues down the line.
My data isn’t important so I don’t need to worry about security
On both a personal and corporate level, there’s an incorrect assumption that your data just isn’t important. We all can understand why hackers would want credit card information or social security numbers, but other types of data just don’t seem worth protecting, right? This incorrect assumption can cause serious problems for companies if they aren’t cognizant of how valuable their data really is. Even something as mundane as an expense report might contain valuable information to a hacker.
And even if your data doesn’t have a monetary value, it’s valuable to your organization, and losing this data often results in your company unable to operate. This is the reason ransomware has become a billion-dollar business — your data is extremely valuable to you even if it’s not valuable to others.
My company is too small to be a target
Companies of all size are at risk, and startups are the most vulnerable in their first 18 months of operation. Hackers target companies in every industry and for smaller companies, a serious breach can mean the end of your company. Don’t make the incorrect assumption you’re too small to be a viable target — especially with the very real threat of ransomware.
Thank you to Paula Long, CEO of DataGravity, for sharing her tips in the IT security space. DataGravity is the creator of data-aware security solutions, announced its new product suite, the only industry solution to combat ransomware and secure unstructured data in virtual environments.
Elizabeth Becker is the Client Partner of IT Staffing Firm PROTECH, www.protechitjobs.com. Her hiring and recruiting expertise has been featured in a variety of publications including The Ladders, Recruiter.com, Monster, LinkedIn, Tech.co and more. You can reach her with comments, feedback or to be featured in an upcoming story at firstname.lastname@example.org.