Danger for Data, Part Three: Remedies for Risk

Danger for Data, Part Three: Remedies for Risk

Danger for Data, Part Three: Remedies for Risk 736 310 Bob Janacek

My two previous DataMotion Blog articles covered the risks of a data breach and where they live in an organization, focusing on both the IT side and the business side. As was mentioned, it is not a question of if your enterprise will suffer a breach, but rather a question of when. In this installment, I will discuss solutions and actionable steps you can take throughout the enterprise to mitigate data breach risks, improve overall security and compliance, and in some cases, greatly improve efficiency in existing workflows and daily tasks. Read on to learn more about securing your legacy systems, what to consider before implementing a BYOD program, and why due diligence is a critical part of your security strategy.

Securing Your Legacy Systems

Legacy systems are notoriously difficult for IT teams to manage, but doing a full rip and replace is an even more difficult task for the business to accomplish. These systems typically don’t easily connect with other solutions.  They also may lack support from their provider, and their code is often so old it seems as if it was written by Charles Babbage himself. Plus, finding staff with the skills to maintain the systems can be nearly impossible. Luckily, quite a few options exist for securing these systems and allowing them to participate in modern workflows. Your options can range from patching known security issues via updates and hot fixes, to implementing advanced perimeter protection, to using secure data exchange platforms to allow those systems to safely participate in modern workflows. You may even “quarantine” legacy systems from other critical data, thus reducing the number of connections they have to your network. While this is certainly not an exhaustive list of your options, it does provide a good place to start so you can begin formulating your strategy to safely extend the value of these systems.

Proper Permissions, Planning and Protocol Prevent Poor Performance

Permissions and protocols serve a critical purpose throughout an enterprise, on both the IT and business sides. By establishing expectations and guidelines, leaders in any department can mitigate the risk of a data breach from a number of factors, including malice and carelessness.

For a development team, setting lax data permissions at the outset of a project may seem like the easiest route to take.  However, this laissez-faire practice can come back to haunt you. All it takes is just one employee making a mistake, or one intelligent thief sneaking in. One recommended best practice is to grant the necessary permissions only to those who absolutely require access to a specific folder.  It is also important to verify that none of your folders give groups or individuals access to information that they shouldn’t have access to (aka permission propagation). As you modify and update permissions, you must maintain this strategy of applying only the permissions that are strictly necessary. Failing to do so will increase the chances of falling victim to a data breach.

What’s outlined above is very similar to a strategy called “zero trust.” At its core, zero trust is an internal-facing security strategy focused on hypervigilance around systems and information access, as well as who is on your systems. As mentioned in a previous blog post, a good example is White House security—someone might be a vetted, trusted entity, but that doesn’t mean they should have full access to your networks or systems.

On the business end, your organization may allow a BYOD (Bring Your Own Device) program, where staff may utilize personal devices to conduct company business. This can include hybrid use of devices, including laptops, desktops, smartphones, and tablets. A BYOD program can reduce business costs and increase employee efficiency. However, it can also make your enterprise vulnerable to a data breach if you do not put forth expectations and appropriate security measures as part of a comprehensive policy.

A few things to consider when embarking upon a BYOD program:

  • Who is eligible to participate
  • Acceptable devices and operating systems
  • Who has access to what company data
  • Ownership of information on each device
  • What constitutes appropriate use
  • Adopting a zero-trust strategy

Here are a couple of resources to get you started when creating a program and policy:

Bring Your Own Device (BYOD) Policies: Pros and Cons (indeed.com)

BYOD Policy Templates – 4 Best Samples and Examples (wordlayouts.com)

Take the Time for Due Diligence

If you’re considering using an API as part of your organization’s solution, then you’ve likely already done some research to determine the type of API you need, potential vendors, and whether or not they have ample documentation. You may have even looked into the security of the APIs you’re thinking of using – and if you haven’t, you should. As I mentioned in part one of this blog series , choosing an API with SSO authentication, strong encryption, and rate limits are a few good factors to look for that will reduce your risk of a breach.

An equally important consideration is the kind of support you will receive. Questions you should ask include:

  • What kind of support will they provide?
  • Who is responsible for updates and bug fixes?

Can you try a free version of the API to see how it works with your existing systems before you go ahead and commit?

Protect Your Data in Motion

When evaluating the security of your organization’s data exchange solutions, IT and the business alike should focus on both internal and external dangers. Today and tomorrow’s world involves higher stakes for security and evolving compliance requirements. Here are a few examples of why the business should work with IT for better secure exchange solutions:

  • The Ghost in the Fax Machine You may think your fax is complete and the job is done, but not quite. That list of client account numbers? The names and confidential information of social services clients? That sensitive data lives on in perpetuity in the machine’s memory, and can be easily accessed. And the “private” data you sent is often sitting in plain view in the middle of the recipient’s office.
  • “Confidential” is a Canard That Outlook email you sent, or that message that was automatically pushed when a client made a change to their account, may have had “Confidential” in the subject line and a confidentiality statement in the signature. These “security measures” are much like the “Do Not Remove Under Penalty of Law” tags on the pillows you just bought—useless.  Unless that information was sent via an encrypted, secure exchange method, your message is anything but secure or compliant. Only by using encryption can you make your information truly confidential, and therefore useless to a potential thief, who would have been better off stealing pillows.
  • Stumbling Around Security Having a clunky interface, or requiring more than a couple of steps to exchange information securely, is a surefire way for your security system to get in the way of productivity and be bypassed in the name of getting work done. This causes well-meaning employees to lead the business into a nasty data breach.

There are simple secure exchange options that won’t burden your development team, or blow your budget, with some even designed to accelerate your business. For example, to provide a truly seamless, productive and secure experience for your customers, clients, and employees, consider adding secure exchange into the systems they already use. With modern REST APIs and secure protocols, your development team can quickly embed message center functionality to allow easy, secure digital exchanges between your customer-facing apps and your internal customer service systems.

For a turn-key option, consider implementing a pre-built secure mailbox, and with a secure email content filter, you’ll have a secure system that scans every email and attachment sent from your organization for sensitive information. The filter will automatically encrypt messages when necessary (thus, protecting your enterprise against human errors). Or going back to those legacy systems that send out automated emails and documents containing sensitive customer information – don’t forget to protect those exchanges as well with integrated secure message delivery functionality.  The best part about all of these options? None of them involve rip-and-replace or require building a secure exchange solution from scratch. Simply evaluate your solutions and processes currently in place, determine what kind of solution is best for your organization, and then adopt your chosen solution where necessary.

Don’t Place Security as an Afterthought

To put it simply, when your organization deals with any kind of sensitive customer, client, or patient information, security should always be top of mind. In fact, in recent years there’s been a push for developers to “shift left” and move security testing earlier in software development cycles. According to Google, the rationale behind this concept is that a security flaw is typically caused by several interacting factors rather than a single error. By moving security testing to the beginning and throughout the development cycle, flaws can be detected earlier on and thus, fixed in smaller batches rather than en masse at the end of the process. In short, operating with a “security-first” mindset results in secure systems and better efficiency.

This “security-first” mindset also benefits the business side of your enterprise, particularly when it comes to staff security training and password creation. A strong password with two-factor authentication is the first line of defense for protecting critical data stored in employees’ emails, messaging systems, and other accounts.

Training your staff on the art of creating a password is a big step toward improved security. Staff should create strong passwords that are a mix of numbers, symbols, and upper and lower-case letters, ideally avoiding commonly-known cues such as a birthday or a pet’s name. Here are a few tips on creating (and remembering) strong passwords.

I’ll conclude this series (for now) with a summary of a few thoughts and takeaways:

  1. When it comes to a data breach, your organization is at risk, plain and simple. It is a matter of when, not if, your system is potentially compromised.
  2. While you may not be able to fully ward off a cyber invasion, you can take steps to mitigate the risk of a breach by encrypting your data and making it useless to would-be thieves.
  3. Human error is also unavoidable. However, there are solid actions any enterprise may take to decrease the likelihood, and potential impact of, employee errors and prevent potentially damaging shortcuts.
  4. There are many secure exchange solutions, including those listed here, that can be easily implemented and adapt to your enterprise’s changing needs without monopolizing your development team’s time and resources. And the better ones can even increase the speed of your business and improve customer satisfaction.
  5. Both IT and the business side must work together to keep their organization safe from both external and internal threats to their data and systems, including staff security training, agreeing on reasonable access policies, and overall, keeping security as top priority.

I hope that you have found this series to be helpful, and a starting point to enhance, or perhaps even map out, your own strategy for overall data breach risk mitigation. We invite you to learn more about DataMotion, and our secure exchange solutions for financial services (including wealth management), healthcare, and the public sector, as well as the new DataMotion app for securely scanning and sharing documents when you’re on the go.