If cybersecurity is on your mind, you aren’t alone. From US municipalities and public regulation commissions to airports to healthcare organizations to retail companies to financial institutions—no industry is safe. Informa reports that the cost of Equifax’s 2017 data breach is now estimated at more than $1 billion, and Ponemon’s 2019 Cost of a Data Breach Report puts last year’s global average cost of a single data breach at nearly $4 million.
Whether you’re evaluating your information security compliance or considering a new data protection program, here are seven key insights that cybersecurity experts wish every company knew.
#1: Why data protection is so complex
Simply installing data loss prevention (DLP) software or putting a firewall around your network might have done the trick a decade ago. But in today’s cloud-centric, connected world, such steps don’t go nearly far enough to protect your organization.
Today, most organizations still spend the bulk of their cybersecurity budget and effort protecting their network perimeter. But that perimeter no longer exists. Although on-premises security is important, it’s now equally vital to protect data wherever it resides (or travels) in the cloud or on user devices. That significantly complicates any DLP effort.
At the same time, the cybercrime landscape is becoming as complex as the technology it targets. Cybercrime is no longer the realm of disgruntled employees and petty scammers. Today, attackers range from organized crime to nation-state actors.
And of course, as our reliance on connected devices and anytime/anywhere access to data continues to grow, so will the complications around protecting that data.
What does all this mean for your cybersecurity plan?
- On-premises–only precautions aren’t enough.
- Tasking generalized IT experts with cybersecurity is unrealistic—and unwise.
- DLP is a full-time effort.
#2: What really matters—and what’s really at risk
Every organization is at risk from cybercrime. Attackers no longer seem to discriminate between global enterprises and midsize organizations, private enterprises and government utilities, customer-focused industries and nonprofits. What matters to cybercriminals is the potential value of three things:
- Your intellectual property (IP)
- Users’ personally identifiable information (PII)
- The ability to use your users or data to reach additional targets
What do these targets have in common? Two things: data and people. The key to knowing what you should focus on protecting, then, is to determine which data and people are at risk, when, and where.
Before you take steps toward developing a data protection plan, make sure you have a complete and objective picture of your security posture:
- Identify your most important assets. Which data holds the most value? Which users are most vulnerable? Look outside your network to evaluate all the apps and infrastructure that touch your data. Remember to take internal governance and regulatory demands into consideration.
- Determine where your vulnerabilities lie. Simulated Targeted Attack and Response (STAR) exercises and other types of specific penetration testing can help reveal weak spots. Test your infrastructure from both an internal and an external perspective.
The complexity of today’s technology and data ecosystems means that automated vulnerability assessment tools aren’t the safest option for this task, so consider professional penetration testing by an experienced specialist.
#3: How your security strategy aligns with your business needs
By now, you might be wishing you could just lock down every file! Of course, that isn’t possible; even the most granular data protection program must enable users to continue conducting business. So how can you balance security and business needs?
Many companies aim to implement security best practices that apply to their industry. That’s a good start, but every organization has specific and unique needs.
- What is your cybersecurity budget? This question considers not just what you can afford to spend, but what you can afford to lose should attackers breach your defences.
- What are the business consequences of a data security breach? You might develop a plan that meets best practices or even regulatory requirements, but if it doesn’t truly protect your important business practices, it doesn’t go far enough.
- How do these two considerations line up? Unless you have unlimited funds, it’s likely that you’ll need to balance cost with consequences. The calculations can be complicated, so work with an expert who can help you determine the pros and cons of your various security options and the ins and outs of your information security compliance needs.
#4: Why user training is so important
A large proportion of data loss is accidental. As we’ve noted before, users are your front line of defence against data loss; they’re also often the weakest link.
People make mistakes. Users—especially those with little or no technical knowledge—can easily compromise data without even realizing they did anything wrong. That’s why educating them about security and training them to use secure practices is vital.
We encourage all our clients to take user education very seriously. Exactly what constitutes “seriously” depends on your organization. For instance, one insurance company has a highly developed user education program. They actually block users from taking actions that could compromise data. And they provide real-time intervention and education in the form of prompts that let users watch a video showing how to unlock the action they’ve been stopped from taking and how to protect the data involved.
But that level of intervention is simply too extreme for other companies. A healthcare organization might not want to interrupt the user experience for patients, for example, or make employees stop work on a critical task to learn about the potential data-security risks of an action.
We understand that most users don’t want to change their behavior and won’t do so unless the alternative affects them in some way. But ultimately, you need to implement an education program that matches your business model and processes.
#5: How to calculate the true cost of in-house data protection
As the cost of cybersecurity breaches rises, so does the cost of data protection. It only makes sense to look for the most economical options. However, many companies mistakenly equate “most economical” with “in-house.”
Cost is a big objection for companies that are considering managed data protection services. When considering the costs of an in-house cybersecurity program versus a managed service, make sure to look beyond the “price tag” and add up the costs associated with the work you’ll need to do to achieve the same results as the managed service:
- How many specific areas of security expertise are required to evaluate, design, and implement your security plan?
- Do you already employ experts in each area? If not, how much will it cost—and how long will it take—to locate, hire, and train those people? If you do have in-house experts, how many hours of their time will be required to fully manage your program, and which other tasks will they need to delegate—and to whom?
- What hardware and software will be required to implement your plan? Do you already have access to it? If not, how much will it cost to purchase and to maintain, update, and patch regularly? Who will be in charge of purchase and maintenance, and how much time will they need to devote to those tasks?
- How much time will you need to earmark, and how many employees will be required, for constant review of alerts to determine which need attention and which are false positives?
You can see how quickly these pieces add up to make an in-house security solution more costly, demanding, and inefficient than you might expect. For small and midsize enterprises, just the effort to hire the necessary resources to slice and dice security data—eliminating noise and focusing on priority issues, creating custom reports—can tip the calculation in favour of managed data protection services.
#6: Why data protection is a process, not a project
Most organizations are aware that data protection is a constant challenge. The cybercrime industry is a huge source of criminal revenue—generating more than $1.5 trillion in 2018, according to a recent study—and breaches are headline news.
No one wants to hear this truth, but here it is: Data protection is never foolproof. A skilled attacker can always penetrate security defences given enough time, resources, and determination. That’s why implementing information security can never be a one-time project. And it’s why InteliSecure takes a defence-in-depth approach to security controls. Your data protection plan should enable you to continually evaluate and improve your defences as technology and attack techniques develop and change over time.
#7: The secret to a mature cybersecurity program
By now, you might feel overwhelmed by the inherent complexity of data protection. It can be tempting to simply move this daunting task to the end of your to-do list…which brings us to our final tip. The true secret of a mature, effective cybersecurity program is…
Just start. Do something. Begin where you are.
Okay, maybe this is a simplification. But the start to a holistic security plan, one that enables you to see your security implementation from start to finish, really can be as easy as calling a data protection expert. Look for someone who can—
- Evaluate your basic security policies
- Collect information to determine where your vulnerabilities lie
- Refine your existing programs to help you meet industry regulations and best practices quickly
- Focus on your unique concerns and priorities
- Eliminate false positives so that you can address true issues in a timely way
- Offer suggestions for maturing your programs and educating users
- Answer your questions at every step of the process
Once you have foundational elements in place, your provider can work with you in an ongoing partnership to adapt and develop your program’s maturity over time.
Do you need help putting these insights into action?
Contact us. We can help you evaluate your needs, calculate your ROI, and make the case for a comprehensive data protection program that meets your unique business requirements.