Security breaches are disruptive to my business. According to the Ponemon Institute’s Cost of Data Breach Study, the average cost of a security breach in 2015 was $4 million–up from $3.8 million in 2014–so every business needs to take data security seriously.
While there are lots of steps you can take, I talk with my clients about these three best practices.
Data is most vulnerable to attack when it’s being moved.
I recommend implementing SSL/TLS protocols. They protect client data as it moves across multiple locations—for instance, to cloud-based archives or off-site servers.
Secure Sockets Layer (SSL) provides a secure connection between two endpoints across three factors:
- Encryption (provides privacy)
- Authentication (through certificates)
- Predictability (via message integrity checking)
Transport Layer Security (TLS), an update to SSL, standardizes private digital communications. TLS works on two levels:
- Record protocol (manages a stable client-server connection)
- Handshake protocol (allows for authenticated client-server communication)
I protect my business’ data by controlling access to it. Cloud hosting service providers offer system administrators tools to ensure that employees have access to the business intelligence data they need to do their job, and nothing more.
Controlled access leads into some common sense follow-ups.
First, I encourage clients to limit the number of administrators in their system. That level of access is unnecessary for most employees to perform their duties.
Second, many clients have overly permissive firewall rules that have no business justification, which create easily correctable vulnerabilities.
Finally, I recommend my clients segment their network, thereby limiting attackers’ ability to move laterally through the system. Segmenting your network makes it harder for infiltrators to access sensitive data but requires an in-depth understanding of where your critical data is stored.
My company’s greatest security flaw was around company culture. My employees were often unaware they were exposing customers to security risks. They took actions because they were faster, or easier, or because they knew nobody outside of IT would notice.
When I see employee inattention as a security flaw, I coach my clients to develop a strong company culture around data security. By making it about protecting the business by protecting the client, I’ve achieved strong buy-in.
A strong data security culture means I educate my clients around the data life cycle:
- What is the data? (payment info, personal identifying info, etc.)
- How is the data created? (form submissions, tracking, etc.)
- How is the data maintained and shared while in use by my business? (to segment my network)
- How is the data stored and archived? (for appropriate at-rest data security measures)
These help me explain to employees, clients, and prospects how they can best protect the business intelligence data that needs to be protected when and where it needs to be protected.
Tier One Technology Partners is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (443) 589- or send us an email at firstname.lastname@example.org for more information.