A few weeks ago, the Online Trust Alliance (OTA) announced that over 90% of data breaches in the first half of 2014 could have been prevented—suggesting that there is a lot of room for improvement in 2015. As the OTA analyzed over 1,000 breaches that occurred during the beginning of 2014, they found that the majority (60%) of these breaches were caused by internal errors and not from external breaches. What this research really reveals is the fact that much of data security is actually within our control.
Looking forward, the OTA has also suggested many good security practices that can make 2015 the year of preventing data breaches, not enabling them. Take a look at the list that the OTA suggested of internal security measures that your company can implement this year:Enforce effective password management policies: Because the majority of last year’s data breaches were caused by internal errors, employee passwords should be a big concern for any company. Employers should take an active role in ensuring that their employees use smart passwords by enforcing 90-day password changes and suggesting tools like LastPass. Run accounts with least privilege user access (LUA): Creating permissions is an essential method to protect important company data. Keeping data only in the hands of people who need it is one way to protect your company data from rogue or lazy employee behavior. Harden client devices by deploying multi-layered firewall protections: Keep your network safe by updating anti-virus software, enabling automatic patch management, and using whole-disk encryption on laptops and mobile devices. Conduct regular penetration tests and vulnerability scans: Because many companies are using cloud software these days, running regular vulnerability tests is an important measure to protect your data. Require email authentication on all inbound and outbound mail streams: Email is one of the easiest ways for data to be compromised. Keep your data safe by authenticating inbound and outbound emails with SPF and DKIM. Implement a mobile device management program: OTA suggests creating a mobile device management plan. This plan would create security surrounding the mobile devices that your employees use in and outside of the office. Using encrypted data and allowing remote wiping of a device are two ways to protect your data on all devices. Conduct continuous monitoring in real-time the security of your organization’s infrastructure: In order to keep your infrastructure safe the OTA suggests monitoring network traffic in real time and analyzing centralized logs (“including firewall, IDS/IPS, VPN and AV”). Deploy web application firewalls to detect/prevent common web attacks: By using both client and WAN-based hardware firewalls, you can ensure that your network is up-to-date and safeguarded against future attacks. Check the Top 10 list of web application security risks identified by the Open Web Application Security Project for tools to help safeguard your network. Permit only authorized wireless devices to connect to your network: Every employee’s Internet practices affect your company’s security. OTA suggests that you “permit only authorized wireless devices to connect to your network” as well as making sure that all guest network access is on separate servers with strong encryptions. ImplementAlways On Secure Socket Layer (AOSSL): Using AOSSL is highly recommended by security companies. DigiCert recommends AOSSL because it encrypts user sessions the entire time they are on your site, not just on individual pages. Review server certification for vulnerability and risks of your domains being hijacked: Your website is more susceptible to attacks if you are only relying on Domain Validation (DV) SSL Certificates. Utilizing Organization Validation (OV) SSL Certificates or Extended Validation (EV) SSL Certificates will dramatically decrease your chance of being compromised. Develop, test, and continually refine a data breach response plan: Spending time creating a data-breach response plan will benefit your company both in and out of a breach situation. Don’t wait until your data has been compromised to create a response plan, make one today.
If security hasn’t been one of your organization’s priorities in the past, make it a priority this year. With the tools available today, your security is within your control.