How To Prevent Data Breaches: 15 Best Practices
Businesses across all industries continue to be plagued by data breaches. A December 2020 Security Magazine article revealed that 36 billion records were exposed during 2020’s first three quarters. This was a result of 2,935 data breaches. Data breaches are an everyday reality in a connected business world. Organizational leaders know this. These 15 best practices can be used to reduce the likelihood of a data breach and help you respond more quickly to an attack.
1. Identify sensitive data collected, stored, transmitted, or processed
You must know what sensitive information you collect, store, transmit, or process before you can prevent data breaches. Cybercriminals look for non-public personal information (NPI) and personally identifiable information (PII) because they can sell it on the dark web. Cybercriminals also target intellectual property such as trade secrets and patent documents.
Although the terms are often used interchangeably, NPI and PII overlap only in certain categories. Each also covers data types the other does not.
NPI includes:
- Social Security Number
- Driver’s license number
- Account numbers
- Payment History
- Education data covered under the Family Educational Rights and Privacy Act (FERPA)
- Combinations of anonymized data from the above list that can be used to draw inferences
In other words, a lot of the information an organization collects must be protected or at least disaggregated.
2. Identify sensitive data storage, transmission, collection, and processing areas
Security experts argue that it is impossible to secure data you don’t know you have. Any data security strategy must include information about where sensitive data is stored, transmitted, collected, or processed. Consider an asset detection technology to help you identify and catalog assets such as:
- On-Premises Servers
- Virtual Machines (VMs)
- Identity and Access Management Platforms
- Download forms for corporate websites
As your digital footprint grows, you will add more locations that store, transmit, or process data. Monitor your assets continuously to prevent or minimize the risk of data breaches.
3. Identify people who have access to sensitive data
While it may seem simple to identify users, companies often struggle with this because a “user” can be any of several kinds of identity. When you are creating your data breach prevention strategies, think of the following “users”:
- Standard Users
- Application Programming Interfaces (APIs)
- Robotic Process Automation (RPA/bots)
- SSL/TLS Certificates
- SSH Keys
Each of these machine and human identities acts as an access point in your ecosystem, which makes it a potential data breach risk.
4. Identify devices that store or transmit sensitive data
Management of all devices that can interact with sensitive information is one of the greatest challenges organizations face. You should ensure that all devices are captured as part of asset detection.
Every device connects to your network through a communication port, and cybercriminals search for dangerous ports to gain access to your network. To protect your devices, you must know which ports they use.
5. Assess the risk
Assess the risk posed by every person, device, or location that stores, transmits, or collects sensitive data. This may seem simple at first, but many organizations find it difficult because every device and location added to the ecosystem creates more risk.
A standard user who only has access to one on-premises application that does not contain sensitive data could be considered low risk. A high-risk user is a privileged user who has elevated access to a cloud database storing PII and connects from home using a personal device.
The more devices and identities that store, transmit, transfer, or process sensitive data, the more difficult it is to assess risk.
6. Analyze risk
While analyzing and assessing the risk may seem like one thing, they are two distinct processes that provide different information.
Risk analysis is a way to identify the risks in your organization. A risk analysis is a process that takes each risk assessment measure and adds the potential impact of a data breach.
Organizations use a mix of quantitative and qualitative approaches. One qualitative approach could consider the productivity impact of a data breach, while a quantitative approach would look at the financial costs of a data breach.
Organizations often use a risk evaluation equation that looks like this: Risk = Criticality (probability or severity of a data breach) x vulnerability score x impact.
7. Determine risk tolerance
Determining your risk tolerance is the whole point of risk analysis and risk assessment. Risk tolerance is basically a cost-benefit analysis. It compares the importance of a technology to your business goals with the potential impact that a data breach could have on them.
You can choose from four options when deciding your risk tolerance:
- Accept: You may accept a risk if it has a low business impact.
- Refuse to Accept: Risks may be rejected if they have a significant potential for impact, even if you could transfer them or reduce them.
- Transfer: You can have someone else take on the risk, at a reasonable price, such as through cyber insurance.
You must establish controls to reduce any potential risks. These controls demonstrate that you are aware of how a cybercriminal could gain unauthorized access to sensitive data and that you have options to minimize that possibility.
Some security measures include:
- Identity and access management
- Vulnerability monitoring
- Installing the latest security patches
9. Initiate an IT security policy
A cybersecurity policy is the written documentation that records your risk analysis and tolerance. It documents the procedures and processes that are in place to mitigate data breach risks.
At a minimum, every IT security policy should include:
- Objectives: What the policy aims to achieve
- Scope: What data, systems, and networks does the policy cover?
- Specific goals: Compliance requirements and controls according to industry and regulatory standards
- Responsibilities: Who is responsible for the day-to-day activities?
Privacy and security go hand in hand, but they have their differences. Security policies are designed to prevent unauthorized outside access to sensitive data. Privacy policies can also be used to prevent unauthorized access from the outside.
- Definition of sensitive data
- Data collection
- Data Use
- Data sharing
- Log Data Management
- Data Protection and Security
11. Anti-virus software should be installed
Ransomware attacks are still being carried out by cybercriminals. Research starting in 2020 revealed an increase of 715% in ransomware attacks that were detected and blocked year over year. Ransomware is not the only kind of malware. Cybercriminals often include malicious code in cyber engineering attacks to steal login credentials. Once they have stolen the credentials, they can gain access to networks, software, and systems, where they can continue to escalate privileges unnoticed.
Installing an antivirus solution is one way to reduce the dangers posed by malware. It is also important to keep your antivirus software up to date. Anti-virus software providers often update their malware signatures and use advanced analytics to predict new ones. Anti-virus software detects malicious websites and files, quarantines them, and protects your systems from them.
12. A data governance policy should be established
Data governance is an offshoot of identity and access management (IAM) that has distinct functions. Your data governance policy defines the processes and procedures that will ensure the safe handling and protection of your data.
It should at a minimum include procedures and processes for ensuring data.
Also, you should think about assigning responsible persons to enforce these policies.
13. Initiate a vendor risk management program and policy
In today’s hyper-connected environment, third- and fourth-party business associates are vital to your business operations. Your vendors can enable digital transformation, but they also pose new risks due to the lack of visibility into their security status.
You need to protect yourself against data breaches by creating a vendor-risk management program and policy that address the following:
14. Initiate a program of employee training
Training employees in cybersecurity awareness is essential to guard against social engineering attacks. You must provide training and assess user knowledge to prevent data breaches.
Cybercriminals often engage in social engineering attacks to obtain otherwise-unauthorized access to systems, applications, and networks. Include the following information in your training materials:
- Phishing, vishing, and smishing
- Strong password creation
- Recognizing and avoiding malicious websites
- Risks of unsafe media such as USB drives
15. Data backup and recovery
Backup and recovery is not always a preventative measure. However, it can mitigate many of the productivity and data loss risks that are associated with ransomware attacks.
Include a backup and recovery plan in your business continuity and disaster recovery plans. It is important to have at least three backups on different media, with at least one off-site.
16. Establish a strong password policy
Moving to a cloud-first or cloud-only IT stack means incorporating more web-based applications into business processes. You need to establish a strong password policy in order to prevent attacks such as dictionary attacks.
Use these best practices when creating your password policy:
- More than 10 characters
- Minimum one upper-case letter
- Minimum one number
- Minimum one unique character
It may be worth giving your employees a password management account to increase their chances of creating unique passwords.
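An added example (not part of the original article) that implements the four composition rules above and adds a wordlist check, because a password such as the constructed `P@ssword2024!` satisfies every rule yet is still an easy dictionary-attack guess. The wordlist and substitution table are constructed samples, and the fourth rule is read as requiring a non-alphanumeric character, which is an assumption.

```python
import re

# Constructed sample wordlist (assumption); in practice load a dictionary or
# breached-password list from a file.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "company"}

# Common look-alike substitutions, undone before the wordlist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def dictionary_core(password: str) -> str:
    """Reduce a password to the base word a dictionary attack would try."""
    # Strip digits and symbols from both ends ("Welcome12345!" -> "Welcome"),
    # then lowercase and undo substitutions ("p@ssword" -> "password").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    return core.lower().translate(LEET)


def check_password(password: str) -> list[str]:
    """Return the list of policy rules the password violates (empty = OK)."""
    violations = []
    if len(password) <= 10:                         # "More than 10 characters"
        violations.append("length")
    if not any(c.isupper() for c in password):      # one upper-case letter
        violations.append("uppercase")
    if not any(c.isdigit() for c in password):      # one number
        violations.append("digit")
    if not any(not c.isalnum() for c in password):  # one non-alphanumeric
        violations.append("special")
    if dictionary_core(password) in COMMON_WORDS:   # dictionary-attack check
        violations.append("dictionary")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("summer", "P@ssword2024!", "Tr4verse-Gantry-Lamp"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```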