2019 is set to be the worst year on record for data breaches, with as many as 3,813 breaches reported so far. As a result, businesses can no longer cross their fingers and hope that they won’t fall victim to a breach, because the chances are that they will.
Businesses that are responsible for the personally identifiable information of consumers will likely be subject to a major compliance regulation (such as the CCPA or GDPR) that can, and will, impose substantial fines on those who fail to comply.
If you haven’t done so already, now is the time to make sure that you are sufficiently prepared to keep your sensitive data out of the wrong hands. The following 15 security solutions and best practices are a good place to start:
1. Data Classification
Data discovery and classification is usually the best place to start, as you won’t be able to protect your sensitive data if you don’t know where it resides. Data discovery and classification solutions automatically scan your repositories looking for data that matches pre-defined criteria. These tools can discover and classify a wide range of data types, including PII, PHI, PCI and IP, as well as the types of data covered by specific data protection regulations.
Naturally, to prevent privilege abuse, only authorized users should be able to classify the data. Once you have classified your data, you can set up policies and implement Access Control Lists (ACLs) in a more structured manner.
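The scan-and-label loop described above, as an added example written for this article rather than code from any classification product: each label has a pre-defined criterion (a regex here), card-number hits are confirmed with a Luhn check to cut false positives, and the labels collapse into a sensitivity tier that a later ACL policy can key on. The criteria, the sample repository and the tier names are constructed assumptions.

```python
"""Added example (not from the article or any vendor product): a minimal
data-discovery and classification scanner. The criteria, sample repository
contents and sensitivity tiers below are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Predefined criteria: classification label -> pattern. Real scanners ship
# hundreds of these, tuned per regulation; four are enough to show the shape.
CRITERIA = {
    "PII:email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PII:ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PCI:card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "PHI:mrn": re.compile(r"\bMRN[ :#]*\d{6,10}\b", re.IGNORECASE),
}

# A label with one of these prefixes pushes the resource to the given tier.
TIER_BY_PREFIX = {"PHI": "Restricted", "PCI": "Restricted", "PII": "Confidential"}
TIER_RANK = {"Internal": 0, "Confidential": 1, "Restricted": 2}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a card-number regex alone produces many false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of labels whose criteria match this text."""
    labels = set()
    for label, pattern in CRITERIA.items():
        for match in pattern.finditer(text):
            if label == "PCI:card":
                digits = re.sub(r"[ -]", "", match.group(0))
                if not luhn_valid(digits):
                    continue  # digit run that is not a real card number
            labels.add(label)
            break  # one hit is enough to apply the label
    return labels


def sensitivity_tier(labels: set) -> str:
    """Collapse labels into a single tier that an ACL policy can key on."""
    tier = "Internal"
    for label in labels:
        candidate = TIER_BY_PREFIX.get(label.split(":", 1)[0], "Internal")
        if TIER_RANK[candidate] > TIER_RANK[tier]:
            tier = candidate
    return tier


@dataclass
class Finding:
    path: str
    labels: set = field(default_factory=set)
    tier: str = "Internal"


def scan_repository(repo: dict) -> list:
    """repo maps path -> text; a stand-in for walking a file share or bucket."""
    findings = []
    for path, text in repo.items():
        labels = classify_text(text)
        if labels:
            findings.append(Finding(path, labels, sensitivity_tier(labels)))
    return findings


# Constructed sample repository; every value is fictitious.
SAMPLE_REPO = {
    "hr/employees.csv": "Alice Smith,alice@example.com,123-45-6789",
    "finance/refunds.txt": "Refund issued to card 4111 1111 1111 1111 on 2019-10-02",
    "clinic/notes.txt": "Patient MRN 00123456 seen for follow-up",
    "eng/readme.md": "Build with make; questions to ext. 555-1234",
}

if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}: {sorted(f.labels)} -> {f.tier}")
```

The tier is the hand-off point to the next step in the article: once every path carries a tier, an ACL policy can be written per tier instead of per file, and the scan can be re-run to catch data that drifts into the wrong place.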
2. Data Encryption
Data encryption is probably the most affordable solution available to protect sensitive data, and it is one of the most effective too. All sensitive data should be encrypted both at rest and in transit. There are many free or cheap solutions available that provide full disk encryption, encrypted communication between clients and servers, password managers, virtual private networks, and browser extensions that provide encrypted communication on the fly.
3. Firewalls and Intrusion Detection and Prevention Systems (IDPS)
Firewalls are designed to block suspicious traffic entering the network and are commonplace in most IT environments. While they are still your first line of defense, they are not as relevant as they once were. As attack vectors continue to evolve, more sophisticated technologies have emerged.
Intrusion Detection and Prevention Systems (IDS/IPS) perform a similar role to the traditional firewall, but they are able to provide a much deeper analysis of the network traffic and have more advanced reporting functionality. They can monitor event logs, search for anomalous traffic patterns, check signatures, raise alerts, and even terminate sessions in the event of a DDoS attack.
4. Data Loss Prevention (DLP) and User Behavior Analytics (UBA)
Data Loss Prevention (DLP) is a term used to describe the technologies and processes used to ensure that sensitive data is not lost, either through unauthorized deletion or sharing. The differences between DLP and UBA are subtle. DLP is used to monitor the flow of data between endpoints, while UBA is used to monitor how users interact with the data. Together they provide a sufficient level of visibility to identify most types of anomalous events.
5. Antivirus
This is probably one of the most widely adopted security solutions amongst enterprises today, and for good reason. There are hundreds of antivirus providers, all with similar methods of threat detection (which helps drive the costs down). Antivirus solutions can help you to root out and destroy trojans, rootkits and any malicious code that threatens the security of your sensitive data.
6. Data Access Governance
Data Access Governance (DAG) solutions enable organizations to see who has access to their most sensitive data so that they can ensure the appropriate access controls are in place. Using Data Access Governance solutions, you can monitor when permissions change, spot users with excessive permissions and much more.
7. Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM) solutions give you a granular analysis of the security logs recorded by your environment. SIEMs can organize your log data (deduplicating it, for example) and execute actions when set alerts and conditions are triggered. If you ever want to investigate an incident, a SIEM solution is a must (although they often carry a hefty price tag).
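The three mechanisms the IDS/IPS and SIEM sections above describe (signature checks, anomalous-pattern detection and log deduplication) in one small rule engine, as an added example for this article and not the code of any IDS or SIEM product. The log format, the single signature, the burst threshold and the sample lines are constructed assumptions; the source addresses are from the documentation range.

```python
"""Added example (not from the article or any product): signature and
anomaly rules run over constructed web-server log lines, SIEM-style.
Log format, rules, thresholds and sample data are illustrative assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp>Z <source ip> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Signature rule: a request path that tries to climb out of the web root.
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}


def parse(line: str):
    """Parse one line into an event dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def deduplicate(lines):
    """SIEM-style dedup: collapse byte-identical lines (e.g. a log forwarded twice)."""
    return Counter(lines)


def signature_alerts(events):
    """Raise one alert per event whose path matches a known signature."""
    alerts = []
    for ev in events:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append({"rule": rule, "ip": ev["ip"], "path": ev["path"]})
    return alerts


def failed_login_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Anomaly rule: sliding-window count of 401s on /login per source address."""
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of failures inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["path"] != "/login" or ev["status"] != 401:
            continue
        times = recent[ev["ip"]]
        times.append(ev["ts"])
        while times and ev["ts"] - times[0] > window:
            times.pop(0)  # age out failures older than the window
        if len(times) >= threshold:
            alerts.append({"rule": "failed-login-burst", "ip": ev["ip"], "count": len(times)})
            times.clear()  # one burst yields one alert, not one per extra failure
    return alerts


def analyze(lines):
    """Dedupe, parse, then run both rule families; returns a summary dict."""
    unique = deduplicate(lines)
    events = [ev for ev in (parse(line) for line in unique) if ev]
    return {
        "unique_lines": len(unique),
        "dropped_duplicates": len(lines) - len(unique),
        "alerts": signature_alerts(events) + failed_login_alerts(events),
    }


# Constructed sample log; 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_LOGS = [
    "2019-11-04T10:00:01Z 203.0.113.5 GET / 200",
    "2019-11-04T10:00:01Z 203.0.113.5 GET / 200",  # forwarded twice: duplicate
    "2019-11-04T10:00:05Z 203.0.113.9 GET /download?file=../../secrets.txt 403",
    "2019-11-04T10:01:00Z 203.0.113.77 POST /login 401",
    "2019-11-04T10:01:05Z 203.0.113.77 POST /login 401",
    "2019-11-04T10:01:10Z 203.0.113.77 POST /login 401",
    "2019-11-04T10:01:15Z 203.0.113.77 POST /login 401",
    "2019-11-04T10:01:20Z 203.0.113.77 POST /login 401",
    "2019-11-04T10:02:00Z 203.0.113.20 POST /login 401",  # one typo, then success
    "2019-11-04T10:02:10Z 203.0.113.20 POST /login 200",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS)["alerts"]:
        print(alert)
```

Deduplication here collapses only byte-identical lines, so a burst of distinct failures is still counted; the single mistyped password from the second client falls under the threshold and produces no alert, which is the behaviour you want before wiring an IPS to terminate sessions on the rule.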
8. Privileged Access Management (PAM)
Often cited by Gartner amongst their top security projects each year, privileged access management (PAM) is a must for organizations serious about data security. PAM solutions allow you to restrict privileged access within an existing Active Directory environment in order to isolate privileged accounts and reduce the risk of stolen credentials.
9. Cloud Security
Both consumers and enterprises are trending more towards cloud-based data stores, and the trend is set to continue into 2020. Despite the numerous benefits from cloud storage, there are still some security concerns. Many cloud security vendors provide security as a service (SECaaS) on a subscription basis to help improve cloud security. Be sure to check what platforms are covered so that you can get the solution best suited to your cloud or hybrid environment.
10. Change Auditing
One of the most basic and fundamental aspects of data security is visibility. Knowing what changes are occurring to your permissions, data and environment is essential when it comes to detecting and reacting to potential security threats. Look for change auditing solutions that provide real-time alerting and predefined reporting to help with compliance and security challenges.
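Data Access Governance and change auditing work on the same input, an ACL snapshot, so one added example covers both sections above (plus the least-privilege review it feeds). It is written for this article and is not the code of any DAG or auditing product: it expands groups to users to show who can reach Restricted data, flags broad principals and users whose effective rights exceed what their role needs, and diffs two snapshots to raise real-time-style alerts on permission changes. Share paths, groups, roles and both snapshots are constructed assumptions.

```python
"""Added example (not from the article or any product): access review and
permission-change auditing over constructed ACL snapshots. Paths, principals,
roles and sensitivity labels are illustrative assumptions."""

# Sensitivity per resource, as a classification scan would have produced it.
SENSITIVITY = {
    "/shares/hr/payroll": "Restricted",
    "/shares/public/templates": "Internal",
}

# Principals that grant access to (nearly) everyone; never acceptable on Restricted data.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

# What each role legitimately needs on Restricted data (least privilege baseline).
ROLE_NEEDS = {"payroll-admin": {"read", "write"}, "payroll-clerk": {"read"}}
USER_ROLES = {"alice": "payroll-admin", "bob": "payroll-clerk", "carol": "intern"}
GROUP_MEMBERS = {
    "HR-Payroll": {"alice", "bob"},
    "Domain Users": {"alice", "bob", "carol"},
}

# Two ACL snapshots: resource -> principal -> permissions. Between them, someone
# granted Domain Users read access on the payroll share.
ACL_BEFORE = {
    "/shares/hr/payroll": {"HR-Payroll": {"read", "write"}},
    "/shares/public/templates": {"Domain Users": {"read"}},
}
ACL_AFTER = {
    "/shares/hr/payroll": {"HR-Payroll": {"read", "write"}, "Domain Users": {"read"}},
    "/shares/public/templates": {"Domain Users": {"read"}},
}


def effective_access(acl: dict) -> dict:
    """Expand group entries to users: returns {user: set(permissions)}."""
    users = {}
    for principal, perms in acl.items():
        for member in sorted(GROUP_MEMBERS.get(principal, {principal})):
            users.setdefault(member, set()).update(perms)
    return users


def who_can_access(snapshot: dict, level: str = "Restricted") -> dict:
    """DAG view: for each resource at the given level, the sorted list of users."""
    return {
        resource: sorted(effective_access(acl))
        for resource, acl in snapshot.items()
        if SENSITIVITY.get(resource) == level
    }


def excessive_permissions(snapshot: dict) -> list:
    """Findings on Restricted resources: broad principals and rights beyond the role."""
    findings = []
    for resource, acl in snapshot.items():
        if SENSITIVITY.get(resource) != "Restricted":
            continue
        for principal in acl:
            if principal in BROAD_PRINCIPALS:
                findings.append(("broad-principal", resource, principal))
        for user, perms in effective_access(acl).items():
            needed = ROLE_NEEDS.get(USER_ROLES.get(user), set())
            extra = perms - needed
            if extra:
                findings.append(("exceeds-role", resource, user, frozenset(extra)))
    return findings


def diff_snapshots(before: dict, after: dict) -> list:
    """Change audit: every permission granted or revoked between two snapshots."""
    changes = []
    for resource in sorted(set(before) | set(after)):
        b_acl, a_acl = before.get(resource, {}), after.get(resource, {})
        for principal in sorted(set(b_acl) | set(a_acl)):
            b_perms, a_perms = b_acl.get(principal, set()), a_acl.get(principal, set())
            changes += [("granted", resource, principal, p) for p in sorted(a_perms - b_perms)]
            changes += [("revoked", resource, principal, p) for p in sorted(b_perms - a_perms)]
    return changes


def critical_changes(changes: list) -> list:
    """Alerting rule: any grant on a Restricted resource is raised immediately."""
    return [c for c in changes if c[0] == "granted" and SENSITIVITY.get(c[1]) == "Restricted"]


if __name__ == "__main__":
    for change in diff_snapshots(ACL_BEFORE, ACL_AFTER):
        print("change:", change)
    for finding in excessive_permissions(ACL_AFTER):
        print("finding:", finding)
```

Note that the review of the earlier snapshot already finds one issue (a clerk holding write through the group), so the value of the diff is catching the new grant the moment it happens rather than at the next quarterly review.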
11. Disaster Recovery and Backup
Should the worst happen and you lose important data, you will need to have a backup and restore solution in place to recover from the damage. All of the most important aspects of your environment should be regularly backed up to allow easy restoration in the event of a data breach or ransomware attack.
12. Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is still one of the most common security measures. MFA adds an extra layer of security to your systems so that malicious insiders or outsiders cannot log in with a password alone. Even if a malicious user has the password to a privileged account, with an MFA solution in place, they would not be able to gain access.
13. Zero Trust
Using a combination of DAG and PAM solutions, you should implement a zero-trust policy where users only have access to the data they need in order to do their job. This way, you reduce the risk of privilege abuse by narrowing the potential attack surface.
14. Security Awareness Training
End users are often the target of cyberattacks, and it never hurts to have regular security awareness training. Teach end users about the most common cyber threats facing them today, how to recognize and deal with phishing emails, how to handle sensitive data and so on.
15. Physical Security
Lastly, you cannot overlook the importance of physical security when it comes to protecting data. You need to make sure that all workstations are locked down so that they cannot be physically removed. Cabinets and drawers should be locked if they contain sensitive information. Security cameras should be installed to monitor unauthorized access. You should even consider implementing a policy that restricts users from taking photos of their screens.