New Year Resolutions that every Data Security Team can Love
By Mark Settle | February 2, 2021
The incessant implementation of new tools to protect sensitive enterprise data sometimes feels like a high tech arms race between the forces of good and evil. Renewed focus on some basic ‘blocking and tackling’ practices can go a long way towards reducing risk at a lower cost.
Detailed analysis of historical cyberattacks has shown that many forms of intrusion could have been avoided if standard industry practices such as network segmentation, asset management and OS patching had been enforced on a consistent basis. Similarly, many attacks based on credential hijacking could have been deterred if password standards and multifactor authentication safeguards had been enforced enterprise-wide. (On passwords specifically, current guidance such as NIST SP 800-63B favors screening against known-breached password lists and universal MFA over forced periodic rotation, which tends to produce predictable variants of the same password.)
The security of sensitive corporate data can also be measurably improved by simply employing standard hygiene practices on a consistent basis. As the new year of 2021 gets underway, this is the ideal time to refocus the attention of data security teams on some basic 'blocking and tackling' drills.
Clean the data attic. Corporations collect data that is irrelevant, unusable, out-of-date or unfindable in the same way that humans collect junk in their attics. Business teams can come up with dozens of reasons why data that was collected years ago, for reasons that no one can quite remember, needs to be retained just in case a use might be found for it in the future. No one really thinks about the potential security liabilities associated with retaining such information, yet data that has been deleted cannot be stolen, leaked or subpoenaed. Data retention policies in many companies are relatively lax or simply unenforced. The first quarter of the new year is the ideal time for some data housecleaning (including stored backups, which are routinely forgotten when retention rules are applied) and for updating retention policies.
Roll back unused permissions and privileges. Employees, contractors, business partners and customers acquire a steady stream of data access permissions and authorization privileges during the normal conduct of business. Some of these data rights are only needed to perform specific projects or engage in specific activities. Others are awarded simply because an end user is a member of a specific group, not because they actually need them to perform their work assignments. In an ideal world, data permissions and privileges might be suspended on a regular basis and only reinstated at the explicit direction of business managers. In the nonideal world in which we live, a company might simply suspend all data rights that have not been exercised during the past 3, 6 or 12 months to reduce its overall inventory of standing entitlements. Two practical details make such a rule workable: grants issued more recently than the review window need a grace period before they are judged, and a lightweight path to reinstate a suspended right is what keeps business managers from resisting the policy.
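The last-use rule described above, as an added example that is not part of the original article: the script below takes a list of current grants and an access log (both constructed sample data, not real records), finds the most recent exercise of each grant, and reports the grants that have gone unused for longer than the chosen window. Grants younger than the window are deliberately skipped, since a permission issued last week cannot yet have been unused for 90 days.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example (not from the article).
# GRANTS: entitlements currently on the books, with the date each was granted.
GRANTS = [
    ("alice", "finance-db", "2020-01-15"),
    ("bob",   "finance-db", "2020-06-01"),
    ("carol", "hr-share",   "2019-11-03"),
    ("dave",  "hr-share",   "2021-01-20"),  # granted recently, not yet used
    ("erin",  "crm-export", "2020-02-10"),
]

# ACCESS_LOG: (timestamp, principal, resource) for successful accesses.
ACCESS_LOG = [
    ("2021-01-28T09:12:00Z", "alice", "finance-db"),
    ("2020-09-30T17:45:00Z", "bob",   "finance-db"),
    ("2020-03-14T11:00:00Z", "carol", "hr-share"),
    ("2021-01-25T08:30:00Z", "erin",  "wiki"),  # using another resource does not exercise crm-export
]


def _ts(s):
    """Parse an ISO-8601 timestamp or bare date into an aware UTC datetime."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def stale_grants(grants, access_log, as_of, window_days):
    """Return grants not exercised within window_days before as_of.

    Each result is (principal, resource, last_used) where last_used is an
    ISO timestamp or None if the grant never appears in the log.
    """
    cutoff = as_of - timedelta(days=window_days)

    # Most recent use of each (principal, resource) pair.
    last_use = {}
    for ts, principal, resource in access_log:
        t = _ts(ts)
        key = (principal, resource)
        if key not in last_use or t > last_use[key]:
            last_use[key] = t

    stale = []
    for principal, resource, granted_on in grants:
        if _ts(granted_on) > cutoff:
            continue  # younger than the window: too early to judge, revisit next cycle
        used = last_use.get((principal, resource))
        if used is None or used < cutoff:
            stale.append((principal, resource, used.isoformat() if used else None))
    return stale


def review(as_of_iso, window_days):
    """Run the review against the sample data; returns [(principal, resource), ...]."""
    as_of = _ts(as_of_iso)
    return [(p, r) for p, r, _ in stale_grants(GRANTS, ACCESS_LOG, as_of, window_days)]


if __name__ == "__main__":
    for days in (90, 180, 365):
        print(f"{days}-day window: suspend {review('2021-02-01', days)}")
```

Run against the sample data as of 2021-02-01, the 90-day window flags bob, carol and erin; the 180-day window keeps bob (last use in September) and flags carol and erin; the 365-day window flags nobody, because erin's grant is then younger than the window. In production the access log would come from the audit trail of the system that enforces the permission, and a grant flagged here should be suspended rather than deleted so that it can be reinstated quickly on request.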
Beef up authentication procedures. In a cloud-first working world, identity is the security perimeter. Data security can be improved by adding more contextual attributes to the process used to verify end user identity prior to data access. A wide variety of attributes can be employed in this regard, such as user location and IP address; user device type, identity and characteristics (ideally attested by device management or a client certificate rather than self-reported by the client); time of day; or historical patterns of user behavior. There's no need to over-engineer the authentication process by introducing all of these attributes at one time. Adding one or two per quarter would be an ideal new year's resolution for 2021.
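The incremental approach above, as an added example that is not part of the original article: a login attempt is scored against a per-user baseline of familiar countries, enrolled devices, office network ranges and usual hours, and the score decides between allowing, stepping up to MFA, or denying. Each contextual attribute is one entry in a signal table, so "adding one or two per quarter" means appending a row. The baseline, weights, thresholds and login contexts are all assumed values constructed for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed baseline per user (assumed to be derived from the user's recent
# successful logins; not data from the article).
BASELINE = {
    "alice": {
        "countries": {"US"},
        "devices": {"lt-4f21"},  # enrolled device ids, attested by MDM in production
        "networks": [ipaddress.ip_network("203.0.113.0/24")],  # office egress range
        "hours_utc": set(range(13, 23)),  # usual working hours, 13:00 to 22:59 UTC
    },
}


def _hour_utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour


def unfamiliar_country(b, c):
    return c["country"] not in b["countries"]


def unknown_device(b, c):
    return c["device_id"] not in b["devices"]


def unusual_network(b, c):
    addr = ipaddress.ip_address(c["ip"])
    return not any(addr in net for net in b["networks"])


def off_hours(b, c):
    return _hour_utc(c["time"]) not in b["hours_utc"]


# (name, weight, predicate). New contextual attributes are added here;
# the weights are assumed for the example and would be tuned per organization.
SIGNALS = [
    ("unfamiliar_country", 40, unfamiliar_country),
    ("unknown_device",     30, unknown_device),
    ("unusual_network",    15, unusual_network),
    ("off_hours",          15, off_hours),
]

STEP_UP_AT, DENY_AT = 30, 70


def evaluate(user, ctx):
    """Return (decision, score, fired_signals) for one login attempt."""
    baseline = BASELINE.get(user)
    if baseline is None:
        # No history to compare against: require a second factor rather than guess.
        return "step_up_mfa", None, ["no_baseline"]
    score, fired = 0, []
    for name, weight, predicate in SIGNALS:
        if predicate(baseline, ctx):
            score += weight
            fired.append(name)
    if score >= DENY_AT:
        return "deny", score, fired
    if score >= STEP_UP_AT:
        return "step_up_mfa", score, fired
    return "allow", score, fired


if __name__ == "__main__":
    # Constructed login attempts, from routine to clearly anomalous.
    attempts = {
        "routine":    {"country": "US", "device_id": "lt-4f21", "ip": "203.0.113.25", "time": "2021-02-01T15:00:00Z"},
        "new phone":  {"country": "US", "device_id": "ph-9c0a", "ip": "203.0.113.25", "time": "2021-02-01T15:00:00Z"},
        "travelling": {"country": "DE", "device_id": "lt-4f21", "ip": "198.51.100.4", "time": "2021-02-01T15:00:00Z"},
        "anomalous":  {"country": "BR", "device_id": "ph-0000", "ip": "198.51.100.4", "time": "2021-02-01T03:00:00Z"},
    }
    for label, ctx in attempts.items():
        print(f"{label:11s} -> {evaluate('alice', ctx)}")
```

The routine attempt scores 0 and is allowed; an unknown device from the office scores 30 and triggers MFA; a known laptop from Germany on an unfamiliar network scores 55 and also triggers MFA; a foreign, unknown device at 03:00 UTC scores 100 and is denied. The important design choice is that the device signal only carries weight if the device id is something the client cannot simply assert, which is why the baseline assumes device ids issued through enrollment rather than a header the browser sends.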
Chip away at sensitive data in the clear. Encryption and de-identification tools are too widely available to justify the exposure of sensitive data in motion or at rest. Homomorphic encryption can even protect data in use, although it is currently practical only for narrow workloads. Sensitive data should be encrypted whenever and wherever possible. Storing or transmitting unencrypted data should be the exception to standard operating procedures, not an acceptable way of conducting business as usual. This is an initiative that typically cannot be completed overnight but should be pursued on an incremental basis throughout 2021, starting with an inventory of where sensitive data actually sits in the clear.
Ideally, the practices listed above should be performed on a routine, ongoing basis, and in many companies they are. But in others, they’re not prioritized or institutionalized and consequently they’re neglected due to other business demands. Many of these practices don’t require new tools or high priced consultants – they just require time and management attention. Ironically, rigorous enforcement of more stringent data retention policies might actually free up expenditures on data storage that could be redirected elsewhere, such as new encryption tools.
The initiatives recommended above don’t constitute an exhaustive list of data security best practices. Nor can they guarantee the absolute protection of sensitive data from theft, inadvertent exposure or misuse. But they can collectively go a long way towards reducing the data-related risks associated with ongoing business operations.
Incenting good data hygiene
Few IT leaders or business executives would debate the utility of the initiatives referenced above, but it’s admittedly hard to motivate people and organizations to do the things that they should be doing when they have so many other pressing concerns. (How many new year gym memberships or dieting plans are abandoned by the end of February for similar reasons?) Some degree of gamification might help.
Metropolitan police organizations conduct annual gun buyback programs to reduce the risks that firearms pose to individual safety. Perhaps commercial enterprises should place financial bounties on gigabytes of data destroyed, the number of permissions and privileges suspended or gigabytes of data newly encrypted to reduce their risk exposure. The funds generated through this type of self-help campaign might be distributed to employees in the form of a security dividend or contributed to a civic cause. In either event, employees would have a clear line of sight between their risk reduction efforts and more tangible, monetary outcomes.
Many articles have been written about how to foster a security culture within a corporate environment. This article breaks new ground in suggesting that modest financial incentives might influence most employees to take data safeguards more seriously. In short, it’s an opportunity for companies that stress the importance of data security to put their money where their mouth is!