Are you more vulnerable to data breaches than you might think?
As your teams move back and forth from work from home to in office, one thing is clear—data security is getting more complicated. With those complications what do you do?
Change policies? Beef up your infrastructure and resources? Create new security initiatives?
As you already know and probably hear over and over, your team’s (and your client’s team’s) perimeter now includes home networks.
While the bring your own device policies (BYOD) might have been good enough over the past decade or so, is it sufficient today?
What about changes in migrating more data to cloud environments? Does this have any implications on where data is being accessed, stored and how can you be sure that sensitive information stays secure and private?
As we move well into 2020, we have seen some changes in cyber criminals and your data security stance. We now know that malicious hackers are more interested in getting every penny out of the data they encrypt during ransomware attacks—they have fully implemented strategies to further ransom your data from being leaked.
Ransomware attacks have become so common that many large companies are planning to include ransom payments as line items in their budgets for 2021. Could you ever have imagined preplanning paying for a ransom attack? And committing to shelling out large dollar amounts to criminals? (Not sure I’ve ever heard a bank preplanning for a bank heist in their accounting).
The way we’ve been thinking about data security is encapsulated in layers of security protecting that data. This may involve access management, firewalls (that have IDS and IPS), antivirus and other endpoint security, user training, among other layers of security.
But with data moving around back and forth, most of these necessary precautions are not good enough today to protect you from a data breach. The goal is unified—to protect the data. The problem is that data is easier to find now than before. Essentially, we are still using a border as a definition of how to protect our data assets.
We create walls or layers in the middle of which we place our data. Data no longer is easy enough to simply store in the center of all of our layers.
Even worse, strong perimeters have not kept everything as safe as we wanted our data to be. Today, I want to take a relatively new approach to data security—that data is the new perimeter.
Yes, encryption might be effective, but its slow and can be cumbersome for end users. Data loss prevention is expensive and can be hard to identify and classify as it moves across the network perimeter.
How do we protect our data rather than focus on the walls around it?
This is where the heart of a new approach should focus.
After auditing over 300 MSP networks over the past 6 months, I’ve found that changing your mindset is part of the solution. Our industry needs to change the way we are protecting our data.
I’m not saying throw away your firewall and turn off your antivirus. Rather, I’m arguing that we need to think (and get our teams to think) before they start pushing buttons. How do we create strategies that are easier for end users to stomach where they won’t try to find bypasses to security solutions?
How to make data security simpler?
That’s why the idea of data as the new perimeter might be an answer to resolve our data security problems.
Rather than focusing on breaching the perimeter and putting all of our efforts around fortifying a wall, why not invest more in focusing on our data assets?
Should we be focusing on data at rest and data in transit? Maybe have more tabletop exercises thinking through how to achieve more clarity in where our data is located and how we’re protecting it RATHER than simply layering our security around where we think the data should be.
What’s involved in data security that protects data throughout your environment?
Create understandable policies—do you have data policies that users actually follow? How can we more effectively go through security standards around data use and containment of data at rest and in transit? How can we translate our policies to easy to follow actionable items that can become more habitual for our user bases?
Understand where your data is—If you and your team have no idea where their data is and where it goes, you probably are not adequately protecting data at risk of being breached. Having a tool that can identify information assets will be important for your data security posture. I would recommend at least reviewing data in your environment quarterly.
Evaluate your data risks—if your data was deleted, ransomed or published, what would your risks be for different critical or sensitive data your company stores? Make sure you understand your data risks and how your data impacts your organization’s viability.
Prioritize data security—after you evaluate your data sets and the risks associated with them, start prioritizing which sets of data need to be treated as more important to protect. As your workforce becomes more nomadic in behavior (less people working in a protected physical office), the exercise of prioritizing what data is getting focused attention to protect it might change.
How can you prioritize and implement a data security plan?
We work with our clients to develop metrics consistent with their cybersecurity goals and initiatives. Until you understand what you are protecting and why, you won’t know what metrics are important to you.
