Many breaches happen simply because nobody in the organization knew that they could, or how. You can't protect what you don't know you have, and you can't protect what you do have if you don't know it needs protecting. Here are some tips for auditing your data and putting real security action behind the results.
Take Inventory of Your Data
Before anything else, do you know what data you collect and what data you store? Depending on your industry and the transactions that take place between your business and its customers, you may be holding a great deal of personal data that warrants protection. If you have never done this, start with a complete audit of the types of data being collected, then repeat the inventory on a routine schedule so it stays current. Next, find out whether the security measures in place are actually sufficient to protect that data by testing your environment. We recommend bringing in a Red Team for this: members of an internal security team tend to be too close to their own practices to see every attack path, and an outside perspective surfaces the ones they miss.
Once you know what you are collecting, decide what you genuinely need and why. Data you cannot justify collecting is data you should stop collecting; it is a liability, not an asset. For what remains, tell users why you are asking for their personal information and assure them it will be protected, then back that assurance up with action. Beyond the promises you make to customers, make sure your colleagues understand the responsibility they carry for user data and the consequences of not taking that responsibility seriously.
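One way to turn the "routine inventory check" described above into something repeatable is to scan stored records and flag the fields that look like personal data. The following is an added example, not code from the original article: it classifies field values by shape (email address, national ID, IP address, phone number, payment card) and uses the Luhn mod-10 check so that a sixteen-digit account reference is not mistaken for a card number. The records, field names and the `inventory` / `fields_needing_protection` helpers are all constructed for this illustration.

```python
"""Routine data-inventory check: classify the fields of stored records so
personal data can be found, justified, minimised and protected.
Added example, not code from the original article; the field names and
records below are constructed sample data."""
import re
from collections import defaultdict

# Value-level patterns. Deliberately loose: in an inventory a false
# positive is cheaper than a field full of card numbers that goes unseen.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")        # US SSN layout (assumption)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CARD_SHAPE_RE = re.compile(r"^(?:\d[ -]?){13,19}$")  # 13-19 digits, optional separators
PHONE_SHAPE_RE = re.compile(r"^\+?[\d\s().-]+$")


def luhn_ok(number: str) -> bool:
    """Mod-10 check used by payment card numbers; rejects digit strings
    that merely look like a primary account number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value):
    """Return the personal-data category a single value appears to be,
    or None. Free text such as a name cannot be detected by shape and
    must be identified by a human reviewer."""
    if value is None:
        return None
    v = str(value).strip()
    if not v:
        return None
    digit_count = sum(c.isdigit() for c in v)
    if EMAIL_RE.match(v):
        return "email"
    if SSN_RE.match(v):
        return "national_id"
    if IPV4_RE.match(v):
        return "ip_address"
    if CARD_SHAPE_RE.match(v) and luhn_ok(v):
        return "payment_card"
    if PHONE_SHAPE_RE.match(v) and 10 <= digit_count <= 15:
        return "phone"
    return None


def inventory(records):
    """Per field: how many non-empty values were seen and how many of
    them fell into each personal-data category."""
    seen = defaultdict(lambda: {"values": 0, "categories": defaultdict(int)})
    for rec in records:
        for field, value in rec.items():
            if value in (None, ""):
                continue
            entry = seen[field]
            entry["values"] += 1
            label = classify_value(value)
            if label:
                entry["categories"][label] += 1
    return {f: {"values": e["values"], "categories": dict(e["categories"])}
            for f, e in seen.items()}


def fields_needing_protection(inv, threshold=0.5):
    """Fields where at least `threshold` of observed values look like
    personal data: the ones to justify, minimise and protect first."""
    flagged = {}
    for field, e in inv.items():
        for cat, n in e["categories"].items():
            if n / e["values"] >= threshold:
                flagged[field] = cat
    return flagged


# Constructed sample records (test card numbers, documentation IP ranges).
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.com",
     "phone": "+1 (555) 010-0100", "card_number": "4111 1111 1111 1111",
     "tax_id": "123-45-6789", "last_login_ip": "203.0.113.5",
     "account_ref": "4111111111111112", "favourite_colour": "teal"},
    {"name": "Bo Example", "email": "bo@example.org",
     "phone": "555-010-0200", "card_number": "5555 5555 5555 4444",
     "tax_id": "", "last_login_ip": "198.51.100.7",
     "account_ref": "5555555555554445", "favourite_colour": "ochre"},
]

if __name__ == "__main__":
    inv = inventory(SAMPLE_RECORDS)
    for field, entry in inv.items():
        print(f"{field:18} values={entry['values']} categories={entry['categories']}")
    print("needs protection:", fields_needing_protection(inv))
```

Note what the scan does and does not catch: `account_ref` has the shape of a card number but fails the Luhn check and has too many digits to be a phone number, so it is left unflagged, while `name` is personal data that no pattern will find. Pattern scanning locates the structured identifiers; the human audit the section calls for still has to cover the rest.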
Layer Your Security
One wall, tactic or practice is simply not enough. Any single security measure can fail, so assume that each one eventually will. Layering controls means an attacker who gets past one still has to get past the next, which costs them time and gives you more chances to notice them before they reach the data. That layering runs from strong, unique passwords through properly configured firewalls to regular penetration tests of your network, and beyond.
Determine Incident Response Protocols
This comes down to having a plan you hope you never need but probably will at some point in the life of your business. Rather than dwelling on what could go wrong, write down in advance how you will detect, contain and recover from a breach so the team can move immediately instead of improvising. Every incident is different, but the plan should already name who is responsible for what, and the people named should have the experience to remediate quickly.
You will never hear this enough: security awareness is a must across the whole organization. As we said at the start, you can't protect what you don't know you have, and you certainly can't protect what you have if you don't know how. Make sure your employees have both the skills and the knowledge to help protect your network.
Hire Security Consultants
Do you need a Red Team to come in and test whether the measures you put around the sensitive data you capture actually work? There is no single right answer, but we recommend it, because testing is the only way to confirm that your efforts are doing what you think they are. After working through the steps above you are likely to be too close to your own environment to see the approaches an outsider would take against it.