Top Three Security Best Practices
Cybersecurity is limitlessly complex, but diligently employing these three principles can massively reduce the risk of data breaches by cordoning off the main avenues of cyberattacks.
- By Tobin Shea
- July 7, 2022
Twenty-five percent of businesses that experience a data breach subsequently declare bankruptcy, but despite this harrowing statistic, cybersecurity is often an afterthought. Fortunately, the media has covered several events over the past few years -- such as data breaches at Equifax, Facebook, Target, and the ongoing cyberconflict centering around Russia and Ukraine -- which has helped bring the proper attention to cybersecurity. However, serious progress remains to be made.
Cybersecurity tends to be a higher priority for companies in the financial and healthcare industry that routinely manage confidential information, but nearly all businesses would benefit from proper security practices, some of which may be unique depending on business type and size. Regardless, every security strategy should start by following industry standards, updating technology, and educating employees. These are the standard practices, and every organization should ideally go beyond these measures and utilize other proactive approaches.
Follow Industry Standards
Experts across several industries work hard to build and frequently update such cybersecurity standards as NIST, SOC 2, and PCI DSS. In most cases, these standards are not required by law, but they provide a great starting framework for building an effective cyber defense.
It is also important to note that, although often not legally required, failing to comply with industry standards may place additional liability on a business in the event of a data breach. Choosing which standard to adhere to will require some discernment and depends on the company’s industry, but there is plenty of literature to help organizations choose and follow these standards.
Many are discouraged from exploring these voluntary standards by the expensive, tedious, and lengthy audit process frequently required to earn compliance certification. However, companies don’t actually need the certification to practice these standards. Employing these guidelines -- or even just getting close -- is a serious improvement over just “winging it” with security protocols.
Update Your Technology
Vulnerabilities are unavoidable in technology. With tens of millions of lines of code in an operating system alone, building a truly impervious system is an impossible task.
The risk from code-borne vulnerabilities can be curtailed by keeping systems and software up to date. Although updates often include new features and bug fixes, more critically they often contain updates to patch security deficiencies. Even though applying that Windows update in the middle of the workday on Tuesday might be inconvenient, it is imperative that it’s performed right away. Additionally, keeping individual programs -- especially anti-malware -- updated is equally important.
It is shocking how frequently we encounter completely outdated legacy systems in place at organizations dealing with massive amounts of sensitive data. Unsupported legacy systems pose a serious threat because they are no longer receiving security updates and may not be compatible with modern security technology. It’s understandable that organizations want to maximize the life of their systems and avoid costly improvements and migration, but these upgrades are unavoidable, so it’s best to perform them promptly. Otherwise, companies are placing themselves at unnecessary risk of losses far greater than the cost of replacing the legacy system.
Address the People Factor
The human component of cybersecurity is the single most important, yet also the most frequently neglected. The “cyber” in cybersecurity suggests that it is an exclusively tech-centered problem and solution, but no amount of encryption or antivirus can protect a system from employees who don’t follow security protocols, either intentionally or unintentionally.
Data suggests that in 2021, 86 percent of organizations had an employee who experienced a phishing attempt where a bad actor used social engineering to deceive recipients into revealing sensitive information; login credentials to work or financial services are frequent targets of phishing attempts. Unfortunately, phishing is often successful, and the sophistication of these plots continues to increase. Educating employees about how to detect and respond to social engineering attacks can greatly reduce the dangers of this threat vector.
Similarly, spending time building proper security protocols and educating employees about their importance can have a positive impact. This is especially true as remote work has become standard practice. Surveys report that half of employees have improperly accessed work information on personal computers, which are likely not configured with proper enterprise-level protection. Other employee-centered tools, such as multi-factor authentication and regular password changes, are also easy -- and effective -- ways to reduce security risks.
Finally, it is critical that companies do not assume that simply because proper precautions are in place that data breaches are impossible. Unfortunately, many organizations take a relaxed approach to cybersecurity once they have achieved compliance with industry standards, but this passive attitude is partially responsible for the average data breach taking 287 days to detect. Employing proactive methods such as data breach monitoring, stolen credential monitoring, and threat intelligence will greatly bolster a company’s defense capabilities. Furthermore, integrating a response plan with these tools for different types of security events will help streamline the mitigation process for attacks or breaches.
Cybersecurity is limitlessly complex, but diligently employing several core principles can massively reduce the risk of data breaches by cordoning off the main avenues of cyberattacks. Following industry standards, keeping systems up-to-date, and adequately educating employees are powerful methods for keeping cyberattacks at bay.
Never adopt a passive approach to security or assume invulnerability. As cybersecurity improves, so, too, do the tools used by cybercriminals, making it critical for your company to detect and respond to breaches with the proper monitoring solutions and response plans.