Editor's note: The following is a guest article from Sundhar Rajan, chief information officer at Casepoint.
As multiple high-profile data security events have demonstrated in recent years, the financial cost of a breach (including remedial costs, fines, and reparations) is only the most obvious impact on an organization. Companies are also likely to suffer from declining stock prices, erosion of brand value and reputation, loss of consumer trust, and customer turnover.
While most trends identified in IBM's 2020 Cost of a Data Breach Report are not new, companies lacking robust cybersecurity measures and a detailed privacy framework should take full measure of the report's headline data points: the average cost of a breach in the U.S. is a stunning $8.64 million, the average time to identify and contain a breach is 280 days, and personally identifiable information (PII) costs of $150 per lost or stolen record.
These are sobering numbers, especially during a global pandemic, as companies scramble to develop, implement and pay for new data security technology and protocols in an environment where remote work has become the norm.
Regulations such as the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and similar measures emerging from other U.S. states make the data security stakes even higher, because companies can be held accountable for non-compliant practices even if an actual breach never occurs.
The recent enactment of sweeping privacy regulations also reminds us that data security is a moving target. Companies must be vigilant and agile to mitigate data-based risk in a fast-paced, global business environment that is constantly changing.
Key breach prevention strategies
Because data security is a dynamic, large-scale, multidimensional business problem, it should be addressed from several different perspectives encompassing company policy, technology and culture:
The National Institute of Standards and Technology (NIST) developed exhaustive resources, including a cybersecurity framework and a privacy framework to help organizations understand the scope of data challenges and plan for contingencies related to their business.
Every company should use these guidelines to develop cybersecurity policies and procedures, tailored to the industry they operate in and the regulations they are subject to. This should be a formal, living document that is updated annually.
At my company, Casepoint, where security measures are held to the highest standard, risk management meetings are at the heart of our data security strategy. We hold weekly, cross-disciplinary risk management meetings in which we review ongoing and emerging risks, assess organizational appetite for risk, and prioritize mitigation efforts.
These meetings are part of an overall governance strategy that specifies accountability for risk across the organization, provides oversight of security and compliance measures, and ensures such measures are aligned with business objectives. Discussion topics range from the latest attack vectors and details of our incident response plan to the specifics of account management in the age of remote work and change management processes.
Companies should also have a robust, independent and well-funded compliance program that combines process analysis, data-based tools, employee training and companywide programs that explicitly link core values and ethics to compliance and embrace proactive compliance as an essential component of data security.
COVID-19 has driven home the many advantages of cloud technology for organizations making the transition to remote work. This is particularly true when it comes to data security.
Organizations that have migrated to the cloud have more control around data access and security and are better positioned to quickly respond to potential breaches or compliance issues. Advanced security monitoring tools, events logging, and intrusion detection and prevention systems are all standard among today's major cloud providers.
Web application-specific firewalls built into cloud systems monitor data coming into individual applications and warn users about specific vulnerabilities. Perhaps even more important than specific tools, moving operations to the cloud forces organizations to develop better thought processes about security.
For companies seeking the most essential security tools and protocols for data security, consider:
Ongoing server updates and patch management ensure companies are using the best and most recent versions of tools to protect their data.
Security information and event management (SIEM) tools should be deployed for real-time analysis of security alerts generated by applications and network hardware. These tools can also be used for log management, managed security service (MSS) and security as a service (SECaaS), including authentication, antivirus, anti-malware/spyware, intrusion detection, penetration testing, security event management and other tools.
For vulnerability scanning and web application penetration testing, tools like Nessus and Burp Suite are excellent. Software as a service companies should also incorporate static code analysis to identify potential vulnerabilities.
Data encryption at rest and encryption in-transit — using FIPS 140-2 compliant methodology — is a must, as are management services ensuring there is total ownership of data from creation to deletion.
Account management tools must be used to implement strict access control policies in conformance with the principle of "least privilege." This is especially important in an era of remote work. Tools should be able to monitor unsuccessful login attempts and implement session lock when user activity ceases temporarily. Companies should also conduct access reviews at least twice annually.
Of course, data security measures must also be applied outside the organization. Companies should rigorously vet any vendor who handles company data to understand their data security protocols. This is a due diligence responsibility that too many companies fail to embrace.
At minimum, vendors should deploy cloud technology with industry-standard security tools, including multifactor authentication and compartmentalized data storage. Organizations should seek vendors that routinely undergo testing conducted by third-party assessment organizations (3PAOs) and have met rigorous certification requirements, including FedRAMP, SOC 2 Type II and ISO/IEC 27001:2013.
Data security and compliance cannot be addressed with technology alone. Companies must build a solid security culture within the organization, and leadership on security must come from the top.
Employees and email inboxes are still the most common attack vector and the weakest link in company defenses. Companies that take security and compliance seriously conduct regular, mandatory role-specific training at all levels.
In addition to role-based training, general awareness training is essential to establish clear rules of behavior, alert employees to phishing schemes and similar threats, and encourage them to remain alert and report anything suspicious.
Casepoint uses — and trains its employees in — the zero trust security model, which assumes networked devices, even if previously verified, should never be trusted by default, even if they are connected to a managed network.
Develop comprehensive incident response plan
In spite of every precaution, most organizations will eventually suffer some kind of data breach, compliance failure, or other cybersecurity security event. The advent of widespread remote work in the wake of the pandemic only makes this more likely.
A company whose security plan adopts a purely defensive posture is much more likely to bungle their response to an incident and amplify its negative impacts. Organizations must develop, and regularly review, a detailed incident response plan that designates key roles and responsibilities, establishes incident reporting procedures, and outlines protocols for IT to follow to secure operations and fix vulnerabilities.
Incident response plans should also establish protocols for preserving evidence, documenting mitigation efforts, fulfilling notification requirements to regulators, and communicating both within the company and externally. Companies should also mandate post-event debriefing sessions to understand the strengths and weaknesses of their response.
It may be helpful for some organizations to consult resources like the NIST Computer Security Incident Handling Guide, which was published in 2012 but is still relevant, and the Federal Trade Commission's Data Breach Response: A Guide for Business to get a better sense of the scope of an appropriate incident response plan.
Solid data security programs are not developed overnight. They are long-term, strategic initiatives aimed at mitigating existential threats to the organization. They require rigorous, sustained effort over a period of years. Companies should focus on making continual, incremental improvements to frameworks and toolsets, and reinforce these efforts through regular training and communications reminding employees that security and compliance are responsibilities shared by everyone.