ANS Blog

Cybersecurity’s Dirty Dozen:  The 12 Most Neglected Data Security Best Practices

Cybersecurity

Cybersecurity’s Dirty Dozen:  The 12 Most Neglected Data Security Best Practices

There are more security solutions available to small and mid-sized organizations than ever before. Yet, preventable cyber-attacks continue to happen every day. A big part of the reason is simple—many organizations struggle with cybersecurity. Most IT professionals are overrun with the many tasks needed just to keep their department and systems running. And, as the size and complexity of their network continue to grow, things have a tendency only to get more difficult. 

As a result of a lack of ability to both prioritize and streamline the implementation of best practices, organizations continue to fall prey to fully preventable attacks on their data. 

To be clear, the 12 basic data security best practices that are covered here are not a cure-all for all data security issues. Nor are they the only things organizations should be implementing to stay on top of emerging threats. The truth is, there’s no way (regardless of how sophisticated and expensive your program is) to eliminate all cyber risks and create an “attack-proof” network.  But, organizations that don’t effectively cover basic data security practices, do face near-certain risks.

Here are the 12 most neglected data security best practices that small to mid-size organizations are either not doing frequently enough, or are never doing at all. 

Data Security Best Practice #1: Classify Data Based On Its Sensitivity.

Every organization should know where their data resides within their IT environment and which data is the most sensitive. Industry experts recommend that organizations perform a classification of their data, based on its level of sensitivity, at least twice per year. 

The classification of data includes labeling it in a way that shows that its disclosure has a higher risk. Data classified as higher risk (e.g., payroll records) should have security and access requirements that are drastically more stringent than data classified as lower risk (e.g., press releases). 

Unfortunately, outside of certain government agencies, there is no formula for creating a classification system. Ideally, the system used should be dependent on the particular data. Some organizations use two types of classifications: confidential and public. For others, a higher level of granularity might be needed. 

After data is classified, a security plan can be developed to implement the most cost-effective way to protect that data from various attacks. Along with this, employee’s rights (permissions) to access various classes of data can be properly set.  

Data Security Best Practice #2: Establish and Update Data Access Rights.

To prevent unauthorized access to data, security experts recommend strictly enforcing the principle of least-privilege, reviewing access rights every 4-6 months, and deleting rights after important events like an employee termination.

Operating under the principle of least privilege means only granting user permissions that are necessary to carry out duties, for a limited time, and with the minimum rights required for their tasks. This practice can be implemented with respect to data access and technology usage, with the goal of ensuring the security of information. 

Improperly assigning permissions to users, can allow them to carry out actions that they aren’t authorized to do, including accessing, modifying, or distributing sensitive information. 

Data Security Best Practice #3: Review Who Sensitive data is Available To.

According to Varonis’s 2018 Global Data Risk Report, 21% of all folders used by organizations are open to everyone! Watch out for sensitive or confidential information that ends up in “public” areas on the network. Shared or open access drives or folders — ones that anyone who uses the network can access — are a double-edged sword. They can be an effective way to add more functionality for users, but they can also pose a data security risk because they’re usually the first place a cyberattacker will look. 

The design and maintenance of data storage have to be carefully thought through, with benefits and consequences carefully weighed.  It may seem like a “no brainer” that sensitive files and data shouldn’t be put in a generally open folder or directory, but it happens. A lot. Security experts highly recommend that organizations check the content residing on public drives and folders at least every three months, to ensure they don’t contain sensitive data. 

One of the best, basic ways to reduce unauthorized access or use of sensitive data is to remove it from areas of general use. Unless it’s required for compliance reasons, when you no longer need data for daily operations, it should be securely archived or deleted. Experts recommend conducting this important exercise every 90 days. Going back to Varonis’s 2018 Data Risk Report, on average,74% of organizations have over 1,000 stale sensitive files on their operating network. Only 18% delete unnecessary data once a quarter, meaning the rest (82%) are needlessly increasing their threat exposure.

Data Security Best Practice #4: Have Current, Working Backups.

Regardless of size, all organizations are creating significantly more electronic data every year. Most smaller organizations know they rely on this data to operate every day, and can’t afford to lose it. Yet more than half of them are not prepared for an incident involving data loss.

Having a reliable data backup program is an essential part of any security plan because it protects your organization against data loss and drastically speeds up the recovery process. Chances are, at some point, your organization will experience an incident where you lose access to your data. This can be due to any number of factors including a ransomware attack (or other form of cyber-extortion), a user error, a hardware failure or even a natural disaster. 

One of the biggest mistakes made is the assumption that since you’re making routine system backups, all is well. Most experts agree that, at a minimum, a 3-2-1 plan should be followed. The 3-2-1 rule is an easy-to-remember best practice for backup and recovery. It means that when you build out your strategy you should: keep at least three backup copies of your data, keep the backed-up data on two different storage media types, and keep at least one backup copy in an offsite location such as the cloud. Regular recovery testing using your stored backups is also a best practice and critical part of ensuring you can get your critical data back if and when needed. 

Data Security Best Practice #5: Manage Your Endpoint Protection.

One device in your organization with an outdated version of antivirus is all it takes to open up the entire organization to an attack. A single unprotected laptop, tablet or other internet-connected device that uses your network puts all at risk. Just protecting your servers with a current anti-virus subscription isn’t enough. Requiring each device user to maintain their own antivirus protection is not enough. Waiting until you have the time to scan and update devices with the right security patches is not enough.

Having a managed endpoint security solution, installed on every network endpoint (servers, desktops, etc.) will significantly improve your level of protection from a multitude of malware threats. The “managed” part of managed endpoint security means centralized management that ensures every device on your system has the most current version of protection, and provides alerts about where updates are missing. 

In addition to reducing the burden and cost of endpoint security, a managed solution provides: (a) continuous monitoring of all devices and (b) system-wide patches and updates that are automatically pushed out and routinely applied. Another important feature of these solutions is their ability to detect new endpoint devices on the network, as well as discover, report, and prioritize vulnerabilities.

A comprehensive, centrally-managed endpoint security is a fundamental component of a secure IT environment. It’s essential if the number of devices on your network is growing faster than you can keep up with, you employ remote workers, or you have a policy that allows users to bring in their own devices. 

Data Security Best Practice #6: Conduct an IT Asset Inventory.

Security experts encourage the identification of all your IT assets at least once a quarter. This includes  files, databases, software, network resources, printers, employee devices, etc. It’s tempting to consider IT asset management as low-value work, but the truth is, to effectively protect the security of your network, you need visibility and control over all your assets running on it. 

IT asset inventories help you manage the growth of devices and services. They also facilitate faster patching when a new vulnerability is released, as well as the retirement of software when it reaches the manufacturer’s end of support (EOS). 

When conducting an inventory, consider all of your devices no matter whether they are; either on or off your corporate network. Then, document the purpose of each device. What business functions do they perform? How and where are they used? Who is using them? Who is responsible for them? Also, document the expected lifespan of each device and end of life warranty.  Most importantly, determine whether or not the asset might hold or access sensitive/confidential information. If it’s being used by the CEO or HR department, for example, the answer is always going to be “yes.”

Data Security Best Practice #7: Update and Patch Software Promptly.

Nearly 60% of organizations that suffered a data breach in the past few years can point to a known vulnerability for which they had not yet patched (as the source). So, if your organization is one of the 33% that don’t update their software even once in 90 days, you are essentially playing a dangerous game of Russian roulette.

Over the past decade, the amount of new software released has drastically increased the target footprint for cybercriminals. A recent TechCrunch article reports that at least a million computers worldwide, mostly in the United States, remain vulnerable to widely-known malware because system administrators haven’t installed the necessary patches. Cybercriminals continue to use this malware, or similar variations of it, to deliver all sorts of malicious software to unsuspecting victims. So, even though on average 8,000 vulnerabilities a year were disclosed over the past decade, the vast majority of new threats are still leveraging the same small set of vulnerabilities!

When it comes to installing updates and patches, timeliness is also key in enabling you to reduce vulnerabilities. According to Gartner, over the last decade, the average time it takes between the identification of a vulnerability and the appearance of an exploit in the wild has dropped from 45 days to 15 days. This means, under theoretical best circumstances, you have approximately two weeks to patch or remediate your systems against a new exploit.

Data Security Best Practice #8: Use a Password Policy and Enforce Strong Passwords. 

When it comes to passwords use this simple rule-of-thumb: if it’s easy for you to log into your accounts, it’s easy for a hacker to do the same. Current data breach reports tell us that somewhere around 60% of hacks take advantage of weak passwords. Establishing a password policy that’s enforced is the first step in being able to build a stronger defense. 

A password policy starts with a set of rules governing how you design combinations of words, numbers and/or symbols that grant access to a restricted online area. A password policy can also mandate password updates on a regular schedule.  While usually disliked by most, a strong password policy is the front line of defense against unauthorized access to information by curious employees, ex-employees and, of course, hackers. To make and keep passwords robust:

  • Use a minimum of 10 symbols, including numbers, both uppercase and lowercase letters, and special symbols—better yet, use passphrases consisting of a minimum of 15 symbols using letters and numbers. 
  • Enforce regular password updates (no less than every 90 days).
  • Do not use the same password for multiple websites containing sensitive information.
  • Use a password manager to make the process easier. 

When it comes to system administrators, changing passwords is even more important than regularly changing them for lower-privileged users. Administrator passwords need more stringent security requirements because the consequences if these accounts are compromised are much greater. If an attacker gets the password of a low-level user with limited privileges, the amount of damage that can be perpetrated can be contained. If an attacker gets the password of a systems administrator, who has the ability to make major changes to systems, the entire infrastructure can be at risk. Experts recommend changing administrator passwords at minimum once every 90 days as well as prohibiting the use of shared administrator passwords; so, make sure each highly-privileged user has their own administrator login credentials.

Data Security Best Practice #9: Deploy Multi-Factor Authentication. 

Multi-factor authentication (also known as MFA) is a security method that requires the presentation of more than one piece of evidence to verify whether someone or something is, in fact, who or what it declares itself to be. It combines two or more independent credentials: something the user knows (e.g., their password), something the user has (a security PIN or code) or something that defines what the user is (a biometric element like a thumbprint). Multi-factor authentication can be employed for both on and off network access to your network, including the use of VPNs, as well as access to resources that reside in the cloud. 

The goal of MFA is to create an additional layer of defense to make it more difficult for an unauthorized person to access a computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. 

The case for using MFA is clear and compelling. To start, we operate in a world where approximately 80% of hacking-related breaches leverage either stolen or weak passwords. Second, according to TeleSign, 54% of consumers use five or fewer passwords for ALL of their accounts (including work-related accounts).  When people “recycle” their passwords—and you can bet money that your employees do—hackers can take down multiple accounts just by cracking a single password. So if a password from someone’s social media account is the same one they use to log into your organization's network, there is risk.

Data Security Best Practice #10: Perform Periodic Vulnerability Assessments.

A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in IT systems, applications and network infrastructures. It also provides the organization doing the assessment with the necessary knowledge and risk background to understand its threats and react appropriately. They are also an essential tool in the process of improving your security posture.

Vulnerability assessments can be performed within the network, as well as from outside the network. They yield a report where each identified vulnerability is prioritized by severity and/or business criticality, along with recommendations for remediation to reduce the risk. Armed with the list of discovered vulnerabilities, an organization can take specific, targeted actions like applying required patches and fixing misconfigurations. 

The risk/benefit information provided by a vulnerability assessment also helps organizations prioritize and optimize their security investments. This is important because cyberthreats are a moving target; with limited resources to spend, knowing where to apply your security budget for maximum impact is the key to reducing risk. 

Often, IT teams only conduct a vulnerability scan as a procedural ‘check the box’ measure. Sometimes they're only used in reaction to a security incident. Either way, when vulnerability assessments are used so infrequently, they usually have almost no measurable impact. To be effective, organizations should conduct them regularly (at a minimum, twice per year) and view them as a key measurement tool in an ongoing process of improving their security stance.  

Data Security Best Practice #11: Educate Users About Cybersecurity. 

Despite investments in security technologies, risks to confidential data are here to stay. One of the big reasons for this is the reliance of organizations on employees’ always “doing the right thing and doing things right.” Security awareness training educates employees on how to recognize and respond to various forms of social engineering, like phishing, as well as spot other threats designed to breach systems and steal sensitive data. It’s a proven, front-line method for helping organizations protect themselves from hackers and other bad actors. 

According to Verizon’s 2018 Data Breach Investigation Report, over 90% of attacks, including ransomware and data breaches, stem from employee phishing, social engineering, and other employee error-related incidents. These relatively low-tech criminal tactics are designed to evade traditional security controls by starting from inside an organization—primarily through emails and text messages. Phishing attacks are effective because they’re often personalized and sophisticated, usually containing provocative messages that compel staff to unknowingly turn over access to company systems, data and funds.

Human vulnerabilities and careless mistakes are baked into our DNA; they are factors that can never be eliminated solely through technology. This is where security awareness training becomes important. When employees are given sufficient training, on the whole they make better, and more efficient use of security controls. They learn to appreciate that the technology controls in place are there for an important reason. So, they are less likely to ignore, bypass, or disable them. 

Understanding why we need long passwords, for instance, and how to choose a passphrase, makes it easier to be secure. Along the same lines, employees who understand how they might be targeted by cybercriminals are less likely to fall for scams or to ignore the early signs of trouble. When applied, awareness training turns employees into the equivalent of skilled drivers, who learn to spot and be extra cautious when dealing with an unknown path. 

The effectiveness of security awareness training can be measured in a very straightforward way. All employees can be tested using simulated phishing messages or phone calls throughout the year. The testing provides performance reports so that you can measure improvements in employee behavior as their training progresses.

Data Security Best Practice #12. Have a working incident response plan.

In order to quickly recover from a security incident, every organization needs to have a security response plan. And, in order to have a solid security response plan, a few key elements are required. These include: drafting a plan, getting it approved, continually training employees, and carrying out test runs. In reality, a whopping 83% of organizations admit to failing to execute all of these elements.

Having a plan to deal with a cyber incident — should one occur — is as equally important as building your defenses. Why? Because there is no such thing as guaranteed protection. And, in the event of an attack on your systems, time is of the essence. 

A cybersecurity incident response plan establishes a set of response tactics and tools to ensure that when you need to respond quickly and effectively, you have the people, processes, and technologies in place to do so. In turn, a quick and effective response minimizes the financial damage and, most importantly, protects your organization and its reputation. In short, how you plan and execute a response to security incidents can make the difference between a “crisis” and an “event.”

A Cybersecurity Solution Designed for Small and Mid-Sized Organizations 

When it comes to cybersecurity, there is no “silver bullet” that can guarantee your organization will never experience an incident. But following these 12 fundamental security best practices can help you significantly reduce your attack surface and the risk of security and compliance issues. 

At Advanced Network Systems, we recognize that many small and mid-sized organizations don’t have the internal resources to properly assess their own needs and defend against the newest threats. At the same time, we also recognize that small and mid-sized organizations need the same cyber-protection as large corporations. Our cost-effective Managed Security Services Program provides all the services needed to correct vulnerabilities and build a stronger, ongoing cyber defense. Plus, it provides a team of cyber experts who proactively monitor, analyze and respond to suspicious activity that can damage your organization and your reputation. 

All of this is now available at a fraction of the cost of adding even one IT security specialist to your own staff.  Don’t wait for a major crisis to strike — better control over the security basics and beyond is available today.