Despite the intense media coverage over the years, magazines, blogs, YouTube channels and podcasts dedicated to Internet security, the people responsible for designing and implementing security on web-applications and corporate networks seem to get lost in the battle between cost and benefit... until it's way too late.
It's not simply a matter of exposing sensitive company data either, exposing the data of your clients can devastate not only your business, but your clients as well. The recent Ashley Madison case is a perfect example of how devastating a data breach of customer details can be. The 37 million odd records that were exposed is small compared to the 200 million exposed in the Court Ventures financial data breach in April 2014. There have been reports of suicide as a result of the exposure of data from the Ashley Madison breach - possibly the worst social consequences of security breaches to date.
Hackers are not the only ones to blame however, people with very legitimate reasons to have access to sensitive information can sometimes be corrupted into doing bad things with it. One of the hardest resources to secure can be your own staff. All it takes is one disgruntled employee with the right credentials and a USB stick, and all your corporate secrets, data, finances, dirty laundry, everything, can be exposed to the world. According to a recent survey, one third of staff would sell corporate data for the right price.
There are some simple security considerations that need to be built into every application. But even before that, have a look at the companies themselves. Have a look at this beautiful interactive info-graphic, which shows just how much data has been leaked in recent years:
Specifically, have a look at how many security breaches were not due to hackers. Scary huh!
Vetting your staff is absolutely essential these days, especially if those staff will be in a position to gain privileged access to data. In all cases, access to restricted material should be monitored and logged, so that all cases of access can be linked to the user and subsequently a reason for the access. Uber's God-Mode is a perfect example of how unrestricted access can lead to devastating effect on a companies image, even if no data is stolen.
As for data theft, it may seem like overkill, but restricting the way data can be released can go along way to ensuring you've closed as many holes as possible. Restricting access to USB ports on company hardware, file-sharing websites like Mega, DropBox, Google Drive, and having strict BYOD policies with management capability, enabling sensitive corporate data to be wiped when devices are lost, stolen or when employees leave the company, can really save the day.
There are some elementary steps you can take to ensure an extra level of protection given that at some point in time someone, internal or external will obtain access to your data..
- Encrypt sensitive data
This may come at an overhead, having to decrypt information when required for use in application, communications etc. however, regardless of how the data is collected or distributed, leaving personally identifiable, regulated or sensitive data unencrypted is like dumping sensitive papers in the rubbish - anyone who wants it, can just take it.
It may not require total encryption either. For example to protect customer identities, you could encrypt their address details, phone numbers and surnames. None of this information should be required on a regular basis. On those occasions you do need to view this data, decrypting a few kilobytes of data then displaying it only adds milliseconds of overhead to the process.
You can even build encryption into your applications login process so email addresses used as login credentials do not need to be exposed.
- Control access to and use of sensitive data
People need access to data - that's part of why you collect it in the first place. But restricting access to and auditing access of that data can go a long way to preventing breaches. At the least, by tracking who access what, when and why you'll have an audit trail that can be used if you do face a data leak. But additionally, users who know their actions are being audited are much less likely to risk doing anything nefarious or below-board in the first place.
If you have the right systems in place, you can even go so far as to monitory the ability of users to copy/paste, take screen-shots or transmit data. It sounds like overkill, but one record or two hundred million records being leaked could result in the same disastrous outcome.
Isolate sensitive data
Whether used as part of your applications or simply part of your corporate data collection practices, sensitive information should be kept separate to benign data, serving to both reduce the risk of sensitive data being exposed, and to complicate the ability of anyone to relate the data to actual people or events without information on how the applications handle and relate data internally.
Enforce security policies
A few obvious points here:
- Auditing policies;
- Internal computer policies;
- Password policies;
- Email and communication policies;
- Secure document management;
- Security information packs/training for all staff;
- Anti-Virus software;
- Network/Perimeter security;
- File transfer monitoring and restrictions;
- Application roles and entitlements;
ComputerWorld: Three steps CIOs should take to protect corporate data
Wall Street Journal: Five Simple Steps to Protect Corporate Data
Small Business Computing: 15 Data Security Tips to Protect Your Small Business
Symantec (PDF): 8 Tips to Protect Your Business and Secure Its Data