Protecting against data breach costs
Preventing a breach is the best-case scenario, but even the most diligent and well-funded organizations can’t avoid every vulnerability, every phish, and every system glitch. While managing a cybersecurity program is complex, here are the top 5 ways organizations can mitigate both the likelihood and the costs of a data breach:
Learn your networks
Between network sprawl, cloud and container adoption, shadow IT, IoT, BYOD, and myriad other acronymed business use cases, organizations often don’t have full visibility into what’s communicating on their networks, much less where sensitive information resides, and how or with what it’s communicating.
To manage networks, organizations must:
- Achieve full visibility into all assets present and communicating
- Map data and application flows
- Establish baseline “normal” activity per the business
The above steps are essential to identifying (then stopping) anomalous behavior. Asset inventories and communication mapping can be automated so that the organization always maintains an up-to-date, real-time view into what’s happening on their networks, regardless of infrastructure or deployment.
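The three steps above, worked through in code as an added example (this is not code from the original article): build an asset inventory and a service-to-client communication map from flow records, treat the first set of records as the baseline of "normal", then flag later flows that involve a never-inventoried host or a known host using a path it never used before. The IP addresses, ports and flow lines are constructed for the example, not real traffic.

```python
# Added example (not from the original article): build an asset inventory and
# communication map from constructed flow records, establish a baseline of
# "normal" flows, then flag anything outside it.
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, proto), in the shape a
# NetFlow-style collector might export them. Not real traffic.
BASELINE_FLOWS = """\
10.0.1.10 10.0.2.20 443 tcp
10.0.1.11 10.0.2.20 443 tcp
10.0.2.20 10.0.3.30 5432 tcp
10.0.1.10 10.0.9.9 53 udp
10.0.1.11 10.0.9.9 53 udp
"""

# Flows observed later, constructed to include one never-seen host and one
# workstation connecting straight to the database tier.
OBSERVED_FLOWS = """\
10.0.1.10 10.0.2.20 443 tcp
10.0.1.10 10.0.3.30 5432 tcp
10.0.7.77 10.0.9.9 53 udp
10.0.2.20 10.0.3.30 5432 tcp
"""


def parse_flows(text):
    """Turn whitespace-separated flow lines into (src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto = line.split()
        flows.append((src, dst, int(port), proto))
    return flows


def build_inventory(flows):
    """Asset inventory: every address seen talking or being talked to."""
    assets = set()
    for src, dst, _, _ in flows:
        assets.update((src, dst))
    return assets


def map_flows(flows):
    """Communication map: service (dst, port, proto) -> set of client addresses."""
    services = defaultdict(set)
    for src, dst, port, proto in flows:
        services[(dst, port, proto)].add(src)
    return services


def find_anomalies(baseline_flows, observed_flows):
    """Return observed flows that fall outside the baseline, grouped by reason.

    'new_asset': a host never seen during the baseline period
    'new_path':  known hosts talking over a (src, dst, port, proto) combination
                 that never appeared during the baseline period
    """
    known_assets = build_inventory(baseline_flows)
    known_paths = set(baseline_flows)
    anomalies = {"new_asset": [], "new_path": []}
    for flow in observed_flows:
        src, dst, _, _ = flow
        if src not in known_assets or dst not in known_assets:
            anomalies["new_asset"].append(flow)
        elif flow not in known_paths:
            anomalies["new_path"].append(flow)
    return anomalies


if __name__ == "__main__":
    base = parse_flows(BASELINE_FLOWS)
    print("inventory:", sorted(build_inventory(base)))
    for svc, clients in sorted(map_flows(base).items()):
        print("service", svc, "<-", sorted(clients))
    for reason, flows in find_anomalies(base, parse_flows(OBSERVED_FLOWS)).items():
        for flow in flows:
            print(reason, flow)
```

Run against the constructed data, the unknown host 10.0.7.77 is reported as a new asset and the workstation-to-database connection as a new path; both are exactly the kind of deviation the baseline exists to surface, and in production the same logic would run continuously over the collector's export rather than over a static string.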
Flat, overly permissive networks have been the conduit for many mega breaches. If an attacker can successfully penetrate the perimeter using a system vulnerability (e.g., unpatched Apache Struts) or a targeted phishing email that yields stolen valid user credentials, they gain access to the “crown jewels” unless additional protections have been placed around them.
Network segmentation and microsegmentation place barriers in front of data, systems, applications, hosts, and other valuable system resources and prevent lateral movement. Creating secure zones that can only be accessed through zero trust permissions (end user and system) ensures that adversaries can’t tamper with the network or gain unauthorized access to sensitive data which, if leaked, destroyed, or stolen, could cost the company millions in breach costs.
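As an added illustration of the segmentation point (example code written for this page, not from the original article), the following assigns hosts to zones and allows only explicitly listed zone-to-zone services, each tied to the principals permitted to use it, with everything else denied by default. A "flat" evaluator is included beside it to show what the absence of a barrier means. Zone names, addresses, ports and principals are constructed.

```python
# Added example (not from the original article): a small microsegmentation
# policy. Hosts belong to zones; only listed (zone, zone, port, proto)
# services are reachable, and only by the principals named on the rule.
# All values are constructed for illustration.

# Asset -> zone assignment (constructed).
ZONES = {
    "10.0.1.10": "workstations",
    "10.0.1.11": "workstations",
    "10.0.2.20": "web",
    "10.0.3.30": "database",
    "10.0.4.40": "jump-host",
}

# Allow rules: (src_zone, dst_zone, dst_port, proto, permitted principals).
# Anything not matched is denied; there is no broad "internal -> any" rule.
RULES = [
    ("workstations", "web", 443, "tcp", {"employee", "admin"}),
    ("web", "database", 5432, "tcp", {"svc-web"}),
    ("jump-host", "database", 22, "tcp", {"admin"}),
]


def evaluate(src_ip, dst_ip, port, proto, principal):
    """Return (allowed, reason) for one attempted connection under the zone policy."""
    src_zone = ZONES.get(src_ip)
    dst_zone = ZONES.get(dst_ip)
    if src_zone is None or dst_zone is None:
        # Un-inventoried assets never get an implicit path.
        return False, "unknown asset"
    for rule_src, rule_dst, rule_port, rule_proto, principals in RULES:
        if (src_zone, dst_zone, port, proto) == (rule_src, rule_dst, rule_port, rule_proto):
            if principal in principals:
                return True, f"{src_zone}->{dst_zone}:{port}/{proto} for {principal}"
            return False, f"path allowed but principal {principal!r} not permitted"
    return False, f"no rule for {src_zone}->{dst_zone}:{port}/{proto}"


def evaluate_flat(src_ip, dst_ip, port, proto, principal):
    """What a flat network does: any host reaches any other host on any port."""
    return True, "flat network, no barrier"


if __name__ == "__main__":
    attempts = [
        ("10.0.1.10", "10.0.2.20", 443, "tcp", "employee"),   # normal web use
        ("10.0.1.10", "10.0.3.30", 5432, "tcp", "employee"),  # workstation straight to DB
        ("10.0.2.20", "10.0.3.30", 5432, "tcp", "svc-web"),   # web tier to DB, as designed
        ("10.0.2.20", "10.0.3.30", 5432, "tcp", "employee"),  # right path, wrong identity
        ("10.0.8.88", "10.0.3.30", 5432, "tcp", "admin"),     # never-inventoried host
    ]
    for attempt in attempts:
        print(attempt, "flat:", evaluate_flat(*attempt)[0], "segmented:", evaluate(*attempt))
```

The point of checking both the network path and the principal on every rule is the "end user and system" half of the sentence above: a stolen workstation credential on the right subnet still cannot reach the database, because neither the zone pair nor the identity is on an allow rule.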
Control access to sensitive data and systems
Pursuant to the point above, tightly controlling access to system resources is a key to preventing data breaches. Most security and network practitioners automatically think “end user” when they think about access, but it’s important to remember that system resources require access permissions to function properly.
As such, companies should implement least privilege access for all users and systems communicating on and across their networks. Limiting who/what has access to resources reduces the probability of a breach and makes it easier to detect when an adversary is attempting access. To bolster protection, organizations should also consider time-bound sessions, especially for administrative access. Admins should be required to re-authenticate using two-factor authentication after a certain period of time, thereby reducing the amount of dwell time an attacker can achieve. (Remember our statistic from above regarding mean time to identify a data breach.)
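An added example (not code from the original article) of the two controls in this section: role-based permissions where a service account gets exactly what its function needs and anything unlisted is denied, and time-bound administrative sessions that stop working until the admin completes a fresh second-factor check. The roles, permission names, the 15-minute step-up window and the 8-hour session cap are constructed policy values, not recommendations from the article.

```python
# Added example (not from the original article): least-privilege permission
# checks for users and service accounts, plus time-bound administrative
# sessions that require a fresh second factor after a fixed interval.
# Roles, permissions and timings are constructed for illustration.
import time

# Role -> permissions. The web tier's service account can read customer
# records but never write or export them; unlisted permissions are denied.
ROLES = {
    "employee": {"read:tickets"},
    "svc-web": {"read:customers"},
    "dba": {"read:customers", "write:customers", "export:customers"},
}

ADMIN_ROLES = {"dba"}
ADMIN_REAUTH_SECONDS = 15 * 60      # constructed: step-up 2FA every 15 minutes
SESSION_MAX_SECONDS = 8 * 60 * 60   # constructed: hard cap on any session


class Session:
    def __init__(self, principal, role, now, mfa_verified):
        self.principal = principal
        self.role = role
        self.started = now
        self.last_mfa = now if mfa_verified else None

    def step_up(self, now, mfa_verified):
        """Record a fresh second-factor check after the user re-authenticates."""
        if mfa_verified:
            self.last_mfa = now


def authorize(session, permission, now):
    """Return (allowed, reason); deny is the default for anything unlisted."""
    if now - session.started > SESSION_MAX_SECONDS:
        return False, "session expired"
    if permission not in ROLES.get(session.role, set()):
        return False, f"{session.role} lacks {permission}"
    if session.role in ADMIN_ROLES:
        # Admin actions need 2FA within the re-auth window, so a hijacked
        # long-lived admin session loses its value on its own.
        if session.last_mfa is None or now - session.last_mfa > ADMIN_REAUTH_SECONDS:
            return False, "admin step-up 2FA required"
    return True, "ok"


if __name__ == "__main__":
    t0 = time.time()
    web = Session("svc-web", "svc-web", t0, mfa_verified=False)
    print(authorize(web, "read:customers", t0))
    print(authorize(web, "export:customers", t0))
    dba = Session("alice", "dba", t0, mfa_verified=True)
    print(authorize(dba, "export:customers", t0 + 60))
    print(authorize(dba, "export:customers", t0 + 20 * 60))
    dba.step_up(t0 + 20 * 60, mfa_verified=True)
    print(authorize(dba, "export:customers", t0 + 21 * 60))
```

Every authorization decision is logged with its reason string in a real deployment; a burst of "admin step-up 2FA required" or "svc-web lacks export:customers" denials is the detection signal the paragraph refers to when it says limiting access makes attempted misuse easier to spot.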
Encrypt (at least) sensitive data
Looking back through the highly publicized breaches over the last ten years, it’s amazing that so many big-name, profitable companies continue to store customer data, financial data, health data, passwords, and other (often regulated) sensitive data in clear text. Encrypting data and databases is the best way to prevent a data breach, even if an attacker is able to achieve system compromise. In other words, you may not be able to keep attackers out of your networks entirely, but if the attacker can’t find what they’re after (because it’s encrypted) you’ve avoided a breach.
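Passwords are one item on the list above, and they are the one case where the right protection at rest is not reversible encryption but a salted, deliberately slow hash: a login can still be checked, yet an attacker who dumps the table gets nothing to read. The following is an added example written for this page, not code from the original article; it uses only the Python standard library, and the scrypt parameters and the sample user are constructed.

```python
# Added example (not from the original article): store passwords as salted,
# slow hashes instead of in clear text, and verify a login attempt without
# ever recovering the password. Standard library only; parameters are
# constructed for illustration.
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return a storable record of the form 'scrypt$N$r$p$salthex$hashhex'."""
    if salt is None:
        salt = os.urandom(16)   # fresh random salt per stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed user table. A clear-text table would hold the password itself;
# this one holds only what is needed to check a login attempt.
USERS_HASHED = {"alice": hash_password("correct horse battery staple")}


def login(user, password, table=USERS_HASHED):
    record = table.get(user)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    print(USERS_HASHED["alice"])   # what someone who dumps the table sees
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
```

Storing the parameters in the record is what lets the cost factor be raised later without invalidating existing users: verification reads N, r and p back from each row, and a user's record can be re-hashed with stronger settings the next time they log in successfully.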
Automated and manual testing of systems and resources is the only way to understand your network risk. Vulnerability assessments, penetration testing, and audits should be continuous and (optimally) performed by both internal and external testers. Internal users know your systems and business requirements inside and out, while external parties have the worldview of the threat landscape.
Networks change all the time, so any assessment will be a point-in-time snapshot only. This is why testing and assessments must be ongoing and conducted from different points of view. Motivated attackers will patiently conduct reconnaissance; defenders must put equal weight into understanding system and process vulnerabilities and threats, then take the time to create and execute remediation plans. Not every found vulnerability requires a patch, but preventing an intrusion and/or data breach—and skirting multimillion dollar cleanup costs—requires that organizations be fully aware of the biggest risks to their networks and attend to those that pose the greatest threat.
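The last two paragraphs describe a procedure: collect findings from internal and external assessments, treat each as a point-in-time snapshot, and attend first to the vulnerabilities that pose the greatest risk rather than to every finding. As an added example (written for this page, not the article's own method), the following ranks constructed findings by a risk score that weights raw severity by exposure and by whether the asset holds sensitive data, and sends findings whose assessment is older than a cut-off back for re-assessment instead of straight into the fix queue. The findings, weights and the 90-day window are all constructed.

```python
# Added example (not from the original article): rank vulnerability findings
# by risk rather than raw severity, and flag findings whose last assessment
# is old enough that the snapshot can no longer be trusted. Findings,
# weights and the staleness window are constructed for illustration.
from datetime import date, timedelta

# Constructed findings:
# (id, asset, cvss, exposure, holds_sensitive_data, source, last_assessed)
FINDINGS = [
    ("F-1", "web-01", 9.8, "internet", False, "external", date(2024, 5, 1)),
    ("F-2", "db-01", 7.5, "internal", True, "internal", date(2024, 5, 3)),
    ("F-3", "print-01", 9.0, "internal", False, "internal", date(2024, 1, 10)),
    ("F-4", "hr-app", 6.5, "internet", True, "external", date(2024, 5, 2)),
]

EXPOSURE_WEIGHT = {"internet": 2.0, "partner": 1.5, "internal": 1.0}
SENSITIVE_WEIGHT = 1.5
STALE_AFTER = timedelta(days=90)
TODAY = date(2024, 6, 1)   # constructed reference date for the example


def risk_score(finding):
    """Severity scaled by how reachable the asset is and what it holds."""
    _, _, cvss, exposure, sensitive, _, _ = finding
    score = cvss * EXPOSURE_WEIGHT[exposure]
    if sensitive:
        score *= SENSITIVE_WEIGHT
    return round(score, 2)


def prioritize(findings, today):
    """Return findings highest risk first, each with its score and staleness flag."""
    rows = []
    for f in findings:
        rows.append({
            "id": f[0],
            "asset": f[1],
            "source": f[5],
            "score": risk_score(f),
            "stale": today - f[6] > STALE_AFTER,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def remediation_plan(findings, today, budget):
    """Fix the top `budget` current findings now; stale ones go back for re-assessment."""
    ranked = prioritize(findings, today)
    fix_now = [r["id"] for r in ranked if not r["stale"]][:budget]
    reassess = [r["id"] for r in ranked if r["stale"]]
    return {"fix_now": fix_now, "reassess": reassess}


if __name__ == "__main__":
    for row in prioritize(FINDINGS, TODAY):
        print(row)
    print(remediation_plan(FINDINGS, TODAY, budget=2))
```

On the constructed data the internet-facing HR application with a 6.5 CVSS score outranks the internal printer with a 9.0, which is the "attend to those that pose the greatest threat" point in concrete form, and the printer's five-month-old finding is routed to re-assessment because the network it was measured on has almost certainly changed since.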