Most successful companies of today, whether enterprises, mid-market, or small small businesses, are either based online or have a firm presence online. And the reality is, just by conducting business online, any one of these companies can suffer a breach in data security. Fortunately, there are some universal rules about securing data that all companies online today can learn and benefit from.
Since Digital Guardian strives to provide data security solutions that are both diagnostic as well as proactive, we wanted to offer some data security tips that would apply to many companies doing business online. More specifically, we wanted to compile tips from data security experts on the most common (and avoidable) mistakes companies make when it comes to securing their data. To do this, we asked 30 data security experts to answer this question:
"What are the biggest mistakes companies make with data security?"
We've collected and compiled their expert advice into this comprehensive guide on data security for businesses. See what our experts said below:
Bill Rosenthal
Bill Rosenthal is the CEO of Logical Operations, which provides a library of 4,600 employee skills training and certifications programs, with a strong emphasis on cybersecurity. He has headed technology-oriented employee skills training businesses since 1986.
Here are eight big mistakes companies make with data security:
- Not staying up-to-date. You must subscribe to threat intelligence feeds and collaborate with other leaders in the field.
- Failing to train end users on how to do their job without jeopardizing the organization's critical networks.
- Being lax about constantly analyzing your organization's cybersecurity risk management policies.
- Failing to make security a frequent topic of conversation at the C-level - and tied to business objectives. Bring quantifiable metrics, such as potential lost revenues, into the conversation to help key decision makers recognize the need for additional investment in security.
- Believing that securing an organization's networks is only a matter of cybersecurity products. While useful tools, these are most effective when implemented in an environment focused on holistic security solutions.
- Making it hard to access critical data when a breach has occurred. Having easy access to this data allows an organization to determine what an attack is targeting. This allows security professionals to begin addressing the issue before it becomes front page news. There are numerous third-party tools that allow data to be visualized, providing insights to historical data trends as well as detailed real-time reports.
- Being mindless about BYOD. Cloud-based solutions, which focus on securing data, rather than devices are becoming increasingly attractive to organizations looking to maximize their employees' efficiency without sacrificing data security. Furthermore, device-based security policies, such as requiring encryption capabilities to remain enabled, can help to prevent unwanted network access.
- Failing to hold fire drills. It's necessary to prepare for disaster by establishing a set process and then putting it to practice. Identify key stakeholders and the role they will play should a catastrophic attack occur. The implementation of an incident handling and response architecture can ensure that the organization's security team, and other stakeholders for that matter, know exactly what to do when an intrusion is first detected. Once established, routinely practice so that gaps can be identified prior to the real thing.
- Working with the wrong third-party vendor. This can can be disastrous. This scenario is played out far too often. Assess your partner's security posture and provide steps to mitigate risks and patch vulnerabilities within their own networks, before they can be leveraged to access yours.
- Not remaining vigilant. It truly is a question of when, not if. If you've managed to evade cyber attackers to this point, you are either lucky or good (more likely a combination of both). Don't rest. Just as the threat landscape is constantly evolving, so too must our approaches to securing our information systems. Innovate, educate and train, and continue to fortify your organization's security perimeter. Nobody sees a major attack coming until it's too late.