Data breaches are expensive; that isn’t a surprise to anyone. The top 13 breaches of last year alone cost the affected companies more than $32 billion. After the initial incident, the exposed information can take on new lives. Once the data is out there, it is completely exposed, and the backlash of a breach can seem never-ending and be costly well beyond the initial event.
The only real way to save money and keep security costs low is to take preventive steps to avoid common vulnerabilities and to minimize their impact. A good enterprise security solution will keep your information secure, will allow you to maintain your business’ reputation, and will cost significantly less than a data breach. The damage of a breach goes well beyond fines and fees. Fines and fees are certainly an issue, but we now see breaches impacting consumer confidence and company share prices. Unfortunately, for many organizations, security improvements and overhauls seem overwhelming, and few initiatives get off the ground unless there is a significant problem. At that point, the damage is already done.
Luckily, as 2016 is underway, reducing the number of hacks is becoming an important item on the enterprise agenda this year. Here are five best practices to consider for your 2016 security plan.
Enterprise security is a cross-departmental problem that affects many different stakeholders. Everyone from the C-suite to Operations, Development, and Security needs to be on the same page before any action takes place. This means your organization’s security requirements need to be carefully outlined and agreed upon while aligning with each department’s strategic goals for the year. Remember to approach these discussions with a sense of collaboration and without any confrontation.
Create Success Metrics
Once aligned, how can you determine if you are succeeding? Creating a series of success metrics will help align your team as well as demonstrate if you are improving along the way. Some meaningful metrics you may consider tracking are as follows:
- The percentage of servers with automated credentials management
- The number of users with privileged access
- The time it takes to create and secure a production environment
Define Roles and Access Policies
Role-based access control (RBAC) is another key component in preventing data breaches. Clearly defined roles and access policies for users and applications can ensure that all exposure to data is appropriate and based on a well-defined set of policies. A well-defined policy will scale with your organization and allow you to easily maintain privileged access management in the future.
Identify, Authorize, and Audit Everything
By identifying all the elements in your environment and assigning them roles via your policy, you will easily be able to audit who has access to what and when. This workflow enables you to automate your development and operations processes for engineering velocity while enforcing security policies. The increased transparency is especially important in highly regulated industries, in which compliance is just as important as deployment speed.
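To make the three preceding practices concrete (the success metrics, the role-based policy for users and applications, and the identify-authorize-audit workflow), here is an added illustration in Python; it is not Conjur's policy language or API, and the role names, identities and `secret:...` resource ids are constructed sample data. It denies by default, records every authorization decision for later audit, answers "who has access to what", and derives the "identities with privileged access" metric directly from the policy.

```python
from datetime import datetime, timezone

# Constructed sample policy: role -> identities (users and applications alike).
ROLE_MEMBERS = {
    "ops-admin": {"alice"},
    "deploy-bot": {"ci-runner"},   # an application gets a role, not a shared password
    "developer": {"bob", "carol"},
}
# Constructed grants: (role, privilege, resource). Anything not listed is denied.
GRANTS = {
    ("ops-admin", "read", "secret:prod/db-password"),
    ("ops-admin", "update", "secret:prod/db-password"),
    ("deploy-bot", "read", "secret:prod/db-password"),
    ("developer", "read", "secret:dev/db-password"),
}
AUDIT_LOG = []  # one record per authorization decision, allowed or not

def roles_of(identity):
    """All roles an identity is a member of; unknown identities have none."""
    return {role for role, members in ROLE_MEMBERS.items() if identity in members}

def is_permitted(identity, privilege, resource):
    """Deny by default; allow only via an explicit grant, and log every decision."""
    allowed = any((role, privilege, resource) in GRANTS for role in roles_of(identity))
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "identity": identity, "privilege": privilege,
        "resource": resource, "allowed": allowed,
    })
    return allowed

def who_can(privilege, resource):
    """Audit question 'who has access to what': identities holding the privilege."""
    roles = {role for role, priv, res in GRANTS if priv == privilege and res == resource}
    return sorted({ident for role in roles for ident in ROLE_MEMBERS.get(role, ())})

def privileged_identity_count(resource_prefix="secret:prod/"):
    """Success metric: distinct identities with any privilege on production resources."""
    roles = {role for role, _, res in GRANTS if res.startswith(resource_prefix)}
    return len({ident for role in roles for ident in ROLE_MEMBERS.get(role, ())})

if __name__ == "__main__":
    print(is_permitted("alice", "update", "secret:prod/db-password"))  # True
    print(is_permitted("bob", "read", "secret:prod/db-password"))      # False
    print(who_can("read", "secret:prod/db-password"))                  # ['alice', 'ci-runner']
    print(privileged_identity_count())                                 # 2
```

The audit log captures denials as well as grants, which is what makes "who tried to reach what, and when" answerable after the fact rather than only "who was allowed".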
Measure, Iterate, and Improve
Your organization will not master data security with its first effort. It is important to realize that securing your applications and infrastructure is an iterative process that needs to be closely monitored and improved upon. Leveraging tools like dashboards and reporting can provide a quick snapshot of your key metrics and enable you to communicate your progress effectively across stakeholders. Setting up a regularly scheduled meeting to review the execution of your data security initiative and how it aligns with your overall business and security goals is vital. Don’t be afraid to re-assess the set of metrics and processes periodically if you find security traction stalling.
Although the information in the infographic above seems daunting, data breach prevention is possible. By starting with these five best practices and finding the proper tooling for your teams, you can help keep your infrastructure secure and mitigate the costs associated with a hack.
Elizabeth Lawler is CEO and Co-founder of Conjur, Inc., a security company which focuses on security for next generation infrastructure. Elizabeth has over 20 years of experience working in highly regulated and sensitive data environments. Prior to founding Conjur, Elizabeth was Chief Data Officer of Generation Health and held a leadership position in research at the Department of Veterans Affairs. She has been a programmer herself and is constantly working to make software development and IT systems easier to manage for people working in regulated industries.
Elizabeth is a member of the MassTLC Security Advisory Board.
Subscribe to Data Informed for the latest information and news on big data and analytics for the enterprise.