by Anne Grahn
In an era where major data breaches seem to be commonplace in the headlines, developing a modern cyber security strategy is an absolute must for today’s enterprises. Many organizations are putting a renewed focus on security in 2015, and it starts by assessing vulnerabilities and formulating a plan.
Here are 10 tips to help you secure your data:
1. Assess your vulnerabilities.
Addressing the volume and evolution of cyber attacks is daunting. It requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them. By understanding their risks, organizations can target limited security dollars and resources.
2. Get actionable insight.
Security analytics are ushering in an era of predictive insight, offering us the opportunity not only to collect large amounts of previously untapped data, but also to understand it and take advantage of its value. Integrated intelligence gained through the evaluation of all types of data — internal and external, security and non-security — can help us harness the most relevant information and find hidden correlations in the attacks being perpetrated against us.
3. Assume you have already been breached.
Social networking, cloud computing, mobile devices and the ubiquity of information have shifted information technology (IT) paradigms and opened new avenues of attack. Learn the critical elements of a successful advanced persistent threat (APT) defense strategy, assemble the right team and implement the plan.
4. Use identity and access management to fill gaps left by the traditional perimeter.
Users and their identities are the most vulnerable link in a network. For today’s chief information security officers (CISOs), the challenge of identity and access management (IAM) is managing the identities and privileges of an increasingly diverse group of users that use a multitude of devices to log into systems both inside and outside the enterprise. IAM technology can generate the intelligence about identity and access activities you need to increase your understanding of broader security events and advance your overall security posture.
5. Develop a comprehensive data loss prevention strategy.
Data loss prevention (DLP) identifies, monitors and protects data in use; data in motion on your network; and data at rest in your data storage area or on desktops, laptops, mobile phones or tablets. It can help you transform sensitive data into an operational asset and prevent your organization from making the wrong kind of headlines.
6. Embrace mobile devices in the workplace, but don’t overlook the challenges.
Employees aren’t just bringing their mobile devices to the workplace ± they’re living on them. CISOs and other security executives are finding that the proliferation of mobile devices and cloud services are their biggest barriers to effective breach response. In order to secure the corporate data passing through or residing on mobile devices, it is imperative to fully understand the issues they present.
7. Subdue cyber attackers without cyber war.
We are still on the proverbial frontier of the legal doctrine surrounding self-defense in cyber space. But, that doesn’t mean we have to stand by while our intellectual property is being stolen and leveraged against us. Your organization can stave off cyber attacks by proactively enhancing your staff and defenses, gathering intelligence, taking advantage of the right services and pursuing a carefully considered continuum of mitigative actions that will help you protect your brand.
8. Defensive deception can be an important part of your security strategy.
We can use our enemies’ most valuable tool against them and deploy defensive deception methods to detect hackers and make it more difficult, time consuming and cost-prohibitive for them to attack. With the right tactics, security professionals can make cyber attackers feel like they have successfully hacked, when in reality they have fallen into a trap.
9. Remember: Visibility is an advantage.
Cyber attackers are trying to gain access, whereas we already have it. All of our processes should take advantage of this head start. Rather than attempting to emulate the attacker, instead we can understand that an attacker is only an agent of an event, and an event can be defined as a collection of data points with probabilities and impacts.
10. Work with a managed services partner to fill skill gaps and extend your team.
A managed security services provider doesn’t replace the internal IT team. Instead, it augments the existing team by providing the expertise, threat modeling and other compliance and protection services needed to mitigate risk in line with regulatory obligations and business goals. It is much harder to bounce back from business interruptions or unexpected losses caused by IT security gaps. The cost of avoiding such threats is typically much less than the cost of recovering from them.
Anne Grahn is the Communications Specialist at Forsythe Security Solutions. In her role, Anne is responsible for security communications within Forsythe’s IT Risk Management line of business. She has worked in the IT industry for more than a decade, and has extensive writing and editing experience. She previously worked for Oracle Consulting, and as a freelance writer contributed to white papers and articles on topics that range from Oracle’s Global Single Instance to combat aviation.