How to Prevent Data Breaches: 6 Best Practices

It’s not “if” a data breach occurs, but “when”. Learn the 6 best practices that help prevent a data breach and help your organization prepare for one.


If your organization handles customer information, preventing data breaches by following best practices and a suitable NIST framework must be a top priority. Unfortunately, data breaches remain commonplace even as cybersecurity standards and methods continue to improve, and the result of a breach can be catastrophic for an organization, both financially and in terms of reputation.


Understanding the full cost of a data breach is the first step in raising organizational awareness. Learning the six best practices below will then help your organization establish a plan of action. After all, preparation is the key to success.


The Cost of Data Breaches


The Ponemon Institute’s 2021 Cost of a Data Breach report (published with IBM Security) uncovered a number of unsettling statistics about the true cost of data breaches. By analyzing breach costs reported by more than 530 organizations across 17 countries and regions and 17 industries, the researchers established the following global benchmarks:

  • Average total cost of a data breach: USD 4.24 million
  • Most expensive country for data breaches: United States, USD 9.05 million
  • Most expensive industry: Healthcare, USD 9.23 million
  • Average number of days to identify and contain a data breach: 287

Other noteworthy findings: the average cost of a data breach rose ten percent year over year, and the cost per breached record is now $180, up from $146 in 2020. Globally, healthcare has the highest breach costs, up 29% in the past year and the highest of any industry for the eleventh consecutive year.


Beyond the direct financial hit, the largest single component of breach cost is lost business. Across all industries, lost business averaged $1.59 million, or 38 percent of the total cost of a breach. Customers often feel betrayed or misled about an organization’s security practices after their data is compromised, and many move to a competitor with a better, or at least perceived-to-be-better, security posture.


The 6 Best Practices for Avoiding Data Breaches


Managing your organization’s cyber-risk is a multi-faceted, whole-organization effort that requires every member of staff, from top to bottom. With the large majority of breach incidents reported as involving human error (95% is the commonly cited figure), implementing these practices can help your organization stop costly breaches before they occur.

1. Involve employees in protecting your data with regular training.

Human error is the most common cause of data breaches, so an educated workforce is your best defense against these slip-ups. An organization’s security is only as good as the least knowledgeable person with access to its networks and databases. Training should cover the policies and procedures in place for cyber threats and explain each employee’s role in responding to a security incident. Regular training on encrypting data, choosing strong passwords, handling and storing data correctly, and avoiding malware empowers employees to avoid costly mistakes. Work with your security and human resources teams to maintain a resource that informs employees about new scams and risks as they emerge, with particular attention to phishing and malicious or compromised websites.

2. Data retention: keep only what you need.

Criminals can only steal information that your organization actually holds and that a compromised account or system can reach. Limiting what you collect, and where it lives, minimizes the risk of valuable client information being stolen. This involves steps such as:


  • Inventorying the type and quantity of information held in company files and computers
  • Collecting only what is necessary and refusing irrelevant or unnecessary data
  • Reducing the volume of information retained
  • Minimizing the number of places where personal, private data is stored
  • Knowing what information your organization keeps and where it is stored


Store records only for as long as your legal, regulatory and audit obligations require. If you still need the data after that, archive it in a secure location with restricted access rather than leaving it on live systems.

By keeping the depth and volume of the information you collect slimmed down, you deny an intruder the full profile of a person that they would need to exploit the stolen data.
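The inventory and retention steps above can be partly automated. The following is an added example, not code from the original post: it scans constructed file contents for two classes of personal data (payment card numbers validated with the Luhn checksum so random digit runs are not reported, and US-style SSNs), records where they live, and checks each file against an assumed retention period. The file paths, contents, dates and retention periods are all invented for the illustration.

```python
"""Inventory where personal data lives and flag what is past retention.

Added illustration, not code from the original post. The file contents,
paths and retention periods below are constructed for the example.
"""
import re
from datetime import date

# Assumed retention policy (days) per data class. Real values come from
# your legal, regulatory and audit obligations, not from this example.
RETENTION_DAYS = {"payment_card": 90, "ssn": 365 * 7}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")   # 14-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled.
    Filters most random digit runs out of the card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Counts of each PII class present in one document (empty if none)."""
    found = {"payment_card": 0, "ssn": 0}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found["payment_card"] += 1
    found["ssn"] = len(SSN_RE.findall(text))
    return {k: v for k, v in found.items() if v}


def inventory(files: dict, today: date) -> list:
    """files: path -> (last_modified, contents). One row per file that
    holds PII, with a verdict from the retention policy."""
    rows = []
    for path, (modified, text) in files.items():
        pii = find_pii(text)
        if not pii:
            continue
        age = (today - modified).days
        # The shortest retention period among the classes present governs.
        limit = min(RETENTION_DAYS[k] for k in pii)
        verdict = "purge_or_archive" if age > limit else "retain"
        rows.append({"path": path, "pii": pii, "age_days": age, "verdict": verdict})
    return rows


# Constructed sample "files" for the example (test card numbers, not real data).
SAMPLE_FILES = {
    "shared/orders-2019.csv": (date(2019, 3, 1),
        "order,card\n1001,4111 1111 1111 1111\n1002,4012-8888-8888-1881\n"),
    "hr/onboarding.txt": (date(2023, 9, 15), "new hire 123-45-6789 start Monday\n"),
    "eng/build.log": (date(2024, 1, 2), "build 1234567890123456 finished\n"),
}
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES, SAMPLE_TODAY):
        print(row)
```

Running it lists the orders file (two card numbers, well past the assumed 90-day limit) and the onboarding note (one SSN, still within retention), and skips the build log because its digit run fails the Luhn check. A real scan would walk the file servers, databases and cloud buckets that make up your inventory rather than an in-memory dict.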

3. Secure company computers and networks with a suitable NIST framework.


All company computers should operate under strict security controls. Password protection and lock-out functions, which require re-authentication after a period of inactivity, keep devices secure both in and out of the office; a separate control, account lockout or throttling after repeated failed logins, blunts brute-force attempts to guess credentials. Employees should never leave a device unattended while logged in. This is especially important with the increase in remote work since the COVID-19 pandemic.
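To make the two controls concrete, here is an added example (not code from the original post) that models both: an idle-session timer that forces re-authentication, and an account lockout whose duration doubles with each lockout up to a cap, in the spirit of the failed-attempt throttling NIST SP 800-63B calls for. The thresholds (15 minutes idle, 5 failures, 60 s base lock, 1 hour cap) and the attacker’s 0.1 s guess interval are assumptions for the illustration; set your own from policy.

```python
"""Account lockout and idle-session expiry.

Added example, not code from the original post. The thresholds are
assumptions chosen to illustrate NIST SP 800-63B style throttling.
"""
from dataclasses import dataclass

IDLE_LIMIT_S = 15 * 60     # assumed: re-authenticate after 15 min idle
MAX_FAILURES = 5           # assumed: lock after 5 consecutive failures
LOCK_BASE_S = 60           # assumed: first lock 60 s, doubling each time
LOCK_CAP_S = 3600          # assumed: never lock longer than one hour


@dataclass
class Account:
    failures: int = 0          # consecutive failures since last success or lock
    lockouts: int = 0          # how many times this account has been locked
    locked_until: float = 0.0  # epoch-style seconds; 0 means not locked


@dataclass
class Session:
    last_activity: float
    active: bool = True


class AuthGuard:
    def __init__(self):
        self.accounts = {}

    def login(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked'."""
        acct = self.accounts.setdefault(user, Account())
        if now < acct.locked_until:
            # Refuse before checking the password: a locked account must not
            # tell the attacker whether the guess would have been right.
            return "locked"
        if password_ok:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.lockouts += 1
            delay = min(LOCK_BASE_S * 2 ** (acct.lockouts - 1), LOCK_CAP_S)
            acct.locked_until = now + delay
        return "denied"

    @staticmethod
    def touch(session: Session, now: float) -> bool:
        """Call on every request; expires sessions idle past the limit."""
        if session.active and now - session.last_activity > IDLE_LIMIT_S:
            session.active = False
        if session.active:
            session.last_activity = now
        return session.active


def brute_force_seconds(n_guesses: int, guess_interval: float = 0.1) -> float:
    """Wall-clock seconds an online attacker needs to submit n wrong guesses
    against one account when it has to wait out every lockout."""
    guard = AuthGuard()
    now, made = 0.0, 0
    while made < n_guesses:
        if guard.login("victim", False, now) == "locked":
            now = guard.accounts["victim"].locked_until   # wait it out
            continue
        made += 1
        now += guess_interval
    return now


if __name__ == "__main__":
    print(f"100 guesses, no throttling: {100 * 0.1:.1f} s")
    print(f"100 guesses, with lockout:  {brute_force_seconds(100):.0f} s")
```

With these numbers, 100 guesses that would take 10 seconds unthrottled take roughly 14 hours, and the cost keeps growing with every lockout. One caveat a practitioner should keep in mind: per-account lockout lets an attacker who knows usernames lock legitimate users out deliberately, so production systems usually combine it with per-source throttling and alerting rather than relying on it alone.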

For network security, investing in a personal or corporate VPN helps keep data secure by encrypting it in transit across untrusted networks. A VPN creates an encrypted tunnel between two endpoints, such as an employee’s home and the office network. With the prevalence of Wi-Fi hotspots, some legitimate and some not, in today’s remote world, such a tunnel is important for protecting company and employee mobile devices from eavesdropping and tampering on networks you do not control.

4. Implement intrusion detection, logging and monitoring.

Intrusion detection and prevention should be in place for all mission-critical systems and for any system reachable from the internet: web servers, e-mail systems, servers that hold customer or employee data, and Active Directory domain controllers. With these checks in place, team members can alert your organization’s security management at the first hint of a breach.

If you aren’t already gathering logs, auditing Active Directory (AD) changes, and feeding that information into security information and event management (SIEM) technology, now is the time to start. Logs reveal suspicious activity and are also a critical part of compliance; many cybersecurity frameworks require some degree of log collection and management.

By gathering and analyzing logs, organizations can catch risky activity early, and the same logs let responders build a timeline of events after the fact. With alerts set up to flag anomalies, the security team can take a closer look, which may reveal an intruder or unsafe or malicious behavior by an insider such as an employee or a partner.
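As an added example of what those alerts look like in practice (not code from the original post), the following correlates two constructed log sources, SSH authentication lines and simplified Active Directory audit records, into one timeline and applies two SIEM-style rules: a successful login from a source that just failed repeatedly against the same account, and the addition of a member to a privileged group (Windows events 4728, 4732 and 4756 record membership additions to global, local and universal security groups). The host names, addresses, account names, line format and rule thresholds are all assumptions for the illustration.

```python
"""Build a timeline from auth and AD audit logs and raise alerts on two
patterns a SIEM rule would catch. Added example, not code from the
original post; the log lines are constructed and the thresholds assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 4                     # assumed: 4+ failures ...
FAILED_WINDOW = timedelta(minutes=5)     # ... within 5 min, then a success
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}   # member added to a security group

SSH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
AD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ EventID=(?P<eid>\d+) Subject=(?P<subject>\S+) "
    r"Member=(?P<member>\S+) Group=(?P<group>.+)$")


def parse(line: str):
    """Normalize one raw line into a dict, or None if it is not recognized."""
    for kind, rx in (("ssh", SSH_RE), ("ad", AD_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            return ev
    return None


def timeline(lines):
    """Parsed events in time order, whatever order they were collected in."""
    return sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])


def detect(events):
    """Run both rules over a time-ordered event list; return the alerts."""
    alerts = []
    failures = defaultdict(list)      # (user, src) -> failure timestamps
    for e in events:
        if e["kind"] == "ssh":
            key = (e["user"], e["src"])
            if e["result"] == "Failed":
                failures[key].append(e["ts"])
                continue
            # A success resets the counter; alert if it followed a burst.
            recent = [t for t in failures.pop(key, []) if e["ts"] - t <= FAILED_WINDOW]
            if len(recent) >= FAILED_THRESHOLD:
                alerts.append({"rule": "brute_force_success", "ts": e["ts"],
                               "user": e["user"], "src": e["src"],
                               "failures": len(recent)})
        elif e["eid"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "ts": e["ts"],
                           "subject": e["subject"], "member": e["member"],
                           "group": e["group"]})
    return alerts


# Constructed sample log lines (documentation addresses, invented hosts/users).
SAMPLE_LOGS = [
    r"2024-05-02T09:14:03Z web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    r"2024-05-02T09:14:05Z web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    r"2024-05-02T09:14:08Z web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51127 ssh2",
    r"2024-05-02T09:14:11Z web01 sshd[2210]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    r"2024-05-02T09:14:20Z web01 sshd[2210]: Accepted password for admin from 203.0.113.7 port 51190 ssh2",
    r"2024-05-02T09:10:00Z web01 sshd[2201]: Failed password for alice from 198.51.100.5 port 40001 ssh2",
    r"2024-05-02T09:10:30Z web01 sshd[2201]: Accepted password for alice from 198.51.100.5 port 40002 ssh2",
    r"2024-05-02T09:16:02Z dc01 EventID=4728 Subject=CORP\admin Member=CORP\svc-backup Group=Domain Admins",
    r"2024-05-02T09:16:40Z dc01 EventID=4728 Subject=CORP\hr-admin Member=CORP\bob Group=HR Staff",
]

if __name__ == "__main__":
    events = timeline(SAMPLE_LOGS)
    for e in events:
        print(e["ts"].isoformat(), e["kind"], {k: v for k, v in e.items() if k not in ("ts", "kind")})
    for a in detect(events):
        print("ALERT", a)
```

On the sample, alice’s single typo followed by a successful login produces nothing, while the four rapid failures and then a success for admin from 203.0.113.7, followed a couple of minutes later by that admin account adding a service account to Domain Admins, produce two alerts that read as one intrusion story when viewed on the timeline. That pairing of authentication logs with AD change auditing is exactly what the paragraph above asks for; in a real deployment the rules would run inside the SIEM against normalized events rather than on hand-written regexes.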

5. Require the compliance of third-party vendors.

Any outside vendor with access to sensitive information that flows through your organization must be held to the same standards as your own company. Work only with parties that hold the appropriate security certifications and attestations (for example, a SOC 2 report or ISO 27001 certification). Vendors lacking them may be cheaper to partner with, but this is the wrong place to cut costs: a less-than-reputable partner increases your exposure to breaches and to lawsuits from affected customers. Any reputable vendor will offer transparency about its controls; if one does not, treat that as a red flag. For further guidance, review NIST’s supply chain risk management guidance, such as SP 800-161, for best practices in vendor selection and management.

6. Conduct regular audits and penetration tests on your cybersecurity framework.

Regardless of the industry your organization operates in, regular audits that look for gaps in controls or governance help validate your cybersecurity measures. A security audit, of which there are many types, examines both the overall nature of your organization and how it handles information security. Penetration tests complement audits: skilled testers attempt to breach your systems the way an attacker would, surfacing weaknesses that a document review alone will not find.
