Data breaches: 5 Steps To Protect Your Company in 2016 and Beyond
By David Cook
Security breaches are a fact of modern life. These days, it seems that every time an attack hits the news, companies redouble their efforts to prevent another one—only to find themselves facing an even more insidious threat the next time around. Despite media attention surrounding mega breaches in 2013 and 2014, 2015 is set to be another record-breaking year for cybercrime. It has become a high-stakes game of whack-a-mole—except, instead of hitting back at hackers, the victims themselves keep getting hammered.
The power of trust
With new threats to cloud, mobile and IoT devices on the horizon, organizations can expect even more attacks in 2016. Unfortunately, the favored strategy of prevention is no longer working. And that begs the question: if attempts to prevent attacks don’t thwart thieves, what does? While it may seem counterintuitive, for many organizations, the answer is transparency. When companies engage customers and partners in their security programs, it builds trust—and that trust has the power to stop criminals in their tracks.
The threats on the horizon
While mega breaches may get all the press, it turns out they’re not very lucrative for thieves. As the attention level for a single incident goes up, the price for the stolen information on the black market goes down. Way, way down. A record consisting of personal data taken in such a breach may fetch as little as $0.0001 on the dark web.
That’s one reason hackers are turning away from large, high-profile targets and training their sights on downstream attack vectors instead. If criminals can exploit security weaknesses in a third-party vendor, for example, they are often able to get their hands on data from a desired enterprise target (employee data, credentials, etc.)—all without attracting the attention they would have had they gone after the larger company directly.
New risks—and opportunities—in the cloud
With more and more companies moving to the cloud, the risk of these types of attacks is increasing. Instead of relying on their own security teams to protect important customer data, many companies are looking toward their cloud providers to offer them even better security instead. That’s why transparency—and collaboration—is more important than ever.
5 ways to protect your company in 2016 and beyond
It is no longer enough simply to meet the latest security standards. Nor can a top quality security program remain static. As businesses and technologies evolve, so do vulnerabilities and attack vectors. That means your security program must change with them. If it doesn’t, your company’s exposure to risk will continue to increase over time.
Here are the five ways to constantly improve your company’s security program:
1. Never be satisfied
A good security program reviews new technologies constantly. For example, instead of relying on traditional anti-malware software, you might evaluate a newer technology that observes how files behave when first executed in a cloud-hosted virtual machine sandbox. Or, because cloud providers often have better expertise and more exposure to newer security vulnerabilities, you might consider a cloud-based solution over dated on-prem appliances.
2. Share your security program with your customers
Depending on your industry, product or service, your company could benefit from letting your customers review your security program. And then listen to their feedback. Oftentimes, your customers will have expertise that can help improve your program. Although not every recommendation will be useful, being open to feedback from customers will demonstrate your ongoing commitment to them.
3. Invest in third-party audits
By investing in SOC2 Type 2 or ISO 27001 certifications, you’ll have added assurances that your security controls are being correctly designed and implemented. Successfully managing all of the individuals responsible for required security controls takes a tremendous amount of work. If something does fall through the cracks, having an external auditor identify any gaps will help ensure you are following your own controls.
4. Listen to your employees
A successful security program requires feedback from your employees. Some easy ways to engage employees include:
• Create a “security group” on your company’s intranet to foster social collaboration
• Hold monthly security meetings—and invite representatives from different business units to join in the conversation
• Facilitate discussions by sharing security ideas with the entire company
5. Learn from your mistakes
Mistakes happen. You may as well turn them into opportunities instead. That means conducting a postmortem review for each and every security incident or significant event. More importantly, create an action item list with delivery dates—and follow up for corrective actions or to identify areas that need improvement.
Other ways to protect your business
There are plenty of other things you can do to improve your security programs. The most important thing to remember is that no program is perfect. If you think yours is—that it doesn’t require constant improvement or that you don’t need to listen to customer or employee feedback—then there’s a good chance you’re exposing your company to unnecessary risks.
If customers perceive that doing business with your company is unsafe, no amount of apologies or promises of “it won’t happen again” is going to appease them—or save you. That’s why it’s more important than ever for organizations to begin focusing on the “when” of cyber attacks rather than the “if.”
It’s time to move away from the standard approach of hiding how security is performed toward being more transparent with partners, employees and customers. Don’t wait for your security program to experience a failure—especially one that could have easily been prevented—think about how it should evolve instead.