How is it that so many organizations focus on perimeter defense but do little to protect the target data inside that perimeter? Wouldn’t it be wonderful to protect sensitive data even if the network is breached?
Rather than rehash statistics and evidence of recent data breaches in multiple industries, let’s assume that we all know that sensitive data, whether financial, clinical or personally identifiable (such as social security, passport or driving license numbers), is the primary target of cyber criminals. There are many examples of successful breaches, and few are surprised that human error and/or lack of security is often the root cause.
It’s a little too optimistic to speculate that any specific company will never be affected by a data breach, but surely organizations can make it a little more difficult for hackers to profit from it?
When breached companies fail to encrypt data, they are culpable, in my opinion. When the security of sensitive data is not considered both at rest and in motion, we could wonder if those in charge have a true understanding of the hacker mindset. What kind of data security plan is needed to ensure clients, suppliers and other contacts are fully protected?
At this point, most companies have a cybersecurity plan in place, most likely focusing on possible attack vectors, securing the IT infrastructure against known vulnerabilities and in some cases, semi-regular security awareness training for staff. IT staff may rely on crowdsourced or automated threat intelligence solutions to stay informed of the latest threats. While all these activities are needed, they’re not insurmountable to patient hackers. Internal threats are exceedingly difficult to protect against - whether human error that leads to successful phishing attacks, ransomware launch or user-installed but unauthorized software that allows network access. Once the hacker has a presence on the network, finding and downloading sensitive data is the next step.
If that data is insecure and the company is relying on infrastructure security alone, then accessing that data is child’s play to a savvy hacker. It’s also worth noting that hackers often sit on discovered vulnerabilities, waiting for the right time to use them rather than collecting a bug bounty or indeed allowing their discovery to be detected elsewhere by zealous security companies. It’s one big cat and mouse game between the security industry and hackers. Sure, security may well be evolving in sophistication, but hackers respond in kind with even more complex attacks.
Given this environment where a breach is likely, not a matter of if but when, why not take the additional step of securing the data? It’s logical to do so, especially when data protection laws and other obligatory standards such as PCI-DSS and HIPAA require mandatory compliance. It is not a suggestion; offenders that suffer breaches are penalized with costs often running into the millions, not to mention the reputational damage involved. Well, it’s important so best mention it.
My advice is to enhance data protection. Using a bank robbery analogy, name any bank that leaves the bank vault wide open and instead posts armed security guards at every entrance. If one guard leaves his post or is overpowered, then there is little to prevent a successful heist.
Admittedly, there have been many successful data breaches in the financial services industry but at least in terms of physical security, the vault is secure. The analogy holds true: we want hackers that breach the network to be stuck in front of a vault, without access to the sensitive data within.
It’s not a difficult concept.
Making data security an important part of your overall security plan is not that difficult. Simply ask yourself a few searching questions, including but not limited to the following:
Once you know where your data is stored, you can work on protecting it. Centralized data management is the goal, with authorized personnel assigned the permissions to access it securely.
Most companies do, even if that data is related only to employees. If data can be used by hackers for identity theft or financial gain, consider it sensitive.
Again, given the propensity for data sharing, you most likely share data between departments, physical sites or with approved suppliers and partners in a manner necessary to do business. Bear in mind that those you share data with must also comply with governing regulations for data privacy. As the source, your organization is still responsible if a data breach occurs.
A minimum requirement, if you want to protect data.
Depending on the volume of file transfers and security awareness of staff, it is certainly possible. Your aim is to reduce the potential for human error by automating file transfers as much as possible, whether through scheduling, workflow optimization or permission management.
Consider this an opportunity to optimize processes for maximum efficiency, by streamlining workflows and ensuring that file transfers take place in an authorized manner–not via VoIP, memory stick or other method that cannot be logged. We’re not even considering e-discovery at this point, but it’s worth mentioning.
A primary consideration for many. Standard file transfer will not allow an audit trail with delivery receipts, authorization and timestamps, cannot prove your compliance if a breach occurs and will not encrypt data in motion.
Selection of an MFT solution can only benefit data security and can save time and money, freeing up staff for tasks that relate to core business activities. If data security is in fact an integral part of the overall cybersecurity plan, sensitive data is handled confidently and, most importantly, the risk of data loss is reduced.
In conclusion, the use of managed file transfers can only enhance your overall security posture, given that benefits such as permission management, data encryption, workflow optimization and audit trails are readily available. In the event of a network breach, at least your sensitive data is safe while your IT team scrambles to combat the intruder.
What do you think? Is it better to focus on protecting the infrastructure or the important data that resides on it? Ideally, both… and don’t forget a disaster recovery plan and business continuity plan if the unexpected occurs. Your clients and contacts will thank you.
An Irishman based in Hong Kong, Michael O’Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he’s welcome in high-profile publications such as The Street and Fortune 100 IT portals.