In Today’s IT World, Data is Gold
Cybersecurity can be a dense subject. While our team here at Scarlett Cybersecurity wakes up to the smell of security, we find it difficult to express the reasons we are so enthusiastic about the subject. One way to make it easier is to use a relatable analogy to help ensure that our clients understand the importance of proper security practices. For the topic of data security, our go-to example is always the 19th-century bank storing gold bars.
Just like the old-time bank robbers, modern cyber criminals have to choose their targets. Imagine two banks, each storing equal numbers of gold bars. Which bank would be targeted by the criminals?
Bank 1: Located in a town center, with continuous foot traffic moving into and out of a large room littered with gold bars. There’s a foot guard at the main door, but the vault isn’t locked – in fact there isn’t even a visitor log kept. All the visitors to the bank are allowed to carry rucksacks into the building to take their share of gold. There is a strict “do not search” policy for all visitors, so no guard is able to view their bags. Employees at the bank don’t know how much gold there is in the bank; they just know that there is usually gold somewhere when they need it.
Bank 2: Located in a standalone building, this bank has several guards covering the entrances. All customers must go to the front desk and ask for their gold, proving their identity with 2 separate forms of identification. Everyone is logged in a visitor book, and there are guards outside the vault to ensure all the gold stays where it’s needed. Every day, the amount of gold is carefully evaluated and any missing gold is immediately reported. Guards check everyone’s bags before letting them leave.
Obviously, the above examples feel a bit heavy-handed, but many prospects are surprised by just how similar their organization is to Bank 1. In fact, most of our team’s critical data assessments come back to show that sensitive data at organizations is treated just like Bank 1 treated their gold. Accounts can log in to the same servers storing sensitive data. There are no internal guards, and internet traffic flows straight into the same environment as the most sensitive data. Many times, there isn’t even a “vault” to begin with and the data is simply scattered throughout the network without organization or auditing.
OK – we obviously want to protect our sensitive data. What are some tips to get started?
- Sensitive Data Assessment: As always, the best first step for any new initiative is to get a third-party assessment by the experts. Teams that deal with sensitive data security on a daily basis are always going to be the best bet for determining a viable roadmap and gap analysis regarding your current state.
- Governance Evaluation: Just as important as the assessment, governance around the sensitive data in your network is a critical component of security. How are employees expected to properly secure data if there isn’t a policy and guidance on storing that data? Ensure that PII, HIPAA Data (ePHI), Financial Data, and any other sensitive data has clearly been defined and the boundaries of such data are known to all employees.
- Segregated, Encrypted Data Storage: “The Vault” – this is your ultimate storage location for sensitive data. Whether it be a separate enclave network designed to be isolated from the rest of your traffic or a cloud file sync and share solution with robust permission management and encryption – you need it. After the assessment and while developing your governance, speak to a consultant about the optimal solution for your organization’s needs.
- Secure Backups: OK – you have your policies, you have a vault, and you know where your data is currently residing. Backing up this critical data is the next step, but there’s a catch. Any backed-up data that is sensitive should be encrypted and secured. Otherwise, all the trouble of securing “the vault” is wasted since there is a glaring back-door to all your data. Ensure that you implement secure, encrypted backups.
- Enforced Endpoint Security: Just as the banks needed guards, networks need endpoint security. Regardless of the controls you have around the vaults, attackers will be trying to get in anyway. Implementing a modern Endpoint Detection and Response Solution, Application Whitelisting, and DNS security are all key items to tackle in the modern era. All these tools require management by experienced security analysts and engineers, but the cost can be substantially offset by partnering with a firm like Scarlett Cybersecurity.
- Multi-Factor Authentication: How do you really know who is accessing your firm’s data? Multi-factor authentication is analogous to the “two forms of ID” so common at many institutions. Essentially, you must provide a username, password, and token generated from a separate device such as a phone. This helps to ensure that weak or compromised passwords are still secured by the additional token required. Controlling data access is a key component of proper sensitive data management.
- Data Loss Prevention: Back to the bank analogy – remember in Bank 2 how the guards are checking everyone’s bags before letting them leave? This is how Data Loss Prevention (DLP) works in the cybersecurity world. DLP inspects outbound traffic for signs of data such as PII, ePHI, Financial Data, CUI, and any other sensitive information types. When this data is detected, an alert is fired to the security team and the traffic is blocked until it is either reviewed or approved.
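
The "bag check" described under Data Loss Prevention can be sketched in a few lines. This is an added example, not Scarlett Cybersecurity's code or any DLP product's implementation; the patterns, function names and sample payloads are constructed for illustration and cover only two of the data types named above (an SSN as PII, a payment card number as financial data).

```python
import re

# Constructed detectors for two of the data types the article names.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits, optional separators

# Constructed sample payloads (no real data).
SAMPLE_LEAK = "Customer SSN 123-45-6789, card 4111 1111 1111 1111"
SAMPLE_BENIGN = "Order ref 1234 5678 9012 3456 shipped"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert does not leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def inspect_outbound(payload: str) -> dict:
    """Verdict for one outbound payload: block and report if sensitive data is found."""
    findings = []
    for m in SSN_RE.finditer(payload):
        findings.append({"type": "PII/SSN", "match": mask(m.group())})
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "Financial/card", "match": mask(digits)})
    return {"action": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_BENIGN):
        print(inspect_outbound(sample))
```

The second sample has a 16-digit order reference that matches the card pattern but fails the Luhn check, so it is allowed through; validation steps like this are what keep a content inspector from blocking ordinary traffic.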