What are the biggest mistakes companies make with data security?
First, the failure to see data security as an organization-wide “business problem”, treating it instead as an “IT problem”. Many organizations have launched data security projects entirely within the IT department. This will probably lead to a strong implementation of technical data security controls, but it has the downside of paying too little attention (if any) to more business-oriented security controls such as physical security, policies and procedures, training, and other administrative and environmental controls.
Second, the mistake of neglecting data governance and security throughout the data life cycle. The data life cycle is an important concept to understand. Many companies still lack the elementary processes, policies and standards for protecting data throughout its life cycle.
While we are discussing data security throughout the life cycle, let’s agree that emerging technologies have made it one of the biggest issues today. Data life-cycle protection is becoming just as important in new data center architectures as network security. We can even see a gradual movement in security from perimeter protection to data protection.
Trust is being pushed back into the machines rather than staying at the network level. As technology matured through the years, trust in security perimeters decayed. In the early to mid-nineties, the typical security perimeter consisted of a static, closed network with restricted connectivity for business-related applications: a trusted model in which IT was mainly concerned with email services and web access. In the late nineties, however, trust in security perimeters began to be questioned as VPN technology allowed remotely connected employees to access internal resources from physical locations outside the company. As the years went by, trust in the security perimeter came under further pressure as increasing internet traffic and connectivity set the stage for more security threats to appear, such as web pages hosting malware.
In recent years, advanced persistent threats and connected devices have been nullifying trust in the security perimeter. Enterprises are increasingly moving critical processes and data to the cloud, and as the cloud provider’s network environment allows connectivity and access to a myriad of applications, services and tenants, continued confidence in perimeter security has itself become a serious risk. The many issues related to data storage, computation and access in cloud instances are rendering the trust model based on perimeter security null. Hence the gradual movement from perimeter protection to data protection. Trust is being pushed back into the machines rather than staying at a holistic, network-level perspective. This phenomenon can also be observed as virtual security appliances are placed within the virtual machine monitor.
The challenge of data life-cycle protection is also becoming more complex than ever, as no holistic approach exists for protecting information from cradle to grave. Organizations have to look at who is using what data, what they are doing with it, when and how they are accessing it, how it is being used, and how it is securely stored, archived and destroyed. It is difficult to balance the needs of employees, who need access to data to do their jobs, against the need to control data access tightly enough to prevent accidental loss or intentional access by cyber attackers.
Third, and one of the biggest issues today, is resource allocation. This notion of resource allocation can be seen from various perspectives, but the points I want to raise here are, on one hand, that resources are typically weighted disproportionately towards defense and prevention, and on the other hand, that too little attention is paid to response and recovery. This is an issue of organizational awareness; however, no matter what precautions organizations take, a data breach is going to happen sooner or later, and a planned and coordinated response is fundamental.
In light of this resource allocation issue, we can highlight a second shift in information security: a shift from prevention to resilience. Years ago, Robert S. Mueller, former FBI Director, stated: “There are only two types of companies: those that have been hacked and those that will be hacked.” It is not a matter of “if” an enterprise will be the victim of an information security attack, but rather “when”. Highly virtualized distributed computing architectures, cloud-based applications, increasing network programmability and the estimated 50 billion connected devices have opened new attack surfaces and vectors.
This shift from prevention to resilience reflects the fact that enterprises should emphasize adapting to and recovering from shocks rather than focusing solely on avoiding them. Instead of exclusively focusing on creating the “best security infrastructure”, enterprises should concentrate their efforts on continuous assessment, i.e. preparing for and responding to cyber incidents: they should identify risks, establish best-practice information security protections, and create effective response plans. Resilience encompasses not only preventing a risk but, equally important, preparing for it, and detecting, responding to and recovering from it.
Fourth, the mistake of settling for the minimum security measures that will probably do the job but could be stronger. I believe organizations should consider, whenever possible, supplementary internal encryption, multi-factor authentication, or operating at a higher level of compliance even if it is not technically required. Why is this not considered in all organizations? Again, this is a matter of time and resource allocation: the eternal trade-off between investing heavily now and settling for a minimally viable security posture, which can certainly be costly later on.
Fifth, the mistake of not training employees in cyber security best practices and not offering them ongoing support. Holding employees accountable is also a complementary necessity, as it is crucial in making sure all employees understand how important it is to use effective cyber security practices.
A big mistake relating to the knowledge of the user base is to assume that your employees know the internal security policies, and also to assume that they care enough to follow them. Most of the data breaches we hear about occur because attackers are able to take advantage of employees who either do not know the security policies or do not understand why they should care about their company’s security well-being.
Ameye, N. (2018, January 9). News / articles. Retrieved from DPO Circle: https://dpocircle.eu/content.aspx?page_id=5&club_id=341464&item_id=39020