Remain several steps ahead to prevent a data breach before it hits

July 30, 2018
In the world of cyber and information security, the changing nature of attacks is the only thing that’s certain

It’s no secret—to protect your organization from a data breach, it’s essential to think like a hacker and stay several steps ahead at all times. Staying up on the latest safeguards is key to securing information and assets. The onus is on IT executives to create a winning cybersecurity strategy, long before a data breach hits.

First and foremost, develop a strong network infrastructure based on known security attacks, and keep it updated by revisiting new and emerging threats on a regular basis. Ensure your organization has solid governing policies and procedures in place to keep your data safe. Not sure where to begin? Many templates and best practices exist for standard policies and procedures—identify a good template and customize it to ensure it’s a good fit for your organization.

Familiarize yourself with the different varieties of security attacks, which change by the minute. Develop a plan for collecting information relevant to your industry and stay attuned to the new attacks you need to watch out for. The U.S. Department of Commerce’s National Institute of Standards and Technology offers cybersecurity email updates you can subscribe to in order to stay in the know. Another resource, the United States Computer Emergency Readiness Team, offers security alerts, tips and other important updates. Others, like Rehmann, offer risk reports you can sign up for to stay in the know. While it’s easy to become quickly overwhelmed by emails and subscriptions, being well-read on new and emerging issues is essential to our profession.

You should also make sure to implement all of the necessary security controls on devices used by employees. Utilize a strong firewall and intrusion detection and prevention system to prevent hackers from intruding. Avoid cutting corners—implement antispyware to prevent cookies and antivirus software to identify viruses that make their way through.

Keep these programs updated to make sure your company’s infrastructure stays up and running safely. Even the greatest programs available will fail to be effective if not kept up-to-date. To keep abreast of the latest patches, ensure you have an established patch process in place. Utilize available tools and resources to define your process, prioritize patches, implement your process and deep clean your IT environment.

Finally, while we’ve all experienced the frustration of trying to create a complex yet easy-to-remember password, strong passwords truly are the first line of defense in the fight against data breaches. All employees should create passwords that combine letters, numbers, uppercase, lowercase and special characters—the importance of these elements cannot be underscored enough. It seems obvious, but passwords should never be shared or displayed. The fact remains, a vast percentage of security breaches have nothing to do with network flaws or vulnerabilities, but instead, social engineering and our tendency to be all-too-trusting of others.

Employers should also ensure employees only have access to the data needed to perform their job function. In any business, even a small one, it’s important to have a user access strategy in place, outlining each job function and the levels of access needed to execute those functions—nothing more. Whether you have an internal IT department or outsource to a vendor, your team should make sure these user access levels are built in from day one to keep user access at appropriate levels.
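A user access strategy of the kind described above is only useful if someone periodically compares it against what accounts can actually reach. The following Python audit is an added example, not code from the article or from Rehmann: the job functions, data sets and account grants are constructed sample data, and it reports every account holding access beyond what its job function requires.

```python
# Constructed user access strategy: each job function maps to the data sets
# needed to perform that function, and nothing more.
ROLE_ACCESS = {
    "accounts_payable": {"vendor_invoices", "payment_approvals"},
    "hr_generalist": {"employee_records", "benefits"},
    "sales_rep": {"crm_contacts"},
}

# Constructed snapshot of what each account can actually reach, in the shape an
# identity system export might take: user -> (job function, granted data sets).
ACTUAL_ACCESS = {
    "alice": ("accounts_payable", {"vendor_invoices", "payment_approvals"}),
    "bob": ("hr_generalist", {"employee_records", "benefits", "payment_approvals"}),
    "carol": ("sales_rep", {"crm_contacts", "employee_records"}),
    "dave": ("contractor", {"crm_contacts"}),
}


def is_allowed(role: str, data_set: str, role_access: dict = ROLE_ACCESS) -> bool:
    """Day-one check: may an account in this job function reach this data set?

    Unknown job functions are denied everything, so a role nobody defined
    cannot silently accumulate access.
    """
    return data_set in role_access.get(role, set())


def find_excess_access(role_access: dict, actual_access: dict) -> dict[str, set[str]]:
    """Report, per user, any granted data sets the user's job function does not require.

    Accounts whose job function has no entry in the strategy are reported with
    all of their grants, because nothing in the strategy justifies them.
    """
    excess = {}
    for user, (role, granted) in actual_access.items():
        needed = role_access.get(role, set())
        extra = granted - needed
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    for user, extra in sorted(find_excess_access(ROLE_ACCESS, ACTUAL_ACCESS).items()):
        print(f"{user}: access beyond job function -> {sorted(extra)}")
```

Run against the constructed data, the audit flags bob (an HR generalist who can approve payments), carol (a sales rep who can read employee records) and dave (a job function the strategy never defined). Feeding a real identity export into `find_excess_access` on a schedule turns the written strategy into a recurring review rather than a one-time setup.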

In the world of cyber and information security, the changing nature of attacks is the only thing that’s certain. As security technology professionals, we must both plan ahead and stay in tune with emerging trends to prevent a data breach before it strikes.

About the author: Jessica Dore leads Rehmann’s Technology Risk Management Group, overseeing cyber security assessments, information security assessments, vulnerability and penetration testing, social engineering testing, information security training and Sarbanes-Oxley Act (SOX) 404 consulting engagements for publicly-traded companies. Jessica provides information technology (IT) consulting and security services to a wide range of clients.