Your answer is probably “Yes,” and most likely the reality is “No.”
It’s not all your fault. You rely on a technical team to do the right things. And you even ask if they are doing the right things.
But, when hackers inevitably breach your system and steal your valuable business data, you go back to the same team and ask how this could have happened. The team insists that they are following industry best practices. They’re not lying.
Industry best practices are not focused on the data.
The most important part of your business is the data.
Yet, budgets are filled with allocations for firewalls, IDSes, virus scanners, penetration tests, and machine learning systems: perimeter defenses. All of these systems focus on keeping hackers off your network or alerting your team as soon as possible when a hacker does penetrate your network.
None of these systems actually protect your data.
Once a hacker gets into the network, the data is just sitting there waiting to be taken and exploited or sold.
The Europeans created the General Data Protection Regulation (GDPR). If you want to do business in Europe or sell to a European citizen, you will need to comply with the GDPR. It mandates that companies protect customer data.
Ask your team again. You’ll hear terms like SSL, TLS, endpoint security, VPN. Those mechanisms aid in keeping your data protected from point to point as it moves across the Internet. But once the data arrives at the other end, it is again unprotected. Then the data is typically pushed into a database for storage and retrieval.
In the database, the data is not protected. It’s just sitting there, ripe for the taking.
If your team doesn’t also use terms like “hashing” and “key management” when talking about your security, odds are high that your data is not well protected (if at all).
Some engineering teams will attempt to protect data by adding a secret key into the application code and encrypting the data. But, when a key is included in the same location as the application to which it belongs, hackers can (and will) simply extract that key from the application itself and decrypt the data. Other engineers may rely on drive encryption or local database encryption, but, in those scenarios, the same problems arise: the keys are on the very servers being hacked, readily accessible to hackers.
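The extraction problem described above can be checked rather than argued about. The following is an added example (not code from the original article): two small application variants are compiled the way a build would compile them, and the string constants of the resulting artifact are listed, which is roughly what a `strings` pass over a shipped binary reveals. The variant with the key literal in its source carries the key in the artifact; the variant that receives the key at runtime from outside the artifact (here an environment variable, `APP_DATA_KEY_HEX`, assumed to be populated by a secrets manager or KMS) does not. The encrypt/decrypt pair is a standard-library stand-in for a real AEAD such as AES-GCM, included only so both variants do real work; the key value and variable name are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import types

# Stand-in for an AEAD cipher (use AES-GCM from a vetted library in practice):
# HMAC-SHA256 in counter mode as the keystream, separate MAC key, and an
# encrypt-then-MAC tag over nonce + ciphertext. Kept stdlib-only so it runs anywhere.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

# Constructed sample key (32 bytes as hex); never use a fixed value like this for real.
SAMPLE_KEY_HEX = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"

# Variant A, the anti-pattern from the article: the key is a literal in the
# application source, so every build artifact contains it.
HARDCODED_APP = f'''
DATA_KEY = bytes.fromhex("{SAMPLE_KEY_HEX}")
def protect(record):
    return encrypt(DATA_KEY, record)
'''

# Variant B: the key reaches the process at runtime from outside the artifact.
# APP_DATA_KEY_HEX is a constructed name for a value a secrets manager/KMS injects.
EXTERNAL_KEY_APP = '''
import os
def protect(record):
    key = bytes.fromhex(os.environ["APP_DATA_KEY_HEX"])
    return encrypt(key, record)
'''

def artifact_strings(code: types.CodeType) -> set:
    """Every str/bytes constant reachable from a compiled code object,
    including nested functions: the equivalent of running `strings` on a build."""
    found = set()
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            found.add(const)
        elif isinstance(const, types.CodeType):
            found |= artifact_strings(const)
    return found

def artifact_leaks_key(app_source: str, key_hex: str) -> bool:
    """True if compiling the app bakes the key material into the artifact."""
    return key_hex in artifact_strings(compile(app_source, "<app>", "exec"))

def run_app(app_source: str, record: bytes, env: dict) -> bytes:
    """Execute one variant with the given environment and return its ciphertext."""
    saved = dict(os.environ)
    os.environ.update(env)
    try:
        namespace = {"encrypt": encrypt}
        exec(app_source, namespace)
        return namespace["protect"](record)
    finally:
        os.environ.clear()
        os.environ.update(saved)

if __name__ == "__main__":
    print("hardcoded variant leaks key:", artifact_leaks_key(HARDCODED_APP, SAMPLE_KEY_HEX))
    print("external-key variant leaks key:", artifact_leaks_key(EXTERNAL_KEY_APP, SAMPLE_KEY_HEX))
```

The same constant scan applied to your own build outputs (compiled bytecode, container layers, packaged binaries) is a cheap release check: a key that shows up there is a key an attacker who obtains the artifact already has. Moving the key out of the artifact is the minimum; in production the runtime source should be a KMS or secrets manager with audited access, so the key is neither in the code nor at rest on the database host.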
Hackers will obtain your data. If that data is encrypted, it will have no value to these hackers. Once your data is properly encrypted, it’ll be a good time to revisit the policies that drive your firewall and IDS budgets.
Finally, perimeter defenses don’t address threats from within the company and the internal network. Proper implementation of data protection will guard against both internal and external threats.
Get in touch with our experts at firstname.lastname@example.org for a free analysis of how safe your business data is from both internal and external data loss threats, and for a review of, and advice on, your Business Continuity plans in case a data loss disaster strikes your business.
Your data is your greatest asset. Protect it.