Basics for Improving the Safety of Your Organization's Data

Author: Brian Fletcher, Cyber Assessment Practices Advisor, ISACA
Date Published: 4 May 2022

The world is currently experiencing the Fourth Industrial Revolution (4IR),1 one result of which has been the innovation of big data. The concept of big data encapsulates how enormous amounts of data can be gathered, analyzed and stored across many systems.2 Most data collection is for typical business purposes; however, malicious cyberactors can access and leverage the same data to damage an organization’s reputation, gain unauthorized access to its systems and take them down, endanger users, and cause other financial and regulatory impacts. Fortunately, organizations can protect their data by performing the basics of good cybersecurity hygiene.

Simple Is Better

Employees enterprisewide working toward a more secure state help defend against some of the most common attacks targeting organizations.3 To achieve this level of collaboration, enterprises can establish or enhance security awareness and education training programs. Topics such as safe browsing, social engineering and security policies are often good starting points because they can improve user behavior. Additionally, the organization needs to ensure that users know how and when to report issues or concerns. Overreporting is always better than underreporting, so the organization should conduct exercises that encourage users to report.4 If the organization allows remote or mobile work, it should instruct users on how to protect their own access points and data, thereby improving the security of the organization’s systems and data that are present on the user’s home network.

Knowing what vulnerabilities are on the network, how they translate to risk for the organization and how to reduce this risk are significant steps toward improving the security of an organization’s data.5 Once the basics are in place, the organization can also implement more advanced items such as browser add-ons, proxy services, data encryption, behavior monitoring, and web filtering to improve the protection of the organization’s data.

Making the Most of Cybersecurity Resources

There is no shortage of cybersecurity resources that are available and designed to help protect an organization’s data at risk. Getting organizational buy-in and changing an organization’s culture to securely manage data are often more challenging than utilizing the technical resources necessary for data security.6 As soon as organizational support is in place, practitioners and their enterprises should take advantage of the following resources:

  • Secure password strategies—Implement an organizational strategy that aids users in selecting a strong password, using multifactor authentication (MFA) during login and understanding how weak passwords can be used to compromise the organization.
  • Safe web browsing—Instruct employees to use common precautions when browsing the Internet, including checking for the lock symbol on their browser (i.e., a Uniform Resource Locator [URL] displaying Hypertext Transfer Protocol Secure [HTTPS]) and monitoring for fake websites that may be attempting to impersonate a brand.
  • Mobile device updates and security tools—If an organization provides mobile devices or enforces a bring-your-own-device (BYOD) policy, it should aid users in safely using their devices on the network (e.g., offer update reminders, secure configuration assistance).
  • Dark web monitoring—This service can be an organization’s first warning that an attacker is planning to attack a system or that a system has been compromised and data are for sale.
  • Basic security training—A basic security training program helps educate users on how to be an organization’s first line of defense. Users must understand what to look for and how to report any activity when they have discovered an issue.
  • Inventory management—One cannot protect, patch or control something that one does not know exists. Performing a complete inventory is the first step in identifying what must be protected.
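The safe web browsing item above names two checks a user is asked to make by eye: that the URL is HTTPS, and that the site is not a lookalike impersonating a brand. Both can also be automated in a web filter or mail gateway. The following Python is an added example written for this article, not code from ISACA or the author; the trusted domains, brand tokens and sample URLs are constructed assumptions, and a real deployment would use the Public Suffix List rather than the naive two-label domain extraction shown here.

```python
from urllib.parse import urlsplit

# Constructed assumptions: domains the organization owns, and the brand
# names an impersonator would be likely to borrow (longest first so the
# most specific token is the one reported).
TRUSTED_DOMAINS = ("examplebank.com", "example.com")
BRAND_TOKENS = ("examplebank", "example")
MAX_EDIT_DISTANCE = 2  # how close a lookalike must be to count as suspicious


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host.
    A production filter should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> list:
    """Return safe-browsing findings for a URL; an empty list means the
    URL uses HTTPS and points at a domain the organization trusts."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if not host:
        findings.append("no host in URL")
        return findings
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    # A brand name inside a host the organization does not own is the
    # classic "example.com.login-verify.net" impersonation pattern.
    for token in BRAND_TOKENS:
        if token in host:
            findings.append(f"brand name '{token}' in untrusted host {host}")
            break
    # A registrable name within a couple of edits of a trusted one is a
    # typo- or homoglyph-squat such as "examp1e.com".
    name = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.split(".")[0]
        if name != trusted_name and levenshtein(name, trusted_name) <= MAX_EDIT_DISTANCE:
            findings.append(f"host {host} resembles trusted domain {trusted}")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, as they might appear in a gateway log.
    for sample in ("https://example.com/login", "http://example.com/login",
                   "https://examp1e.com/login", "https://example.com.login-verify.net/"):
        print(sample, "->", check_url(sample) or ["ok"])
```

The two detections complement each other: the token check catches long hosts that embed the brand as a decoy label, while the edit-distance check catches short registrable names that differ from the real one by a character or two. Either finding is a reason for the gateway to block or for a user to report, which is the behavior the training described above is meant to produce.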

By arming itself with these tools, an enterprise is better able to protect its data.

Best Practices for Patching, Configurations and Passwords

Enterprises can further improve data security by following best practices for patching, configuration and passwords. A number of strategies can help organizations improve the safety of their data:

  • Implement a patch management program to ensure that all devices have the latest patches.
  • Implement a configuration management program to ensure that all devices meet the organization’s baseline security standards.
  • Ensure that least-privilege access safeguards are in place by implementing an access management program.
  • Ensure that there is a strong password strategy in place, enforced through the access management program. Most security tools monitor for weak or repeat passwords because weak and repeat passwords are the first and second things, respectively, that most attackers guess when trying to gain access to an organization.7 For this reason, enterprises should frequently review whether their network users are using weak or repeat passwords. Organizations may also consider adopting an enterprise password management solution. Such a tool helps ensure that users follow safe password and Internet browsing practices through built-in password checking and URL safety checking.8
  • Whether an organization’s employees use personal or enterprise-owned mobile devices, the organization should have a mobile device management program in place to take inventory of all mobile devices connected to the network and ensure that they meet minimum security standards.9
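The password strategy item above asks for two controls: rejecting weak passwords and detecting repeat passwords. The following Python shows the checks an access management program can apply when a user sets a new password. It is an added example written for this article, not code from ISACA, the author or any product; the common-password list, policy thresholds and sample accounts are constructed assumptions, and a real deployment would check candidates against a full breached-password list.

```python
import hashlib
import hmac
import os

# Constructed sample of commonly guessed passwords. A real deployment
# checks against a full breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2022"}

MIN_LENGTH = 12      # constructed policy threshold
HISTORY_DEPTH = 5    # how many previous passwords a user may not reuse


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Each history entry has its own salt, so
    equal passwords never produce equal hashes across users or entries."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(history: list, password: str) -> None:
    """Append a (salt, hash) pair to a user's password history after a
    password has been accepted; plaintext is never stored."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def check_new_password(username: str, candidate: str, history: list) -> list:
    """Return policy findings for a proposed password.
    An empty list means the candidate passes every check."""
    findings = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if username.lower() in lowered:
        findings.append("contains the username")
    # Repeat check: re-derive the hash with each stored salt and compare in
    # constant time, so reuse is detected without keeping plaintext.
    for salt, stored in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), stored):
            findings.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return findings


if __name__ == "__main__":
    # Constructed account: one prior password on record.
    history = []
    record_password(history, "Correct-Horse-Battery-7")
    for candidate in ("password", "Correct-Horse-Battery-7",
                      "Alice-loves-cats-2022", "Tall-Purple-Bicycle-99"):
        result = check_new_password("alice", candidate, history)
        print(repr(candidate), "->", result or ["accepted"])
```

Running the same `check_new_password` function over accounts at review time, rather than only at change time, is how the periodic weak- and repeat-password review recommended above can be carried out without ever handling plaintext credentials in bulk.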

Following these guidelines helps organizations protect themselves against malicious cyberactors attempting to access data.

Dark Web Monitoring for Leaked Information

How can a security team discover if an attacker is planning an attack against an organization—or if it has already been compromised? Security-as-a-Service providers often offer dark web activity monitoring to search the dark web for any of an organization’s private information or any information that might be harmful to the organization. If areas of concern are discovered, the service provider informs the affected organization and provides guidelines for what action should be taken.10

Conclusion

Data collection, big data and hackers are here to stay, so organizations must secure their data starting with the basics. The basic steps are the easiest and least costly to implement and will help the most with reducing overall risk to the organization’s data. From there, the organization can identify any additional steps that can be taken to further improve the safety of its data, such as incident response training, periodic policy reviews and/or data loss prevention (DLP) safeguards.11 These efforts, in conjunction with the associated cybersecurity culture change in the organization, enable organizations to proactively protect data instead of reacting to each incident as it occurs.

Endnotes

1 Schwab, K.; “The Fourth Industrial Revolution: What it Means, How to Respond,” World Economic Forum, 14 January 2016
2 Shaw, J.; “Exposed: The Erosion of Privacy in the Internet Era,” Harvard Magazine, September 2009
3 Soare, B.; “What Are the Main Attack Vectors in Cybersecurity?” Heimdal Security, 12 February 2022
4 CybSafe, “7 Reasons Why Security Awareness Training Is Important,” 26 January 2021
5 Fellinge, J.; “How Device Inventory and Dependency Management Help Secure Larger Systems,” Mouser Electronics Blog, 31 January 2019
6 Romeo, C.; “6 Ways to Develop a Security Culture from Top to Bottom,” TechBeacon
7 Website Security Store, “Password Based Attacks to be Aware of and How to Prevent Them,” 6 October 2021
8 Orange County’s Credit Union, “Pros and Cons of Using a Password Manager,” 5 April 2021
9 Freedman, M.; “18 Ways to Secure Your Devices From Hackers,” Business News Daily, 25 January 2022
10 Rapid7, “Dark Web Monitoring
11 Staff, “Eight Simple But Effective Ways to Improve Your Company’s Data Security,” Forbes, 20 October 2021

Brian Fletcher, CISSP, OSCP

Is a senior cybersecurity research advisor for ISACA's Content Development and Services department and a subject matter expert for cybersecurity best practices, governance, controls and standards. He also supports the development and expansion of ISACA's CMMI Cybermaturity Platform (CMMI-CP). Fletcher is a highly accomplished US Navy veteran with 25 years of experience in multidisciplinary security that includes system development, cyberoperations, crisis response and cybersecurity training.