A big part of data security is the proactive prevention of data loss, theft, and security breaches, and it is always better to prevent these from happening than to mitigate attacks.
So, we have come up with an IT checklist for organizations to go over to prevent breaches from happening. This checklist covers not only the roles and responsibilities of IT personnel; more importantly, it should be known by all employees or team members who have access to the company's critical and confidential data.
Examples of such data include intellectual property such as source code, product design documents, and internal price lists; corporate data such as financial and strategic planning documents and research for mergers and acquisitions; employee information; and customer data such as social security numbers, credit card information, or financial statements.
Best Practices to Prevent A Data Breach
1. Ensure strict documentation on changes.
Seventy percent of companies underestimate the importance of documenting changes, putting their most critical IT systems at risk of security violations and downtime, according to the 2015 State of IT Changes survey.
This practice maintains visibility across the entire IT infrastructure and provides a complete audit trail of system activities and changes made.
The human factor is always the most vulnerable area in security, and thorough documentation of user activity reduces the risk posed by employees’ inadvertence or negligence.
2. Identify threats.
Part of the responsibility of data security is staying up to date with the latest threats to security. This can be done by correlating application security quality with global security intelligence.
Ensure that your users are alerted to potential breach methods, and update your software and infrastructure accordingly.
The gateway to your data is through your applications. Attackers know these are a weak link, so they look for vulnerabilities in applications that provide access to sensitive data. Testing applications for security vulnerabilities reduces the risk of a data breach.
3. Be proactive when it comes to information protection.
The main point of data security is to protect company information, and its main component is knowing your data and who has access to it.
Privilege abuse is hard to detect, so restricting access to the company’s most confidential and sensitive data to those who need it, and monitoring those with privileges, will greatly help in ensuring that data stays protected.
Data minimization and access control are also powerful elements. Users shouldn’t collect or have information that they don’t need. IT security, as part of database management, should also reduce the number of places users can retain data in the network.
Access to sensitive data can also be on an “as needed” basis, with strict documentation of access control.
4. Implement security policies strictly and consistently.
Continuous auditing of data changes, user activities, system configurations, and security policies helps ensure critical mistakes don’t happen and areas don’t become vulnerable to breaches.
5. Audit and evaluate your environment and network security policies continuously.
Analytics generated from audits help detect security incidents and find the cause of each violation. They also provide proof when a company needs to pass compliance audits.
Treat IT Security as a Priority
We performed an eight-month project starting from a top-to-bottom assessment of all affected areas in one of the biggest power generating companies in the Philippines. We embarked on tasks that enabled them not only to acquire their ISO certification in 2016, but also to boost their IT security. These include:
1. Assessment of servers, SCADA infrastructures, Programmable Logic Controller (PLC) infrastructures, network infrastructure, access to information, data process procedures, and physical sites. We also included non-IT related processes like disposal, risk management, HR programs, communication process, contingency procedures and Information Security Management Systems (ISMS).
2. Deployment of an ISO-based Information Security Management Systems (ISMS) that provided a hard guide on the Policies and Procedures to be followed by the company in terms of information handling and access. ISMS training was given to their staff to ensure proper literacy and compliance.
3. Provision of solutions on how to address their patching requirements and data loss protection requirements, which were among the items for remediation in the risk assessment activities.
These activities made the stakeholders and management aware of the specific risks that may affect their business and operations. Their newfound knowledge of internal and external threats, as well as remediation procedures and plans, enabled them to reduce threats.
Companies that want to bolster their IT security strategy should also implement these steps, not only for certification but also for risk management.
Look Beyond Your IT Security Department
To help ensure breaches are prevented, look beyond the IT security department and evaluate other departments.
Evaluate employee exit strategies (HR department), remote project protocol (Operations), and on- and off-site data storage practices such as BYOD devices, among other things. Once you have evaluated policies, establish new or better policies and procedures and set up safeguards.
You should also hold vendors and partners to the same standards. Third-party service providers need to maintain the same level of security standards and deploy the same measures in compliance with your federal regulations.
As hackers get more and more sophisticated, the best thing that companies – no matter the size – can do is mitigate risks and set up control measures. In a virtual world where it’s possible to be untraceable, the best protection is preparation.