How You’re Affected by Data Breaches
Data breach: it’s a phrase we hear in headlines all the time. Cybercriminals expose the sensitive information that organizations collect from individuals. But just how real is this threat, and what can your organization do about it?
In the first six months of 2019, there were over 4.1 billion compromised records resulting from 3,800 publicly disclosed breaches (Forbes). These records include email addresses, passwords, and other sensitive data. And while the numbers are staggering, the techniques cybercriminals use to gain access to this data are often basic. By following a few simple best practices, your organization can avoid becoming the next victim of a data breach.
Data breaches hurt both individuals and organizations by compromising sensitive information. For the individual whose data is stolen, this often means headaches: changing passwords, placing credit freezes, signing up for identity monitoring, and so on. Depending on the due diligence it exercised to protect the data in the first place, the compromised organization may be on the hook for the cost of monitoring services for victims after a breach. It will also be responsible for notifying victims about what information was stolen.
Altogether, it can be an expensive lesson in data security – IBM reports that the average cost of a data breach is almost $4 million USD. And then there’s the non-monetary cost of a tarnished reputation. Data breaches are certainly one case where “an ounce of prevention is worth a pound of cure.” So what does prevention look like? Let’s explore.
Awareness training is paramount
The number of data breach victims rises every day. Prevention starts at the individual level with security awareness training. Cybercriminals continuously leverage phishing and other social engineering techniques to gain unauthorized access to systems and data. By teaching yourself and others in your organization how to spot and avoid a phishing email, you can go a long way towards preventing a successful breach.
Organizations should also implement a policy for handling suspicious emails so employees know what to do. For example, they may be instructed to report the message to the Chief Information Security Officer (CISO) or the IT security team.
Prioritize security actions
It’s easy to get overwhelmed by the cybersecurity products available today: AI-powered, machine learning-enabled, blockchain-ready. Add in the security regulations required by many industries, and it can seem like too much. But don’t despair – or worse, give up on security altogether. You can build a cyber defense program from the ground up by following prioritized security best practices such as the CIS Controls.
The CIS Controls provide step-by-step, prioritized security actions to help organizations defend against cyber threats. They walk an organization through security concepts like asset management, application whitelisting, and penetration testing. The best part? They’re free to download and implement.
For organizations implementing multiple frameworks, the CIS Controls are mapped to popular security programs including NIST CSF and ISO 27001. In fact, many organizations use the CIS Controls as an on-ramp to additional security programs.
Closing configuration gaps
According to Forbes, over 3.2 billion records were exposed as a result of “misconfigured databases and services.” What does that mean? Configuration security can seem complicated, but it really comes down to the settings of a particular application or operating system. It’s a fact: systems don’t ship securely. They are configured with default settings chosen for convenience or to maximize in-application sales, not for security. That’s why it’s up to you, the end user, to examine the settings and implement secure configurations.
So what are the best settings to implement? The experts are on it: cyber defense communities organized by the Center for Internet Security (CIS) regularly develop secure configuration guides called the CIS Benchmarks. The CIS Benchmarks are available for operating systems, cloud infrastructure, mail servers, web browsers, and more. They’re developed through a consensus-based process involving a global network of cybersecurity professionals. Like the CIS Controls, they’re free to download and implement.
Automate, automate, automate
If your organization has multiple endpoints to secure, you should look at automating cybersecurity processes. This saves time on manual assessments while still allowing your organization to build a robust cyber defense program to prevent data breaches. Look for tools that help you implement a secure baseline – that is, one determined by consensus rather than by a single vendor’s perspective.
Organizations implementing the CIS Controls and CIS Benchmarks can take the next step by leveraging CIS SecureSuite Membership. Over 2,000 businesses and organizations have already joined to improve their cyber defenses. CIS SecureSuite Membership provides:
- CIS-CAT Pro, an automated configuration assessment tool that measures endpoint compliance to the CIS Benchmarks and CIS Controls
- CIS-CAT Pro Dashboard, a companion to the CIS-CAT Pro Assessor that shows compliance to the CIS Benchmarks over time
- Build Kits: shell scripts and Group Policy Objects for quickly implementing secure configurations
- Access to CIS WorkBench, a Membership resource with features like custom configuration policy creation
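To make concrete what an automated assessment against a consensus baseline (the configuration-gap and automation sections above) actually does, here is an added, constructed example in Python. It is not CIS-CAT Pro and contains no CIS Benchmark content: the baseline checks, the sample `service.conf` and its keys are all invented for illustration. It parses a configuration left on vendor defaults, reports each gap with its rationale, and shows that applying the baseline values closes the gaps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    setting: str      # configuration key the baseline constrains
    expected: str     # value the baseline requires
    rationale: str    # why the default is a gap

# Constructed baseline for a hypothetical "key = value" service config.
# Values are illustrative, not taken from any published CIS Benchmark.
BASELINE = (
    Check("bind_address", "127.0.0.1", "do not listen on every interface"),
    Check("require_auth", "yes", "anonymous access exposes stored records"),
    Check("tls_enabled", "yes", "protect data in transit"),
    Check("log_level", "info", "keep enough detail to investigate incidents"),
)

# Constructed sample: a service left on vendor defaults for convenience.
DEFAULT_CONFIG = """\
# service.conf (constructed sample)
bind_address = 0.0.0.0
require_auth = no
tls_enabled = no
log_level = info
"""

def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines, ignoring blanks and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def assess(config: dict[str, str], baseline=BASELINE) -> dict:
    """Compare each baseline check to the live value; score is % passed."""
    findings = [{"setting": c.setting, "expected": c.expected,
                 "actual": config.get(c.setting, "<unset>"),
                 "rationale": c.rationale} for c in baseline]
    for f in findings:
        f["passed"] = f["actual"] == f["expected"]
    passed = sum(f["passed"] for f in findings)
    return {"findings": findings, "score": round(100 * passed / len(findings))}

def apply_baseline(config: dict[str, str], baseline=BASELINE) -> dict[str, str]:
    """Return a hardened copy with every baseline setting forced to its value."""
    return {**config, **{c.setting: c.expected for c in baseline}}
```

Running `assess(parse_config(DEFAULT_CONFIG))` on the constructed defaults flags three of the four settings; re-assessing `apply_baseline(...)` of the same config scores 100%.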