Five Epic Fails in Data Security: Do You Know How to Avoid Them?
Data security is on everyone’s mind these days, and for good reason. The number of successful data breaches is growing, driven by the larger attack surfaces that come with more complex IT environments and widespread adoption of cloud services, and by increasingly sophisticated cybercriminals.
One part of this story that has remained consistent over the years, however, is that most security breaches are preventable. Although every organization’s security challenges and goals are different, there are certain mistakes that many companies make as they begin to tackle data security. What’s worse, these mistakes are often accepted as the norm, hiding in plain sight under the guise of common practice.
Should you be concerned about the potential for a data breach? Let’s see if you can fill in the blanks:
- Compliance does not equal ______.
- Recognize the need for _____ data security.
- Establish who _____ the data.
- Fix known ______.
- Prioritize and ______ data activity monitoring.
Five Common Data Security Failures
Below are five common data security failures that, if left unchecked, could lead to unforced errors and contribute to the next major data breach.
1. Failure to Move Beyond Compliance
It is often said that compliance does not equal security, and most security professionals would agree with that statement. However, organizations often focus their limited security resources on achieving compliance and, once they receive their certifications, become complacent. As a result, many of the largest data breaches in recent years have happened in organizations that may have been fully compliant on paper.
2. Failure to Recognize the Need for Centralized Data Security
Compliance can help raise awareness of the need for data security, but without broader mandates that cover data privacy and security, companies forget to move past compliance and actually focus on consistent, enterprisewide data security. A typical organization today has a heterogeneous IT environment that is constantly changing and growing. New types of data sources pop up weekly, if not daily, and sensitive data is dispersed across all of these sources.
3. Failure to Assign Responsibility for the Data Itself
Even if stakeholders are aware of the need for data security, in many companies no one specifically owns responsibility for the sensitive data that’s being collected, shared and leveraged to perform business operations. This becomes obvious once you try to find out who is actually responsible.
4. Failure to Fix Known Vulnerabilities
According to Gartner, 99 percent of all exploits use known vulnerabilities, while malware and ransomware attacks typically leverage vulnerabilities that are at least six months old. Recent high-profile breaches have resulted from known flaws that went unpatched even after fixes were released. Cybercriminals actively seek unpatched vulnerabilities because they are easy points of entry.
5. Failure to Prioritize and Leverage Data Activity Monitoring
In addition to moving past compliance, spreading security awareness, establishing data ownership and addressing vulnerabilities, monitoring data access and use is an essential part of any data security strategy. Organizations need to know who is accessing data, how and when they are accessing it, whether they should be, whether that access is normal and whether it represents elevated risk.
Taking Steps to Close Data Security Gaps
There is nothing easy about securing sensitive data against today’s threat landscape, but companies can take steps to ensure that they are devoting the right resources to their data protection strategy. Few organizations, however, can afford all the security measures they would like to have. When resources and budgets are limited, it is of paramount importance that organizations prioritize and make full use of the resources they do have.
To learn more about common data security missteps, read the white paper, “Five Epic Fails in Data Security: Common Data Security Pitfalls and How to Avoid Them.”