New year, new data security resolutions

And the top four to-dos you should address today.


Every new year presents a metaphorical blank slate: an opportunity to start anew, and a natural time to think about resolutions for the year ahead.

While I'd usually start with the standard advice (a more rigorous fitness or health regime), I should defer to the important, and sometimes easier-to-implement, corporate infosec resolutions that can carry us into the New Year. Think of it as an annual dental checkup: even if you've had no problems this year, it's wise to take the time for a deeper look. But instead of the dentist's chair, let's start with first principles.

Multi-factor authentication everywhere

There is no acceptable reason to rely on a static password alone for access to corporate systems. It has never been easier to add multi-factor authentication (MFA) to your infrastructure, with a wide variety of products and methods available. It is just as critical to scan your external perimeter and confirm that no other externally-facing systems are running alongside the ones you protected that DON'T require MFA. Often we've seen the primary system configured with mandatory MFA, only to find that adjacent externally-reachable systems still accept a username and password alone and are therefore open to brute-force and credential-stuffing attacks; a VPN gateway behind MFA next to a webmail endpoint, a legacy IMAP or SMTP authentication service, or an RDP host with no such protection is the typical pattern. My primary recommendation is to review your externally-facing infrastructure, service by service, to make sure you haven't inadvertently fallen into this scenario.
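To make that external review concrete, here is an added example (not code from the article) that cross-checks nmap greppable (-oG) output against an inventory of services known to enforce MFA and flags any open, password-capable service that is not on it. The scan output, hostnames, addresses and inventory below are constructed for illustration; substitute your own scan file and your own list of MFA-enforced endpoints.

```python
"""Cross-check an external port scan against the MFA-enforced inventory.

Added example, not from the article. The scan text is constructed
nmap -oG (greppable) output; the MFA inventory is an assumed list.
"""
import re

# Ports whose services take a username/password and are therefore
# brute-force targets if nothing stronger sits in front of them.
AUTH_PORTS = {
    22: "ssh", 23: "telnet", 25: "smtp", 110: "pop3", 143: "imap",
    443: "https", 445: "smb", 587: "submission", 993: "imaps",
    995: "pop3s", 1433: "mssql", 3389: "rdp", 5985: "winrm", 8443: "https-alt",
}

# Constructed nmap -oG output (not a real scan; addresses are documentation ranges).
SCAN_OUTPUT = """\
Host: 203.0.113.10 (vpn.example.com)\tPorts: 443/open/tcp//https///, 500/open/udp//isakmp///
Host: 203.0.113.11 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 993/open/tcp//imaps///
Host: 203.0.113.12 (legacy.example.com)\tPorts: 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///
Host: 203.0.113.13 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
"""

# Assumed inventory of (ip, port) pairs where MFA is enforced.
MFA_ENFORCED = {
    ("203.0.113.10", 443),   # VPN portal behind MFA
    ("203.0.113.11", 443),   # webmail behind MFA
}

# Assumed services that authenticate nobody (public content) and can be skipped.
NO_AUTH = {("203.0.113.13", 443)}  # static marketing site

# -oG "Host:" line, then port entries of the form
# port/state/protocol/owner/service/rpc info/version/
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_greppable(text):
    """Yield (ip, hostname, port, state, proto, service) for every port entry."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        for port, state, proto, _owner, svc, _rpc, _ver in PORT_RE.findall(ports):
            yield ip, name, int(port), state, proto, svc


def find_unprotected(scan_text, mfa_enforced, no_auth=frozenset()):
    """Return open, auth-bearing TCP services that are not in the MFA-enforced set."""
    gaps = []
    for ip, name, port, state, proto, svc in parse_greppable(scan_text):
        if proto != "tcp" or state != "open" or port not in AUTH_PORTS:
            continue  # filtered/closed ports and non-auth services are not brute-force targets
        if (ip, port) in mfa_enforced or (ip, port) in no_auth:
            continue
        gaps.append((ip, name, port, svc))
    return gaps


if __name__ == "__main__":
    for ip, name, port, svc in find_unprotected(SCAN_OUTPUT, MFA_ENFORCED, NO_AUTH):
        print(f"REVIEW {name} ({ip}) {port}/{svc}: password-only login?")
```

With the constructed input the script flags SMTP and IMAPS on the mail host and RDP on the legacy host, while the filtered SMB port, the public web site and the two MFA-protected portals are left alone. It is a triage aid only: whether a flagged service really accepts a password by itself must be confirmed against the service, and anything that sits behind an identity-aware proxy or gateway belongs in the MFA-enforced set so it stops showing up.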

Backup checkup

In the New Year, review your backup solution to confirm that it is still appropriate for the systems you have deployed to support the business. This is particularly important if you have deployed new systems or are increasing your cloud footprint (even in a hybrid model), because cloud services are often adopted without anyone asking who backs them up.

It's useful to review the critical systems and business processes within your organization and for each, identify these four primary variables: 

  1. Recovery Point Objective (RPO). The maximum acceptable age of the data you restore, measured backward from the moment of disruption; it dictates the minimum backup frequency. For example, an RPO of one hour requires a backup at least once per hour, and the most you can lose is the last hour of changes.
  2. Recovery Time Objective (RTO). The maximum acceptable time between the disruption and the system being fully restored and back in service. It is a duration, not a calendar point, and it has to be validated with an actual restore test rather than assumed.
  3. Interruption Window. The maximum time allowed for restoration of critical systems or services before business goals are negatively affected.
  4. Maximum Tolerable Period of Disruption (MTPOD). The maximum amount of time that critical systems or services can be unavailable after a disruption before the impact is deemed unacceptable. The RTO for a system must be shorter than its MTPOD; if it is not, the objectives are inconsistent and the plan cannot succeed on paper, let alone in practice.

As backup systems age, you may find that they can no longer meet the needs of newer systems. Review each critical system on a regular basis and confirm that the backup frequency, the measured restore time and the retention you actually have still satisfy the objectives you set for it.
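As an added example (not part of the article), the following Python checks a backup-completion log and the most recent restore-test results against per-system RPO, RTO and MTPOD values. The systems, objectives, timestamps and restore durations are constructed assumptions chosen so that each kind of shortfall appears: a failed backup that widens the gap past the RPO, a restore test that overran the RTO, an RTO longer than the MTPOD, and a cloud service with no backup history at all.

```python
"""Check backup and restore-test history against RPO, RTO and MTPOD.

Added example, not from the article. Objectives, log entries and
restore-test results are constructed for illustration.
"""
from datetime import datetime

# Assumed objectives per critical system (all durations in minutes).
OBJECTIVES = {
    "erp-db":    {"rpo": 60,   "rto": 240, "mtpod": 480},
    "fileshare": {"rpo": 1440, "rto": 480, "mtpod": 2880},
    "crm-saas":  {"rpo": 240,  "rto": 600, "mtpod": 480},  # RTO longer than MTPOD
}

# Constructed backup-completion log: (system, completion time, status).
BACKUP_LOG = [
    ("erp-db", "2018-01-02T00:05", "ok"),
    ("erp-db", "2018-01-02T01:05", "ok"),
    ("erp-db", "2018-01-02T02:05", "failed"),   # failure widens the gap to two hours
    ("erp-db", "2018-01-02T03:05", "ok"),
    ("fileshare", "2018-01-01T23:30", "ok"),
    ("fileshare", "2018-01-02T23:45", "ok"),     # 24h15m between successes
    # crm-saas has no entries: a newly adopted cloud service nobody backs up
]

# Constructed results of the last restore test per system (minutes to restore).
RESTORE_TESTS = {"erp-db": 300, "fileshare": 90}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def worst_backup_gap(log, system):
    """Largest interval in minutes between successful backups; None if fewer than two."""
    times = sorted(parse(ts) for s, ts, status in log if s == system and status == "ok")
    if len(times) < 2:
        return None
    return max((b - a).total_seconds() / 60 for a, b in zip(times, times[1:]))


def assess(objectives, log, restore_tests):
    """Return {system: [findings]}; an empty list means every objective checks out."""
    report = {}
    for system, obj in objectives.items():
        findings = []
        # Internal consistency: recovery cannot be allowed to take longer than the business tolerates.
        if obj["rto"] > obj["mtpod"]:
            findings.append(f"RTO {obj['rto']}m exceeds MTPOD {obj['mtpod']}m: objectives are inconsistent")
        # RPO: only successful backups count, so a failed run shows up as a wider gap.
        gap = worst_backup_gap(log, system)
        if gap is None:
            findings.append("no backup history: RPO cannot be met")
        elif gap > obj["rpo"]:
            findings.append(f"worst backup gap {gap:.0f}m exceeds RPO {obj['rpo']}m")
        # RTO: an untested restore is an unverified RTO, not a met one.
        measured = restore_tests.get(system)
        if measured is None:
            findings.append("no restore test on record: RTO unverified")
        elif measured > obj["rto"]:
            findings.append(f"last restore took {measured}m, over RTO {obj['rto']}m")
        report[system] = findings
    return report


if __name__ == "__main__":
    for system, findings in assess(OBJECTIVES, BACKUP_LOG, RESTORE_TESTS).items():
        print(system, "OK" if not findings else "; ".join(findings))
```

Two design points carry over to a real review: only successful backups count toward the RPO, so a single failed job is reported as a widened gap rather than silently ignored, and a system with no restore test on record is reported as unverified rather than assumed to meet its RTO.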

Data privacy rules 

After a year of truly spectacular breaches (including Equifax, the Paradise Papers and SEC EDGAR), 2018 will bring a healthy measure of regulatory remedy. The General Data Protection Regulation (GDPR) applies from 25 May 2018 to any organization, wherever it is based, that processes the personal data of people in the EU, whether they are employees or customers. That still includes the United Kingdom (Brexit notwithstanding).

Alongside this substantial body of regulation, several state attorneys general are reviewing their own states' privacy legislation, following the lead of New York State. It is critical that every CISO keep abreast of upcoming privacy legislation worldwide: even if your company has no facilities within an affected jurisdiction, it is quite possible that your company's clients live there, and the legislation may well apply to your company as a result.

Framework of preparedness and incident response planning

This is a good time to review your framework of threat preparedness and your incident response capabilities. Review your incident response playbook for each of the following potential information security events (what I call the Dirty Baker's Dozen):

  1. Malware compromise
    1. Ransomware attack
  2. Social engineering
    1. Business email compromise
  3. Third-party breach
  4. Infrastructure outage (internal)
  5. Local access without authorization (non-malware)
  6. Remote access without authorization
  7. Lost/stolen devices
  8. Inappropriate behavior (internal)
  9. Cloud service access without authorization
  10. Data loss/extrusion 
  11. Direct financial loss 
  12. Denial of service (external)
  13. Physical breach

Running a tabletop exercise on a subset of the scenarios above, combined with a frank review of your team's capabilities, will help you prepare for the upcoming year. You might also discover a gap you didn't realize you had, which lets you budget for it in the New Year rather than discover it mid-incident.

Take a deep breath and embrace the New Year. Infosec challenges aren't going away; we can expect more of the same: data breaches and high-profile vulnerabilities. Don't be seduced by blinking lights and flashy marketing: go back to the first principles that will ensure healthy security resolve!

This article is published as part of the IDG Contributor Network. Want to Join?
