



7 steps to proactive security

Oct 21, 2016 | 5 mins
Internet Security, Network Security, Security

The key to securing against this threat lies in a common metaphor—if a ship has a hole, it is better to patch the breach than bail the water


Data breaches are becoming an expensive problem for more and more companies. According to the most recent Ponemon Institute Data Breach report, insecure data cost companies an average of $221 per compromised record in 2016, an increase of 7 percent from the previous year and an all-time high.


The key to securing against this threat lies in a common metaphor—if a ship has a hole, it is better to patch the breach than bail the water. Effective cybersecurity means being proactive, getting ahead of the problem and addressing the issue at its core rather than operating in a reactive fashion, constantly fixing the symptoms.

With this in mind, it is crucial for security professionals to understand the seven components of “offensive security.” Doing so will give one the ability to get ahead of threats, keep networks running and allow employees to continue being productive. This easily understood framework also gives an outline of how to handle corporate politics, budget issues, resource issues and time constraints.

7 steps to offensive security

1. Get executive support

Establishing comprehensive security against data breaches requires management’s full support, so it is necessary to get executives to understand the scale of the threat and the potential consequences of inaction.

The first step to gaining this support is to schedule a meeting with key executives, including the CEO, CFO, CIO and potentially members of the board. Executives are most interested in raw numbers, so when making the case, it is imperative to explain the potential costs involved and why the organization is at risk.

It is also important to establish that security is an ongoing process. It is not just “fixed” once and for all. With that in mind, lay out a documentation process and schedule follow-up meetings to discuss progress and continued efforts.

2. Deploy continuous backups and test them regularly

Crucial to securing against data breaches is the use of continuous data protection (CDP), also called continuous backup or real-time backup. In this model, a copy of computer data is automatically saved on every change, capturing every version.

To set this up, cybersecurity professionals should conduct an inventory of all network-attached assets throughout the organization, noting the operating system in particular. Armed with this information, a search can then be conducted to find a CDP product that runs on the operating systems that hold valuable data. Before it is implemented, this backup system should be tested to confirm that it can restore data properly. Once this is confirmed, it can be deployed throughout the organization.

3. Set up corporate-wide encryption

Encryption is one of the most powerful ways to keep data safe from prying eyes, protecting both networks and physical hardware that is regularly carried by traveling employees.

Conduct an inventory of all network-attached assets and find an encryption solution that will secure them. This most likely will necessitate the use of multiple solutions from a number of different sources and vendors. When testing, make sure the solution has the ability to recover keys or reset passwords without losing access to data.

4. Create a “living” corporate security document

The best way to coordinate various security efforts is to put together a policy in a “living” document. This document can be said to be “living” in that it is never final, is always being updated, and evolves and changes over time. Some of the issues covered in this document might include password management, network access control, encryption and enforcement procedures.

To create this document, it is necessary to review various corporate security models and explain how important this documentation is to both executives and employees. Once this has been established, make sure the document is updated regularly.

5. Train employees on best practices

With a corporate security document in place, it is crucial that employees from the reception desk to the C-suite understand its significance and are familiar with the guiding policies. This is particularly important in the area of Bring Your Own Device (BYOD) and in keeping antivirus protections up to date.

Further, employees should understand the risks inherent in sending and receiving unencrypted emails, clicking on email links and opening attachments. All of these activities leave organizations at risk for social engineering hacks. Schedule regular training to ensure employees are aware of current threats and risky behavior.

6. The BYOD dilemma

Perhaps nothing presents a bigger threat to organizational security than the proliferation of personal electronic devices and their increasing presence in corporate offices. Unfortunately, these devices often don’t follow strict security guidelines and may provide hackers with a path to sensitive data.

With this in mind, security professionals should create a “living” BYOD policy and make sure everyone understands and agrees to follow its dictates. It is also necessary to train employees about the potential security holes inherent in free apps on their personal electronic devices.

7. Deploy breach prevention

The bad news is that having a firewall and antivirus programs in place is only 5 percent of the battle. The other 95 percent can be covered with breach prevention tactics such as internal intrusion prevention devices, anti-malware gateways, anti-phishing email systems and others. The best breach prevention system will document and mitigate risk, especially serious vulnerabilities. It will also provide network access control and quarantine high-risk, rogue and infected devices.

Many thanks to my partner Gary Miliefsky, CEO of SnoopWall, for providing information shared in this blog.

For more details, see our white paper, 7 secrets to offensive security.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girls’ mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.
