The following strategies are significant shifts you can use to improve your data security. They'll take time and resources to implement.
However, they all contribute to significantly better cybersecurity in the end.
Make these improvements now and you'll avoid many attacks and minimize the impact of attacks that come your way.
Strategy One: Reduce Your Organization’s Attack Surface
In data security, your cost and ability to defend yourself scale depending on your attack surface.
How can you reduce the attack surface from a cybersecurity perspective?
Here are two methods that many organizations use.
1. Reduce privileged user access: Every user that has privileged access is another "gate" to defend. Review your list of privileged users and look for ways to reduce access privileges.
2. Implement container technology: Instead of setting up multiple operating systems with the accompanying administrative burden to keep them updated and secure, containers let you use fewer operating systems.
That means you'll have more time and capacity to defend your most valuable assets: access credentials, customer payment data and more. What does this have to do with attack surface?
When you use containers, you reduce the amount of territory you need to defend. Instead of defending 10 gates, you might only need to defend five gates.
Strategy Two: Cut Down Your Organization’s Technical Black Boxes With Increased Transparency
Awareness and transparency are critical to adequate data security.
Unfortunately, many modern systems are hard to understand. Let’s return to the operating system example. As a manager, how do you know if your staff is correctly configuring the organization’s operating systems?
If you have hundreds or thousands of operating systems in production, manually inspecting and testing all of them isn't realistic.
How To Eliminate Technical Black Boxes
1. Examine critical outsourcing arrangements: Outsourcing to a third party is a good way to save money and leverage outside expertise. When you outsource technology, you may be taking on a vendor’s cybersecurity weaknesses.
To better understand your risk exposure, we recommend creating a list of critical outsourcing providers and assessing them annually.
Poor security at a third party was a contributing factor to Target’s hacking incident in 2013. Don’t let that happen to your organization.
2. Reduce "black boxes" in your operating systems: Use containers to improve operating system transparency. In the past, the approach to configuring and deploying operating systems was difficult to inspect.
By using a Docker container, it's easy to tell what's running inside each container.
On a practical level, your staff will be able to quickly assess your systems and make changes if they find new data security problems.
Speaking of becoming nimble in data security, there’s another way you can improve your data security agility using containers.
Strategy Three: Optimize Your Access Credentials And Management
How many passwords and user accounts do you manage?
Recently, a finance manager at a bank walked us through his situation. He and his team had more than two dozen separate user IDs to manage.
Each quarter, the manager had to sit with the team and verify that the access credentials were still needed.
Now, multiply that activity across a thousand managers. It's a major burden.
There are a few ways to address this issue:
1. Adopt a single sign-on solution: Rather than ask employees to memorize a dozen passwords, a single sign-on approach makes life more straightforward because you have just one to keep in mind.
2. Use multifactor authentication (MFA): Companies such as Amazon, Facebook and banks use MFA to improve security. With this process, you use two methods to authenticate yourself.
Before long, I expect MFA to become a "business as usual" cybersecurity practice.
3. Use containers: By using containers, each employee will have fewer systems to manage.
That means a reduced burden for managers to oversee. Of course, you still have to track and monitor the entire identity and access management process.
Strategy Four: Make Secure Coding Easier To Manage For Your Developers
Responding to hacking incidents is stressful. You might have to answer calls late at night and organize your staff to respond. You might also have to answer tough questions from the media and customers about data loss. How can you avoid this data security nightmare?
Use these methods to support secure coding:
1. Use a security first approach: Encourage your staff to adopt secure coding from day one so that security is baked directly into new features and products rather than being an afterthought.
Most effective developers know the importance of secure coding. For high-risk products, engage a third party to review the application’s security design.
2. Implement containers: Even when you start with security in mind, you'll still have gaps.
For example, developers usually create new features and products in a "test" environment isolated from customers and the public.
Later, your developers release those new features into a separate "production" environment where everybody can use the feature.
Unfortunately, these two environments are sometimes configured differently.
The test environment may have all the latest patches and protection, and the production environment may lag behind. How do you keep the two environments in sync?
Use containers and require that test and production environments use the same operating system configuration. When you have to update the operating system, that update will be pushed to both environments at the same time.
For the best results, use this secure coding strategy in coordination with the other strategies I’ve covered.
What’s Next In Data Security?
Everything old is new again. Social engineering — tricking employees into un-secure practices — remains a major problem.
To address that problem, you must keep up with security fundamentals, including recruiting cybersecurity specialists, providing training to all employees and following security news. As you embrace new ways to improve productivity, such as with like containers, make sure you pause and look for opportunities to improve security at the same time.