I often question the validity of the term Information Security. While it has “information” in the name, I feel we spend more time protecting our technologies and devices than we do figuring out what information is most critical to our businesses, and catering our protections to that data. As information security professionals, we need to focus more on directly defending data.
That was the premise for my presentation at Gartner’s ITxpo Symposium on October 7, 2013, in Orlando, titled, “SPS17: WatchGuard Technologies, Inc.: Cover Your Assets; Protecting Your Company’s Most Important Possession.”
Right now data thieves are doing a good job stealing our sensitive information. Since 2005, more than 600 million records have been breached, and the stakes continue to rise as companies struggle to protect data in the face of increasingly complicated regulatory requirements.
At ITxpo I shared some revelations from WatchGuard’s recent data loss research. For instance, though 64 percent of respondents report having data sharing and usage policies, only 30 percent have Data Loss Prevention solutions in place. And, while the top data loss threats include malicious insiders and criminal hackers, the number one threat is accidental data loss.
To help illustrate this data security problem, I also demonstrated how unskilled attackers could easily leverage SQL injection flaws to siphon off critical information from our backend databases. Using freely available tools like SQLmap, almost anyone can steal email addresses, credentials, and even credit card numbers from badly programmed e-commerce sites.
Of course, the point of the presentation wasn’t to alarm, but to remedy. To that end, I proposed five simple steps CIOs and IT managers can take to protect their organization’s critical data assets. You can read more about those tips below, or, you can watch the session recording by clicking here.
Let’s jump into the five tips:
- Do a Data Inventory – What sensitive data does your organization have? Where do you store this data? Why does the organization need this data? Who needs access to it? How do they use the data? You need to find out in order to protect it.
- Create a Data Policy – Good information security always starts with a well-thought out policy. Even the best security technologies cannot replace good planning.
- Leverage Access Control – You may already have many good tools to help, such as OS authentication, identity access management, firewalls, network ACL and other security controls. But, are you using them? The simple step of segmenting your trusted users from one another based on their roles can help.
- Use Encryption – Encryption can be expensive, but for data at rest and in motion, it is vital for sensitive documents. However, you don’t have to encrypt everything. If you learn where your organization stores its most vital data, you can concentrate on just encrypting that.
- Adopt DLP Technology – Vendors are offering cost-effective and easy-to-use solutions that can help organizations detect and block sensitive data at rest, in use and in motion. Consider Unified Threat Management (UTM) solutions that integrate DLP technology and allow it to be centrally managed through a single console. Gateway-based DLP technologies found on UTM devices can solve a big portion of the problem for a fraction of the cost and complexity of other solutions.
With the proper precautions in place, there’s little real excuse for accidental data loss today. There are strategies you can employ that help you identify your company’s most critical data, techniques you can use to limit access to it, and solutions available that will recognize violations and keep your data safe; thus meeting today’s compliance standards and regulation.
Furthermore, WatchGuard’s unified threat management (UTM) platform can help, providing you with both defense-in-depth and the latest gateway DLP technology that prevents most common data leaks.
Corey Nachreiner, Director of Security Strategy:
Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys “modding” any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.