Data security is always important and never more so than during these uncertain and chaotic times. Huge amounts of information circulate all around cyberspace, said Angee Streeter, information security and privacy officer at Pon North America, in a recent VMA webinar.
Daily statistics for 2020 count almost 300 billion emails sent, more than 500 million tweets posted and more than a trillion sensors taking and reporting measurements, Streeter said.
These transactions, plus all the other internet activity, provide a staggering amount of data. Savvy companies make use of the data by mining it. “The goal is to turn data into information and [turn] information into insight,” said Carly Fiorina, former CEO of Hewlett-Packard Company, quoted by Streeter.
WHAT IS DATA MINING?
“Data mining is the process of analyzing hidden patterns of data according to different perspectives for categorization into useful information. . . Data mining is also known as data discovery and knowledge discovery,” according to the Techopedia website.
Streeter described the process, “Take data, process it, analyze it, and determine what patterns you can use.” She offered some examples of applications for data mining:
- Using eye-tracking to evaluate children’s problems with reading
- Optimizing logistics for delivering goods to consumers
- Helping the military locate improvised explosive devices from available data
As computing power becomes more widely available, data mining and related techniques have spread rapidly, especially in the last five to seven years, Streeter said. As data becomes more useful, protecting it becomes more important.
Contrary to a common belief, most data breaches result from external attacks. Verizon's 2020 Data Breach Investigations Report found that 70% of breaches were perpetrated by outside actors, commonly thought of as hackers. Internal actors, through mistakes or intentional misconduct, were involved in roughly the other 30%.
Many breaches begin with an employee falling for a phishing email. In a typical business email compromise, for example, an employee receives a message that appears to come from the company's chief financial officer, asking that a large amount of money be wire transferred to an offshore "supplier." The sending address is spoofed or the executive's mailbox has itself been compromised, and the money is gone before anyone checks with the real CFO.
BEST PRACTICES FOR CYBER SECURITY
Various organizations and agencies publish guidelines and standards for building cybersecurity programs. Streeter discussed three of them. The goal of each is the same, the safety of data and systems, and many of the guidelines overlap.
The Center for Internet Security (CIS) is a community-driven nonprofit that maintains the CIS Controls, a prioritized set of best practices for securing IT systems and data. The controls start with inventory and control of hardware assets and of software assets, on the reasoning that you cannot protect what you do not know you have.
The National Institute of Standards and Technology (NIST) has established the Cybersecurity Framework. Government contractors need to follow this approach, Streeter said, and other companies can also use it. The Cybersecurity Framework consists of five functions:
- Identify the important data and the systems that hold it. Risk depends on factors such as what the data is, how it is accessed and where it is stored.
- Protect by designing safeguards for vital data. For example, network segmentation can keep an intruder from moving beyond the segment where the entry occurred, Streeter said, so a ransomware attack takes over only part of the network. Use VPNs for remote access so that traffic between your device and the company network is encrypted and cannot be read in transit (a VPN protects the packets only as far as the VPN endpoint, not beyond it). Protect email with Domain-based Message Authentication, Reporting & Conformance (DMARC), which lets a domain owner publish a policy telling receiving mail servers to quarantine or reject messages that claim to come from the domain but fail SPF or DKIM authentication, and to report back what they saw; that is what stops a forged "CFO" message from reaching the inbox.
- Detect incidents in a timely fashion. Access logging helps reconstruct what happened: who accessed or changed data, how the data was changed, and how the access occurred.
- Respond to the incident or breach according to plan, take steps to remediate the situation and train staff going forward. Ask, "How are we prepared to respond to an occurrence?" In the response plan it is particularly important that people know the roles they need to take, Streeter said. Some plans name individuals but are not updated when those people change position or leave the company, so it makes sense to specify the position, not the person, responsible for a given task or decision.
- Recover. Do you have a recovery plan to manage the damage resulting from an incident? Recovery plans apply to, and get tested by, non-cyber disruptions as well as data breaches. A test can happen unplanned when something like the current pandemic or a weather event such as a hurricane occurs. These events offer opportunities to see how well a recovery plan works, Streeter said. "Use these experiences to edit the plan," she suggested.
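To make the DMARC point in the Protect function concrete, the following Python is an added example of the decision a receiving mail server makes; it is not code from the webinar or from any DMARC implementation. It assumes a constructed DMARC record and constructed SPF/DKIM results rather than real DNS lookups, interprets only the core tags (v, p, sp, adkim, aspf), and approximates the organizational domain by the last two labels instead of consulting the Public Suffix List.

```python
"""DMARC evaluation as a receiving mail server performs it.

Added example; it is not code from the webinar or from any DMARC library.
Assumptions: the DMARC record text and the SPF/DKIM results are constructed
sample data (no DNS lookups are made), only the core tags v, p, sp, adkim
and aspf are interpreted, and the organizational domain is approximated by
the last two labels rather than the Public Suffix List.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Alignment check: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    """What SPF and DKIM reported for one inbound message (constructed data)."""
    from_domain: str   # domain in the visible From: header
    spf_pass: bool
    spf_domain: str    # MAIL FROM domain that SPF checked
    dkim_pass: bool
    dkim_domain: str   # d= of the signature that verified


def evaluate(record: str, r: AuthResult) -> str:
    """Return 'pass' or the disposition the domain owner requested."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains fall under sp= when present, otherwise under p=.
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # A spoofed "CFO" message: the From: says example.com, but the sending
    # server only passes SPF for the attacker's own domain and has no DKIM.
    spoof = AuthResult("example.com", True, "attacker.invalid", False, "")
    print("spoofed CFO mail ->", evaluate(record, spoof))      # reject
    legit = AuthResult("example.com", True, "example.com", True, "example.com")
    print("legitimate mail ->", evaluate(record, legit))       # pass
```

Two things the example makes visible that the paragraph does not: alignment matters as much as authentication (an attacker can pass SPF for a domain they own, so the check is whether the authenticated domain matches the visible From domain), and the policy is the domain owner's request to receivers, so publishing p=none gives reports but blocks nothing; moving to quarantine and then reject is what actually stops the forged message.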
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. OWASP offers principles for writing secure code, including building security into the design of an application rather than trying to patch it in afterward. Another principle is to keep user responsibilities and privileges separate and compartmentalized (separation of duties and least privilege) so that a single compromised account or component can do only limited damage.
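As an added illustration of that separation-of-duties principle, applied to the wire-transfer scenario described earlier, the following Python enforces that the person who requests a payment can never approve it and that large payments need two distinct approvers. It is hypothetical application code written for this article, not code from OWASP or the webinar; the roles, the in-memory model and the 50,000 dual-control threshold are all assumptions.

```python
"""Separation of duties for a wire-transfer approval flow.

Added example of the OWASP principle above; it is hypothetical application
code, not code from OWASP or the webinar. Assumptions: a small in-memory
model of users and transfers, a 'requester' role that may create transfers,
an 'approver' role that may approve them, and an assumed policy threshold
above which two distinct approvers are required.
"""
from dataclasses import dataclass, field

DUAL_CONTROL_LIMIT = 50_000  # assumed threshold for requiring two approvers


class AuthorizationError(Exception):
    """Raised when a user attempts an action their role or position forbids."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Transfer:
    amount: int
    beneficiary: str
    requested_by: str
    approvals: list = field(default_factory=list)


def request_transfer(user: User, amount: int, beneficiary: str) -> Transfer:
    """Only the requester role may create a transfer; it starts unapproved."""
    if "requester" not in user.roles:
        raise AuthorizationError(f"{user.name} may not request transfers")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return Transfer(amount, beneficiary, requested_by=user.name)


def required_approvals(t: Transfer) -> int:
    """Dual control: large transfers need two different approvers."""
    return 2 if t.amount > DUAL_CONTROL_LIMIT else 1


def approve(user: User, t: Transfer) -> Transfer:
    """Record an approval, enforcing that approvers are distinct from the
    requester and from each other. Holding both roles is not enough: the
    same person can never be on both sides of one transfer."""
    if "approver" not in user.roles:
        raise AuthorizationError(f"{user.name} lacks the approver role")
    if user.name == t.requested_by:
        raise AuthorizationError("a requester cannot approve their own transfer")
    if user.name in t.approvals:
        raise AuthorizationError("the same approver cannot approve twice")
    t.approvals.append(user.name)
    return t


def is_releasable(t: Transfer) -> bool:
    """True once the transfer has collected enough distinct approvals."""
    return len(t.approvals) >= required_approvals(t)


if __name__ == "__main__":
    cfo = User("cfo", frozenset({"requester", "approver"}))
    controller = User("controller", frozenset({"approver"}))
    treasurer = User("treasurer", frozenset({"approver"}))
    # Even if the CFO's mailbox or account is taken over, the attacker cannot
    # move money alone: the request still needs two other people.
    t = request_transfer(cfo, 120_000, "Offshore Supplier Ltd")
    try:
        approve(cfo, t)
    except AuthorizationError as e:
        print("blocked:", e)
    approve(controller, t)
    print("releasable after one approval?", is_releasable(t))   # False
    approve(treasurer, t)
    print("releasable after two approvals?", is_releasable(t))  # True
```

The check lives on the server side and keys on the authenticated identity, not on anything the client submits, and each approval is a record that can be logged. That is what turns the phishing email into a nuisance rather than a loss: a convincing message can get one person to start a transfer, but it cannot supply the second and third people the workflow demands.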
AN ADDITIONAL WAY TO FIND CYBER VULNERABILITIES
Streeter also described responsible disclosure. Under this approach, the company publishes on its website an invitation for outside researchers, bug bounty hunters, essentially, to report the vulnerabilities they find on the site. This can be quite effective in surfacing problems. However, if you decide to do this, she said, be prepared to fix reported vulnerabilities promptly, before someone less friendly exploits the same ones.
HOPE FOR THE BEST, PREPARE FOR THE WORST
Prepare for when problems occur, not if they will occur, Streeter said. “Don’t think it will never happen.”
In addition to the hardware and software guards put in place, Streeter said, implementing a security awareness and training program is of great importance. Employees may not enjoy the process of taking training classes periodically, but this education in how to avoid pitfalls is a critical part of an overall cybersecurity strategy. To keep it relevant, Streeter suggests training should include real-life examples, such as samples of actual phishing emails.
Every company needs to come up with its own unique cybersecurity strategy; one size does not fit all. The different approaches to securing your data have the same goal: protection from data breaches. “Everyone is exposed on the internet,” Streeter said. “This we have in common.”