For decades, the hot topic in business security has been the reduction of shrinkage. Today, the threat is less tangible. Security focus has shifted to enterprise data as an increasing number of consumers and businesses exchange vital information on digital platforms. As the Internet of Things (IoT) is accessed on various networks and devices, security risks have also increased for both companies and their valued clientele.
Enterprise data security risks were often realized in 2015, sometimes by big-name corporations like Dow Jones and Anthem Health Insurer, both of which suffered enterprise data attacks. As a result of such visible incidents, many businesses are re-evaluating their data security measures. Seven critical steps should be involved in the revamping of enterprise data security to meet 2016 expectations, predictions, and suspected risk factors.
Classify Access Levels
The concept of "perimeter defense" has defined IT and data security protocols for many years. This made sense when the major threats to enterprise security operated from external attack positions. Today, inside is the new outside. Many threats are first identified when operating as fake internal users.
As Managed Security Service Provider Masergy highlights, 53% of organizations do not have the controls appropriate for preventing an inside attack, even though threats now tend to occur within enterprise data perimeters. One simple measure security experts at IT Business Edge recommend is to classify access levels to data.
Classifying access levels typically involve creating secure digital data storage for different databases and types of information. Employees only have access the databases and information their clearance level allows for. A salesperson, for instance, does not need access to a database containing detailed information about clients. Sales staff may, however, need access to a less sensitive database containing clients' basic account information. Encrypt all databases and only access to those who need it.
Use Multi-Step Authentication Wisely
A classic phrase, “work smarter, not harder,” applies in enterprise security as well. Adding additional authentication steps is important for some corporations, especially when creating classifications for access. In other instances, multi-step authentication can be a hindrance to workflow.
Sales personnel, for instance, may be less efficient if they must enter a password five times and wait for several encrypted pages to load to enter a simple, non-sensitive database. Just as access should be allowed by classification levels, classifications should have proportionate security authentication measures. Multi-step authentication best practices include using only as many security measures as necessary and offering such security to both employees and clients if applicable.
Set, Maintain, and Educate About Security Policies
Given the shift in enterprise data security breaches to internal mechanisms, it is essential for those who work on internal systems as company staff to have an understanding of what enterprise security is all about. According to Security Week, “78 percent of the 703 people surveyed consider negligent or careless employees who do not follow security policies to be the biggest threat to endpoint security.” Effective employee training can counteract the threat employees accidentally impose.
The National Cyber Security Alliance recommends educating employees on the value of cyber and data security. Additionally, employees should be taught about specific policies regarding the use of data and digital devices for work purposes. Policies should be both enforced and restated often in reminders to keep enterprise security at the forefront of the everyday digital decisions made by end users.
Consider Extensive Device Diversity a Vulnerability
Employees in successful companies often make use of a diverse array of devices to perform job duties. Everything from point of sale devices to smartphones to laptops is both brought to the workplace by employees and distributed by the employer. Many professionals expect to be able to use their personal devices on company networks, sometimes for both personal and business-related reasons.
With so many endpoints accessible, hackers and others who intend to breach enterprise security often have diverse options for opening the virtual door. Even something as simple as requiring company devices to operate using a specific version of Windows can offer enterprise security personnel the ability to better control and mitigate risk factors.
Emphasize Importance of Security Measures to Leaders
Another risk factor enterprise data security personnel must oversee is the new risk that arises with each new product, service, and platform the company utilizes or provides to clients. Since project management personnel rarely communicate with IT security unless a problem arises, it is essential for enterprise security to be emphasized to all leaders within a corporation.
Include a champion of enterprise security in all final approval process and all major meetings. They may have little input to offer at most meetings, but by having enterprise security leaders present, the risk of processes being finalized while posing security threats will be minimized. Ensure CEOS and other major leaders are regularly educated on enterprise security trends and threats to best appropriate funds and policies to keep essential data safe.
Employ Multi-Layer Encryption
A common theme among experts in enterprise data security is encryption at multiple layers. The more encrypted data is, the more work it takes for hackers to breach and obtain the data mine. Recommended layers of encryption include:
- Individual information packets on databases
- Server systems
- Secure network folders
- Vital information that can be emailed or shared via the cloud
Although extensive encryption may seem like overkill or a waste of time, the practice of encrypting enterprise data can deter criminal activity. Encrypting layers of data is something security expert Russell Glass recommends in light of often under-enforced and under-punished regulation violations carried out by companies who fail to protect their enterprise data according to the minimal legislated standards.
Monitor Automatically, But Use a Flagging System
Regardless of the amount or variety of security measures a corporation takes as a part of enterprise data security protocol, breaches are likely to occur. Having an established incident response protocol to appropriately handle threats and risks becoming manifest involves data security monitoring. A variety of automated programs can be implemented to offer monitoring services to aid in the active defense of enterprise data.
Additional support can be found through an established flagging system. Algorithms can be developed to track patterns and thus identify abnormalities in how end users access and utilize enterprise data. Program automation systems to send alerts to appropriate personnel for threats like failed password attempts, log in instances at atypical locations, or requests to access classified information. Assign personnel to address flagged instances to ensure security measures, though automated, are active and effective.