Information security is more important than ever today, especially with the increasing number of cyberattacks and the widening range of targets they aim at. You can no longer consider yourself safe because you think your data isn’t valuable enough for attackers; all data is valuable, and everyone is a target.
In a corporate environment and for government agencies, information security awareness is starting to become a priority. However, the increasing awareness doesn’t mean the right security measures are immediately put in place. In fact, there are several data security measures that often get neglected, even when they are crucial to the safety of your information.
Managing access is just as important as managing data. Access to data needs to be managed meticulously as a way to protect sensitive information. Offering access at different levels (i.e. admin, user, etc.) is no longer enough. Compartmentalisation is the way forward.
Compartmentalisation and advanced access management are actually accessible; at the very least, the tools for performing these tasks and adding access management as a security layer are widely available. Even Amazon’s AWS comes with built-in Identity and Access Management (IAM) as a standard feature.
Compartmentalisation is also something that requires planning. You need to think about access to files and folders based on role and necessity (who actually needs this data to do their job) rather than on levels. This way, you can define access in a more comprehensive way.
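As an added illustration of role- and necessity-based access rather than levels (this is example policy, not from the original article or from AWS documentation): an AWS IAM policy that lets each principal list and read/write only the S3 prefix matching its own `department` tag. The bucket name `example-corp-data` and the tag key `department` are constructed placeholders; the condition key `s3:prefix` and the `${aws:PrincipalTag/...}` policy variable are standard IAM features.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnDepartmentPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-corp-data",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["${aws:PrincipalTag/department}/*"]
        }
      }
    },
    {
      "Sid": "ReadWriteOwnDepartmentPrefix",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-corp-data/${aws:PrincipalTag/department}/*"
    }
  ]
}
```

A principal tagged `department=finance` can only see and touch `finance/*`; a single `s3:*` on `*` grant (the "admin level" approach) would give every holder the whole bucket. The compartment boundary is then enforced by the tag, and moving someone between compartments is a tag change rather than a policy rewrite.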
Ask yourself one question: what do you do with old hard drives or damaged disks? Do you destroy them properly? Are you taking the necessary steps to make sure that sensitive information is not recoverable from those old drives?
Data destruction needs to be a part of the information security workflow. It is an important measure to add, especially in an agile environment where hardware gets substituted frequently. There are proper ways to do data destruction too, including with sufficient audit trails.
If you are not sure about how to properly destroy devices like hard drives and mobile phones, working with an experienced company is highly recommended. Service providers like EOL are much more experienced in handling sensitive information stored on old devices.
There is a big misconception that an antivirus is enough for securing sensitive information. Yes, antivirus software helps prevent viruses and malware from damaging (or even stealing) your data, but it is far from being the only measure to use in this instance.
A firewall is also necessary for preventing information theft and minimising other security risks. A firewall acts as the first layer of defence and separates your intranet from the World Wide Web. A well-implemented firewall also makes it more difficult for attackers to gain access to your system.
A firewall can be added at the outermost endpoint of your corporate network and on the individual machines inside that network. As long as the two firewalls are configured correctly and made to work with each other, you will have added security measures protecting your sensitive information.
Next, we have updates, which are the most neglected information security measure today. Over 40% of cases of information theft and data breach are the result of badly updated systems and infrastructure. When solutions don’t get updated regularly, the security holes and vulnerabilities they carry are more likely to be exploited by attackers.
Regular updates should not be missing from your information security strategy. Operating systems must receive the latest updates, with security patches being the basic requirement. The same is true with apps and systems. Failure to update these components could lead to catastrophic issues.
It doesn’t stop there either. You need to make sure that all attack surfaces are kept up to date. If your corporate website is made using WordPress, for instance, using the latest version of WordPress and keeping the site updated is considered mission-critical.
Attack Surface Management
The last item on this list is attack surface management. Your attack surface represents your information security risk profile. When there are a lot of endpoints exposed to attackers, your attack surface is large. On the other hand, you can say that your attack surface is small when there are only a limited number of entry points for a cyberattack.
Actively managing your attack surface is more of a necessity than an option. You want to take active steps towards minimising ways through which attackers can gain access to your systems as frequently (and continuously) as possible. Assets like your corporate website, the cloud environment you use, and hundreds of users in the system need to be actively maintained and assessed.
That last part is also important. Risk assessment is a part of managing your attack surface. In fact, it is an element that cannot be neglected and needs to be performed regularly. Combined with improving how you handle the other elements reviewed in this article, regular assessment and constant improvement can boost your information security level substantially.