By Julia Sowells, Senior Information Security Specialist at Hacker Combat
Customer data is the lifeblood of any business entity, and businesses are under a growing obligation to secure it as well as they possibly can. In the wake of customer data protection legislation such as GDPR, data loss prevention techniques, policies and rules are set up in an organization to comply with what the law demands. Cyber risk is now a major corporate concern, and IT security budgets have risen along with it. Despite the increased attention, it is not clear whether companies have become more dependent on unnecessary policy in how they manage cybersecurity risks. Historically, most firms have made cybersecurity investment decisions, especially the implementation of data loss mechanisms, by adhering to industry best practices, without necessarily developing a detailed understanding of their overall cyber risk first.
Senior-level management, including the board of directors, needs to be supportive of any change in policy, direction and rules. Define the program in such a way that everyone in the company, from its officers to the rank and file, has a role to play, and so that employees conduct themselves in full accordance with the data loss prevention procedures imposed across the board by the company.
Hiring a CISO (Chief Information Security Officer) plays a large role in the planning and enforcement of the data loss prevention program. The CISO is responsible for pushing for higher budgets for cybersecurity products and services that will help keep the company from losing valuable data, from employees and customers alike. Some senior managers may have concerns about the ability of the cybersecurity team to absorb a larger budget in terms of execution and increased headcount; the only alternative is a clever combination of hardware, software, and a few personnel to enforce data loss prevention using a custom methodology. Internally there may be agreement on supporting a particular cybersecurity project plan, but concerns about execution may end up leaving those efforts unfunded.
Such situations require the intervention of a smart CISO, as that person is responsible for making sure that data loss prevention policies are in place, so that the company does not become the next victim of a cyber attack, virus infection or phishing expedition that could make it lose customer data or expose that data to unauthorized people.
The only solution is to define boundaries and lock down access to a particular system to only a few people. This can be done through effective use of encryption, access control and hardware policies. Encryption is standard on any device today, including smartphones. iOS devices have encryption turned on by default, while Android device encryption has been available since Android 4.0 Ice Cream Sandwich. On the desktop/laptop, Windows under the "Professional" or "Enterprise" SKU offers the optional BitLocker encryption system.
Access controls are provided using a combination of the NTFS file system and a Domain Controller server, which authenticates users to the system, enabling them to log in and use the computer. Domain controller software may range from a license-based Windows Server to an open-source alternative such as Samba. Hardware policies lock down hardware access by blocking unauthorized devices from being connected to the computer; one such technique is locking down the USB-stor service in Windows. USB-stor is the service through which USB flash drives are used on a computer, and restricting it can be configured by the system administrator using the Group Policy section of Active Directory on a Windows Server or Samba domain controller.
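To verify that the USB-stor lockdown and BitLocker settings described above actually took effect on an endpoint, an administrator can audit the relevant registry values and drive protection status. The script below is an added example, not code from the article or from Hacker Combat; it assumes an elevated PowerShell session on a domain-joined Windows machine where Group Policy has already been applied, and it only reads state, never changes it.

```powershell
# Added example (not from the article): read-only audit of the USB mass storage
# lockdown and BitLocker state on a Windows endpoint. Run in an elevated shell.
function Get-DlpEndpointState {
    # USBSTOR driver service start type: 3 = Manual (default, USB drives work),
    # 4 = Disabled (drives are blocked). Set by the admin or by a GPO preference.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

    # Policy value written by the GPO "All Removable Storage classes: Deny all access"
    # (Computer Configuration > Administrative Templates > System > Removable Storage Access).
    $polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $polKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    # BitLocker status of the OS drive; cmdlet comes with the BitLocker feature on
    # Pro/Enterprise and Server editions, so tolerate its absence on other SKUs.
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UsbStorStartValue  = $start
        UsbStorDisabled    = ($start -eq 4)
        PolicyDenyAll      = ($denyAll -eq 1)
        UsbStorageLocked   = ($start -eq 4) -or ($denyAll -eq 1)
        BitLockerStatus    = if ($bde) { $bde.ProtectionStatus } else { 'NotAvailable' }
        OsDriveEncrypted   = ($bde -and $bde.ProtectionStatus -eq 'On')
    }
}

# Report one row per machine; pipe to Export-Csv when collecting across a fleet.
Get-DlpEndpointState | Format-List
```

A machine where UsbStorageLocked or OsDriveEncrypted is False has drifted from the policy the domain controller was meant to enforce and should be flagged for follow-up.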
The bottom line: a company's security is the obligation of the sum of its parts. An under-educated user causes trouble to show up, regardless of the policies implemented.
Julia Sowells is a technology and security professional. In a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine.