2015 was an exciting year for those of us in the cybersecurity industry. We met with new, increasingly complex threats, but also gained new tools to combat them. The workplace continued to change as more and more employees worked remotely and the adoption of cloud apps, collaboration tools, and Mobile/BYOD continued to grow. As we look forward to the year ahead, we want to share some cybersecurity New Year’s resolutions that can apply to every industry and organization to help significantly increase the protection of your critical information.
- Resolve to better protect both sensitive and critical information. This includes training staff on what qualifies as critical and sensitive information, ranging from planning documents, unpatented technologies, proprietary information and code to employee or customer data and more. Once this information is identified, it’s crucial to review who should have access to this information and enforce policies to make certain it doesn’t make it into the hands of employees without clearance. Our Clearswift Insider Threat Index found that 37 percent of employees have access to information above their pay grade within their organization; by evaluating access to information, this can be dramatically reduced. With proper training, policies and technology in place, your company dramatically lowers the risk of a breach.
- Resolve to enable employees to have the flexibility to safely use more cloud collaboration tools and work remotely with confidence. By using tools such as Adaptive Data Loss Prevention, we can ensure that the information uploaded to and downloaded from cloud tools (such as Box, Dropbox, Google Docs, OneDrive, etc.) does not contain restricted or sensitive information outside of that employee’s purview. The basic access and security features in these programs do protect data to some extent, but they do not prevent your employees from accidentally uploading files with sensitive information or sharing them with the wrong people. In addition to HR policies and training, organizations need a DLP system in place that understands what data is sensitive and confidential, as well as who should or shouldn’t have access to that data. A DLP solution addresses the inadvertent threats that can occur from metadata and hidden information.
- Resolve to empower employees to use social media for business, securely. According to Pew Research, 58 percent of adults use Facebook and many use the site during work hours. This increase in social media adoption increases business risk. Rather than simply shutting down access to these heavily leveraged communication and collaboration tools, as the US Office of Personnel Management (OPM) did in response to a breach, it’s imperative for organizations to ensure that no confidential data or critical information is distributed via these channels, inadvertently or otherwise. HR can create policies around social media as part of acceptable usage and provide training on what information can and can’t be disclosed. Organizations must also utilize technology to enforce policy and prevent any data loss that could occur despite the best efforts of employees. Technology provides the last line of defense, removing hidden metadata and any other critical information which would break policy.
- Resolve to give staff better security training from their first day as an employee. According to our Clearswift Insider Threat Index, 72 percent of IT professionals say that employers need to educate employees on how to safeguard critical/sensitive information. By allowing HR and IT to work together to educate employees, organizations can help reduce threats and mitigate risk. Remember, this isn’t just about day one: there needs to be an ongoing program of education and awareness for all employees to keep them up to speed with new threats and how they can be mitigated.
- Resolve NOT to let security slow employees down. Older Data Loss Prevention (DLP) technologies use only “stop and block” methods to contain sensitive information, holding emails hostage in quarantine, hindering business and often causing enough trouble that companies disable the system meant to protect them. New Adaptive DLP technologies, such as those with Adaptive Redaction, are savvier and can recognize and redact ONLY the critical/sensitive information and allow the rest to continue unhindered. These newer advanced information technologies give organizations the assurance that their information and their employees’ information is protected, without causing excess work or slowing the pace of business.
- Resolve to include cyber-threats in disaster recovery and business continuity (DR/BC) plans. Today a cyber-security incident can have just as much impact as a physical disaster. Planning ensures that the organization is ready and the impact can be minimized. Practicing DR/BC plans can be very useful to spot any gaps in the plan in advance. This can be done by using examples from the media, which helps to create realism.
- Resolve to be more proactive and stay ahead of new threats. The only constant in the cybersecurity world is change. Threats continue to become more sophisticated and continuously adjust their attack methods to bypass traditional security solutions and go undetected. Recent examples have included more complex embedded malware in emails that has gone undetected by major AV scan solutions. Organizations must look to enhance their existing security infrastructures with a much deeper level of inspection and sanitization without having to rip and replace their existing technologies.
Today, it’s possible to pair higher security with an environment that enables business and empowers employees. We feel these resolutions are not just attainable today, but should be on the list of every organization.
What are your New Year’s security resolutions?
- Dr. Guy Bunker, SVP Products, Clearswift