As threats proliferate, here are five areas where companies need to strengthen and update their policies and practices.
It's particularly galling when a company specializing in security issues gets monumentally hacked. That was the case for Stratfor, which suffered a massive data breach just before the holidays that exposed thousands of client names, e-mail addresses and credit card numbers. Adding insult to injury, hacktivist group Anonymous revealed on Twitter that it was able to get at the data because the company hadn't encrypted them, according to the Associated Press. Stratfor's travails serve as a reminder to all companies that they need to get their cyber security policies and practices in order. Here are some issues to consider.
1. Beware of the mobile threat.
Mobile devices have become ubiquitous and more powerful. Companies can no longer just protect employees' laptops, but must be aware of tablets, smartphones, iPods and anything else with a brain and wireless connectivity. Inadequately secured devices, if stolen, can give thieves access to corporate networks, allowing them to steal sensitive data.
Employees downloading new apps may download keystroke-logging software as well, giving hackers access to their credentials—but few people have anti-virus software installed on these devices. "2012 is going to be a significant year for mobile threats enterprise-wide because so many devices are being adopted," says Dave Marcus, director at security firm McAfee Labs. Companies "have to start looking at mobile devices like other devices—'If it's got data on it, it's got my corporate data on it, then I've got to manage and secure it like every other device on my network,'" he adds. If you lose data, it's important that you have the means to recover it.
2. Review privileges.
Do all users really need all the access rights they now have? Keeping privileges to a minimum limits the damage hackers can do if they get into a user's account, as well as the damage employees can do on the way out the door.
Controlling privileges can also help with compliance since "most regulations, including SOX, HIPAA, GLB and PCI, have a clause on the level of access to key IT assets," says Jim Zierick, executive vice president at security vendor BeyondTrust.
But privileges can be hard to manage, especially in big organizations with lots of applications. "Users are proactive about acquiring access they need or want, but rarely ask for access to be taken away even if they no longer need it," says Michael Bennett, chief information officer for the U.S. unit of defense contractor BAE Systems.
One option is to roll out a centralized system to allocate and manage privileges, which allows for quick changes if employees are hired, fired, move internally or temporarily need special access for a project. Another option is hiring managed IT services to run the system.
Companies should move beyond automated provisioning, access control and auditing solutions to add a new security control and abstraction layer that sits between the information and the people who use it, Bennett says. This allows the data to be displayed in a way that the particular user—and device—needs to see it, "while denying access to anything not specifically required by and permitted to the user," he adds. "Apart from the huge security gains, this architecture makes it much simpler to support the many different kinds of access devices that users want to bring to work."
3. Prepare for breaches.
No system is completely hacker-proof. If a security hole—or human error—allows key data to leak out, companies must be ready to deal with it quickly and effectively. And that's going to require more effort than before. A network access control (NAC) system can provide enhanced visibility into the Internet of Things (IoT) devices on corporate networks and, whether devices connect from inside or outside the network, can automatically respond to compromised devices or anomalous activity.
The Securities and Exchange Commission's guidance issued in October reminds public companies that breaches could be considered material events that need to be disclosed, says Richard Bortnick, an attorney at Cozen O'Connor. Private firms may be affected if they are suppliers or partners of a public company.
States are also rolling out or toughening up disclosure laws, including California, Bortnick says.
After a breach disclosure, companies should be prepared for lawsuits, says Bob Parisi, senior vice president at consultancy Marsh. As a result of a recent court ruling, plaintiffs no longer need to show actual harm or imminent threat of harm, but simply increased risk of potential harm, to take their cases to trial, he says.
And lawsuits are now being filed faster, just days or even hours after a breach is disclosed rather than months later, Parisi says. Companies need to respond quickly to a breach, which may involve more than just offering credit monitoring to clients whose information has been compromised, he says, and the remedies offered should be relevant to the data that was lost.
"If you're a hospital losing patient data, offering credit monitoring might not be the most appropriate response," Parisi says. "If what you offer is the wrong remedy or no remedy at all, you're basically waving a red flag in front of the potential plaintiff class."
4. Encrypt, encrypt, encrypt.
In the past, encryption slowed down systems and inconvenienced users, so it was used only to protect data traveling over the Internet. Technology has improved to the point where companies can encrypt data that's stored on mobile devices, moving across internal networks, even stored inside databases, without adding lag or hindering productivity.
The new technology operates on a more basic level, even embedded into the hardware. If a breach occurs, the stolen information can't be used and no disclosure is required.
One organization taking this approach is AGS Capital Group. "The risks and penalties of breach laws are increasing, so we are looking at increased and mandatory encryption on all employee computers and laptops," says Allen Silberstein, CEO and chief investment officer at AGS. "So if the hard drive gets into the wrong hands, the information remains protected."
5. Add new authentication mechanisms.
Most applications require only a user name and password. Companies have been reluctant to ask customers to use a second form of authentication, such as an additional password sent by text message.
As breach notification requirements and costs escalate, companies should take another look at second-factor authentication, says David Miller, chief security officer at Covisint.
In the past, the second form was often key-chain fobs that generated one-time passwords—and employees who misplaced their keys would be locked out of the system. But the solution now could be a cell phone.
"A mobile device can run a one-time password-generating app to supply a PIN for network access, hold a digital certificate that uniquely identifies the device or can receive an automatically generated text message with a one-time password to authenticate each login," says BAE's Bennett. "Using a mobile device that a user already has, as opposed to issuing another physical device for authentication, makes a lot of sense."
For a look at what the Securities and Exchange Commission wants companies to disclose if they've been hacked, see SEC Provides Guidelines for Disclosing Cyber Attacks.