We’re living in a new era when it comes to the protection of personal data. Rapid technological developments, which have seen tremendous shifts, even in the past year alone, mean organisations now need to take a new outlook. This means they must take a comprehensive approach to all privacy.
Even with Notifiable Data Breach (NDB) legislation recently coming into effect, many organisations still fall short on the security fundamentals. And with new regulations, including the General Data Protection Regulation (GDPR), Payment Card Industry (PCI) Data Security Standard, Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001, the cost of failure is higher now than ever.
Regulations and directives are unavoidable and with non-compliance, fines and audits are sure to follow. While regulations often feel like a burden, they can be turned into an opportunity by simply employing basic security measures.
Many of the risks are in the data itself and the processes used to manage it. Here are seven essential parts of a good Data Security strategy to turn this around:
1. Maintain an accurate inventory of software assets
A complete view of installed software can reduce security risks by driving consolidation of the software portfolio. Overall, this lowers the attack surface for software vulnerabilities. Identify and remove freeware and unauthorised software which could pose a security risk. Undertake a full audit to collect comprehensive hardware and software inventory data as well as identify which applications are using personal data and the people that are using those applications. This will enable the organisation to ensure that data that doesn’t comply with the Data Protection standards in use is reviewed.
2. Know what Open Source Software (OSS) is used in internally developed apps
Typically, organisations know less than 10 per cent of the software that’s actually used. Software engineers use open source components to expedite their work but often don’t understand the software vulnerability risks they may contain. Take control of and manage use of OSS and third-party components by using automation to create a formal OSS inventory and policy that balances business benefits and risk management.
3. Be vigilant about tracking and responding to alerts
Keep on top of known software vulnerabilities and their criticality. Ensure there’s a list of software installed that needs to be monitored for vulnerabilities. Then understand the OSS components that have been used in internally developed apps, so that alerts to vulnerabilities can be acted on.
4. Run vulnerability assessment against all systems frequently
Identify vulnerable, unpatched software on desktops, laptops and servers. This will cut through the noise to focus the research and alerts on the software assets identified in the organisation’s inventory. This will help you detect and assess the security state of applications to react faster.
5. Remove local administrator rights from employee devices
Removing local administrator rights will limit the organisation’s exposure to risk as the use of administrative rights is a primary means for hackers to spread malware inside an enterprise. If an employee has local administrator rights on their device, they can be tricked into opening malicious email attachments or downloading apps from malicious websites. If a victim user’s account has administrative rights, the attacker can take over the device completely, install software and search for sensitive personal data.
6. Enforce corporate policies using an enterprise app store
Prevent users from downloading apps from unknown sources, where possible. To do this, deploy authorised software and enforce corporate policies using an enterprise app store. An enterprise app store can ensure that governance is in place to install only authorized applications. An app store can also check software license availability and obtain proper approvals. In addition to installing new applications, an app store can be used to remove unlicensed and black-listed applications from employee devices.
7. Uninstall software that is end of life (EOL), before the vendor stops support
When software reaches its ‘End of Life’ (EOL), vendors stop patching security holes. Detect software that is EOL and upgrade to a supported version or remove it entirely from the device. Because EOL programmes are no longer maintained and supported by the vendor, there are no security updates, and are insecure.
By following the fundamental best practices, organisations can put themselves in the best position to tackle data privacy and improve security compliance. With the implications for mismanagement of vulnerabilities increasing, thanks to new legislation and enforcements, proactive management is the key to taking the front foot and tackling issues before they become major problems.