It's not difficult to convince business leaders that a data breach can cause tremendous pain. Lost proprietary knowledge, reputational damage and remediation expenses can add up to disastrous, if not catastrophic, fallout.
Ponemon Institute's 2021 "Cost of a Data Breach" report, sponsored by IBM, estimated a single breach costs $4.24 million on average. From a business continuity standpoint, however, the true impact is often far higher.
In short, the risks associated with a data breach are nearly incalculable. Not every organization can survive the financial, legal and reputational ramifications of a significant breach.
Business and IT leaders are, therefore, seeking ways to stop these attacks from occurring in the first place.
Building a data breach prevention strategy
Because data breaches occur for many reasons, it is critical to use multiple technologies and processes to mitigate them. Below are 10 key best practices for preventing data breaches.
Editor's note: While incident response policies, tools and practices should also be part of an enterprise's overall security posture, the following tips focus on data breach prevention.
1. Inventory all data sets and identify locations of sensitive information
To protect its data, a business must first understand what and where it is -- necessitating a thorough inventory of all data sets and sensitive information locations. This inventory should be subject to regular updates and reviews to keep pace with the addition, removal and movement of data.
2. Strictly limit privileged access
Even when done with the best intentions, granting privileged access to employees and contractors can get out of hand in a hurry and put data at unnecessary risk. Establish and enforce policies surrounding elevated levels of access, with regular oversight. Privileged access management tools can help facilitate and enforce these policies.
3. Patch infrastructure
The patching of networks and systems should be a top priority for any IT security team. The number of newly discovered zero-day exploits continues to rise, and attackers commonly take advantage of unpatched software to gain access to critical data.
4. Secure the network perimeter
Traditionally, the first line of defense against external threats is network perimeter security. This includes the use of firewalls, intrusion prevention and intrusion detection systems, access control lists and other tools designed to allow unfettered business data flows internally, while helping identify and stop known threat attempts coming from outside the organization.
5. Secure endpoints
The implementation of endpoint security controls, such as malware detection software, has never been more important. Users and workloads have become highly distributed and often fall outside the protection of traditional perimeter security tools. With proper implementation and management, endpoint security can deliver exceptional safeguarding against common internet-based threats, such as web-based malware.
6. Limit lateral movement
If nefarious actors can successfully penetrate an organization's perimeter security, their next logical step in the intrusion process is to figure out what other systems they can access and potentially infiltrate. Thwart their efforts, and limit unsanctioned lateral movement with microsegmentation, which creates isolated network zones.
7. Encrypt data at rest and in transit
No matter where sensitive data is at any given moment, it should be encrypted to prevent anyone capable of accessing the data from reading it. Not only does this include encrypting data where it resides, but also when it is moving from one point to another within a corporate network.
8. Implement proper password policies
Modern password policies should be an absolute requirement for all applications and services running on an enterprise network. Examples of password requirements and restrictions are the following:
- minimum password lengths;
- mandatory use of uppercase letters, lowercase letters, numerical digits and special characters;
- maximum number of password attempts before an automatic lockout occurs;
- mandatory password changes every 60 to 90 days; and
- multifactor authentication.
9. Monitor infrastructure using advanced security tools
Advanced network monitoring and threat detection tools help detect and block intrusions and prevent data breaches from occurring or spreading. Behavior-based tools that use AI, such as network detection and response platforms, detect user, network and data flow anomalies that might indicate a breach is underway. These tools alert the appropriate IT security staff, who can then conduct further investigation and mitigation.
10. Conduct cybersecurity training for employees, contractors and partners
No cybersecurity strategy is complete without ample security awareness training for all who access and interact with sensitive corporate data. It should come as no surprise that intentional and unintentional mistakes of staff, contractors and partners represent the biggest threat to data security and the most significant challenge in data breach prevention. Proper training that covers data usage guidelines, password policies and common threats, such as social engineering and phishing scams, should happen regularly.
It's important to note that, while data breach prevention should be a top concern, organizations must balance it against other, sometimes competing, priorities. Each enterprise must, therefore, find the right, tailored mixture of cybersecurity policies and tools to align with its organizational risk appetite, minimizing the likelihood of a security incident, while maximizing business productivity -- only then will the organization have a data breach prevention strategy that delivers proper levels of protection, speed and agility.