30 Best Practices for Preventing a Data Breach
Data breaches continue to plague businesses across all industries. According to a December 2020 Security Magazine article, 36 billion records were exposed in 2020’s first three fiscal quarters, from 2,935 breaches. In a hyper-connected business world, organizational leaders understand that data breaches are a fact of life. However, these 30 best practices for preventing a data breach can reduce the risk and help you respond to an attack more effectively.
1. Identify sensitive data collected, stored, transmitted, or processed
Before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process. Cybercriminals target non-public personal information (NPI) and personally identifiable information (PII) because they can sell it on the Dark Web. They also target intellectual property, like patent documents or trade secrets.
Although the terms are often used interchangeably, NPI and PII overlap in some categories, and each also covers data types the other does not.
NPI includes:
- Name
- Address
- Income
- Social Security Number
- Driver’s License Number
- Account Numbers
- Payment History
- Loan or Deposit Balances
- Credit or Debit Card Purchases
- Court Records
- Non-Public Consumer Reports
PII includes all of that data plus the following:
- Aliases/Nicknames
- Unique Personal Identifiers
- IP Address
- Email Address
- Account Name
- Non-Public Personal Property Records
- Purchase History
- Biometric Information
- Internet Activity, like Browsing History
- Geolocation
- Audio, Electronic, Visual, Thermal, Olfactory, or Similar Data
- Employment-Related Data
- Education Data Covered Under the Family and Educational Rights and Privacy Act (FERPA)
- Inferences Made by Using Combinations of Anonymized Data from the Above List
In short, much of the information that an organization collects needs to be protected or, at the very least, disaggregated.
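Knowing which categories exist is only useful if you can find them in your own data stores. The following scanner is an added example (not code from the original article or from SecurityScorecard) that locates a few of the identifier types listed above (email addresses, IPv4 addresses, SSN-shaped values, and payment card numbers) in free text. The regular expressions, the Luhn check used to confirm card-number candidates, and the sample text are all constructed for this example; real discovery tooling needs broader patterns and tuning against false positives.

```python
import re
from typing import Dict, List

# Simple patterns for a few of the identifier types listed above. They are
# constructed for this example and will need tuning before use on real data.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # US SSN shape; the lookaheads drop area/group/serial values that are never issued
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits optionally separated by spaces/dashes; confirmed with Luhn below
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text: str) -> Dict[str, List[str]]:
    """Return {category: [values]} for every match found in `text`."""
    found: Dict[str, List[str]] = {}
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            category, value = label, match.group(0)
            if label == "card_candidate":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_valid(digits):
                    continue            # long digit run, but not a card number
                category, value = "payment_card", digits
            found.setdefault(category, []).append(value)
    return found


# Constructed sample: one real-shaped card number and one internal id that only
# looks like a card number (it fails the Luhn check).
SAMPLE_TEXT = """Ticket 4471: customer jane.doe@example.com (IP 203.0.113.42) called
about card 4111 1111 1111 1111; SSN on file 123-45-6789.
Order ref 1234567890123456 is an internal id, not a card."""

if __name__ == "__main__":
    for category, values in find_sensitive_data(SAMPLE_TEXT).items():
        print(f"{category}: {values}")
```

Run over a document corpus, the category counts per location feed directly into the inventory steps that follow: a share that turns out to hold SSNs and card numbers is a very different asset from one that holds only public marketing copy.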
2. Identify areas that store, transmit, collect, or process sensitive data
Security professionals argue that you can’t secure what you don’t know you have. Any data breach prevention strategy needs to include learning where you store, transmit, collect, or process sensitive data. As part of the identification process, you might want to consider using an asset detection technology that can help you locate and catalog:
- On-Premises Servers
- Virtual Machines (VMs)
- Hosts
- Agents
- Workloads
- Instances
- Networks
- Applications
- Social Media
- Files
- Folders
- Logs
- Identity and Access Management Platforms
- Corporate Website Download Forms
As your digital footprint grows, you add additional locations that store, transmit, process, and collect data. To effectively prevent or mitigate the risk of a data breach, you should be continually monitoring your assets.
3. Identify users with access to sensitive data
Although identifying users may seem easy, many companies struggle because “users” can incorporate multiple types of identities. As you build out your data breach prevention practices, you should think about the following “users”:
- Standard Users
- Privileged Users
- Contractors
- Application Programming Interfaces (APIs)
- Robotic Process Automation (RPA/bots)
- Software Update Agents
- SSL/TLS Certificates
- SSH Keys
- Microservices/Containers
Each of these human and machine identities acts as an access point within your ecosystem, making it a potential data breach risk.
4. Identify devices that store, transmit, collect, or process sensitive data
One of the biggest problems organizations face is managing all the different devices that interact with sensitive information. As part of the asset detection process, you should make sure that you’re capturing all devices, including:
- Workstations
- Smartphones
- Laptops
- Tablets
- Telephones
- Printers
- Modems/Gateways
- Switches/Hubs
- Firewall/Security Appliances
- Routers
- Network Adapters
- Network Attached Storage (NAS)
- Internet of Things (IoT) devices
- Security cameras
Each device connects to your network through communication endpoints called ports. Cybercriminals look for exposed, risky ports as a way into your network, so you need to know which ports your devices use in order to secure them.
5. Assess risk
For every identified person, device, and location that stores, transmits, collects, or processes sensitive data, you need to assess the level of risk posed. While this may seem easy at first glance, many organizations struggle because as you add more locations, devices, and users to your ecosystem, you also create new risks.
For example, a standard user who only accesses one on-premise application that contains no sensitive data while in an office might be low risk. Meanwhile, a privileged user with elevated access to a cloud-based database storing PII who connects from home with a personal device is a high risk.
The more identities, devices, and locations that store, collect, transmit, or process sensitive information that your organization uses, the more difficult assessing risk becomes.
6. Analyze risk
Although analyzing and assessing risk might appear to be the same thing at first, they are distinct processes that provide different information.
The risk analysis process means you’re looking at types of risks that exist within your organization. With a risk analysis, you take each risk assessment metric and incorporate a data breach’s potential impact.
Traditionally, organizations use a combination of qualitative and quantitative approaches. A qualitative approach might consider the productivity impact a data breach would have, while a quantitative approach would consider the money a data breach costs.
Often, organizations use a risk assessment equation that looks like this:
Risk = Criticality (probability of a data breach x vulnerability score) x Impact
Ultimately, the more important an asset is to your business operations and stability, the more significant impact a data breach has.
7. Determine risk tolerance
The whole purpose of the risk assessment and analysis process is to help you determine your risk tolerance. Risk tolerance is essentially a cost-benefit analysis that compares how important a technology is to your organization’s business goals when compared to the impact a data breach would have.
When determining risk tolerance, you can take one of four actions:
- Accept: You might accept a risk without transferring or mitigating it when the business impact is low.
- Refuse: Risks might be refused if the potential impact is too great even if you were to transfer or mitigate them.
- Transfer: You can have someone else take on the burden of the risk at a reasonable cost, such as with cyber insurance.
- Mitigate: The risk’s impact can be reduced by putting controls in place to prevent a data breach when the technology is critical to your business goals.
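Sections 5 through 7 describe one workflow: score each asset, then decide what to do with the score. The following risk register is an added example (not code from the original article or from SecurityScorecard) that applies the article's own formula, Risk = Criticality (probability × vulnerability score) × Impact, to a small constructed inventory and maps each result onto the four tolerance decisions. The numeric scales, the thresholds (`tolerance`, `refuse_above`), and the `critical`/`transferable` flags are assumptions chosen for the example; every organization sets its own.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    """One row of the risk register (all values constructed for the example)."""
    name: str
    probability: float    # likelihood of a breach, 0.0-1.0
    vulnerability: float  # vulnerability score, 0-10
    impact: float         # business impact, 1-5
    critical: bool        # is the technology critical to business goals?
    transferable: bool    # can the risk be transferred, e.g. via cyber insurance?

    @property
    def criticality(self) -> float:
        return self.probability * self.vulnerability

    @property
    def risk(self) -> float:
        # Risk = Criticality (probability x vulnerability score) x Impact
        return self.criticality * self.impact


def recommend_action(asset: Asset, tolerance: float, refuse_above: float) -> str:
    """Map a risk score onto accept / refuse / transfer / mitigate (thresholds are assumptions)."""
    if asset.risk <= tolerance:
        return "accept"        # low business impact: accept without transferring or mitigating
    if asset.risk > refuse_above:
        return "refuse"        # too severe even if transferred or mitigated
    if asset.critical:
        return "mitigate"      # the technology must stay, so add controls
    if asset.transferable:
        return "transfer"      # someone else carries the burden at a reasonable cost
    return "mitigate"


def rank_register(assets: List[Asset], tolerance: float = 2.0,
                  refuse_above: float = 30.0) -> List[Tuple[str, float, str]]:
    """Highest risk first, with the recommended action for each asset."""
    ranked = sorted(assets, key=lambda a: a.risk, reverse=True)
    return [(a.name, round(a.risk, 2), recommend_action(a, tolerance, refuse_above))
            for a in ranked]


# Constructed register mirroring the two cases in section 5 plus two more.
REGISTER = [
    Asset("office-only app, no sensitive data, standard user", 0.2, 2.0, 1.0,
          critical=False, transferable=False),
    Asset("cloud PII database, privileged user on a home device", 0.6, 8.0, 5.0,
          critical=True, transferable=False),
    Asset("legacy payroll export share", 0.5, 7.0, 4.0,
          critical=False, transferable=True),
    Asset("unsupported public-facing portal", 0.9, 9.0, 5.0,
          critical=False, transferable=True),
]

if __name__ == "__main__":
    for name, risk, action in rank_register(REGISTER):
        print(f"{risk:6.2f}  {action:9}  {name}")
```

The ordering is the point: the same register sorted by risk tells you where to spend control budget first, and the decision column is what the security policy in section 9 should record for each asset.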
8. Set controls
For any risks that you choose to mitigate, you need to establish a set of controls. These controls show that you understand how a potential cybercriminal might gain unauthorized access to the sensitive data, but you have ways to reduce the likelihood of that happening.
Some security controls include:
- Firewalls
- Encryption
- Identity and Access Management
- Vulnerability Monitoring
- Installing Security Patch Updates
9. Establish an IT security policy
A cybersecurity policy is a written document that incorporates your risk analysis and risk tolerance. It documents the processes and procedures in place that mitigate data breach risks.
Every IT security policy should, at minimum, include:
- Objectives: what the policy seeks to accomplish
- Scope: what data, systems, and networks the policy covers
- Specific goals: regulatory and industry standards’ compliance requirements as well as controls
- Responsibilities: who is in charge of the day-to-day activities
10. Establish a privacy policy
Although security and privacy go hand-in-hand, they also have differences. Traditionally, a security policy looks to prevent external unauthorized access to sensitive data. Privacy policies include internal unauthorized access as well as external.
Some key things a privacy policy should include are:
- Definition of Sensitive Data
- Data Collection Purpose
- Data Use
- Data Sharing
- Log Data Management
- Corporate Communications
- Cookie Collection and Use
- Data Protection and Security
- List of Applicable Regulations
- Limitation of User Access
- Employee Privacy Practices
- Data Retention
- Communications and Marketing
11. Establish identity and access management policies
As organizations increasingly adopt cloud-based applications, they need not only to monitor external access to their systems and networks but also to focus on the identity perimeter. Since users don’t always sit behind corporate firewalls and other traditional security protections, creating Identity and Access Management (IAM) policies becomes more important than ever.
Some things that companies need to consider are:
- What jobs users have
- What information they need
- What applications and resources they need to access
- What devices they use to connect to corporate networks and systems
- Where they are located geographically
12. Limit access according to the principle of least privilege
A fundamental IAM control is to limit user access according to the principle of least privilege, which means ensuring that users can only access information necessary to do their jobs. In a lot of ways, least privilege follows the old spy movie adage of operating on a “need to know” basis.
Many organizations struggle with this because complex, cloud-based ecosystems connect many different business-critical applications like enterprise resource planning (ERP) or electronic health record (EHR) platforms. Often, these applications use different definitions of user roles, which makes limiting access difficult.
Large enterprises face an extra problem. Often, employees change roles within the organization. While they still access certain enterprise resources, they may need access to new ones, depending on their business line. This creates an excess access risk that cybercriminals can use to gain unauthorized access to systems, networks, and applications. Then they move within the IT stack to steal data.
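The role-change problem above is detectable: compare what each identity actually holds against what its current roles justify. The following access review is an added example (not code from the original article or from SecurityScorecard). The role definitions, permission names, users, and the separation-of-duties pair are all constructed; in practice the role map comes from the ERP or IAM platform and the granted set from an entitlement export.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role definitions (permission strings are illustrative).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap-clerk":   {"erp:invoices:read", "erp:invoices:create"},
    "ap-manager": {"erp:invoices:read", "erp:invoices:approve", "erp:reports:read"},
    "hr-analyst": {"hr:records:read"},
}

# Permissions one identity should never hold together (separation of duties).
TOXIC_COMBINATIONS: List[Tuple[str, str]] = [
    ("erp:invoices:create", "erp:invoices:approve"),
]


def entitled_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of everything the user's current roles grant."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def excess_access(granted: Set[str], roles: Iterable[str]) -> List[str]:
    """Permissions held that none of the current roles justify (stale grants)."""
    return sorted(granted - entitled_permissions(roles))


def toxic_combinations(granted: Set[str]) -> List[Tuple[str, str]]:
    return [pair for pair in TOXIC_COMBINATIONS if set(pair) <= granted]


def review_user(name: str, roles: List[str], granted: Set[str]) -> Dict:
    """One review record per identity; non-empty lists are what the reviewer acts on."""
    return {
        "user": name,
        "excess": excess_access(granted, roles),
        "toxic": toxic_combinations(granted),
    }


# Constructed users: alice moved from ap-clerk to ap-manager and the old grants
# were never revoked; bob's access matches his role exactly.
USERS = {
    "alice": {"roles": ["ap-manager"],
              "granted": {"erp:invoices:read", "erp:invoices:create",
                          "erp:invoices:approve", "erp:reports:read"}},
    "bob":   {"roles": ["hr-analyst"], "granted": {"hr:records:read"}},
}


def review_all(users: Dict[str, Dict]) -> List[Dict]:
    return [review_user(n, u["roles"], u["granted"]) for n, u in users.items()]


if __name__ == "__main__":
    for record in review_all(USERS):
        print(record)
```

Alice's leftover `erp:invoices:create` is exactly the excess-access risk described above, and because it combines with the approval right her new role carries, the review also flags a separation-of-duties violation that a simple "who has what" report would miss.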
13. Enable multi-factor authentication
Multi-factor authentication helps mitigate the risks associated with excess user access. Authentication is the process of proving that you are who your login credential says you are. If a cybercriminal steals a password and tries to log into a cloud resource, multi-factor authentication requires them to use more than just the stolen password.
When users log into a web application, they should be using at least two of the following:
- Something they know (password)
- Something that they have (a smartphone or token)
- Something that they are (a fingerprint, facial identification, or other biometric)
Malicious actors can’t easily fake a push notification code sent to a device or a biometric. Thus, when they try to log in and can’t meet this second layer of authentication, they fail.
14. Establish a strong password policy
Moving to a cloud-first or cloud-only IT stack means incorporating more web-based applications into business processes. To thwart attempted cybersecurity threats, like dictionary attacks, you need to create a password policy and define a strong passphrase.
When establishing your password policy, you should incorporate some of the following best practices:
- More than 10 characters
- At least one upper-case letter
- At least one number
- At least one special character
You may also want to consider providing employees with a password management program account so that they are more likely to create unique passwords.
15. Monitor privileged access
The riskiest identities in an organization are the ones that have privileged access. These can be human users, like system administrators, or machine identities, like software update agents. For example, system administrators have “superuser” access because they need to make critical changes to systems and networks. These activities can include creating new user accounts or updating RPA scripts. Meanwhile, software update agents might need to access critical resources such as operating systems, servers, and databases.
Often, malicious actors gain access to an IT stack by finding a weak login and password combination for either a standard or privileged user. If they get the standard user credentials, they work to gain more access within the system until that account has privileged access. If they gain access with a privileged user account, they automatically have all the access they need.
Monitoring for anomalous privileged access requests and use can help you more rapidly detect a compromised account and reduce your data breach risk.
16. Change default passwords
Most devices, cloud resources, and software come with default passwords. These passwords are often posted on the manufacturer or service provider’s website so that an organization can make changes. For example, to update your computer’s software, the device often prompts for a user or administrator password. In some cases, such as routers or other enterprise devices, the login ID and password may be something as common as:
UserID: Admin
Password: Admin
To update the firmware or set up the device, you may need an administrative password. Most default passwords are the same for all devices within a given product or software line. Companies do this to make it easier to set up the devices, but it also creates a security weakness. If you can look the default password up on the internet, so can a malicious actor. Since these default user IDs and passwords often grant privileged access, they give cybercriminals easy access to your most sensitive networks and systems.
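Sections 14 and 16 describe two checks on the same credential: does it meet the password policy, and is it still a factory default? The following audit is an added example (not code from the original article or from SecurityScorecard) that applies both to a constructed device inventory. The policy rules are the four listed in section 14 plus a deny-list check against common passwords (the dictionary-attack concern); `COMMON_PASSWORDS`, `DEFAULT_CREDENTIALS`, and the device records are small constructed samples, where real checks would use a breach corpus and the vendors' published default lists.

```python
import string
from typing import Dict, List

# Constructed samples; production checks use much larger breach corpora and
# vendor default-credential lists.
COMMON_PASSWORDS = {"password", "password1", "admin", "welcome1", "letmein", "qwerty123"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("user", "user")}


def password_policy_violations(password: str) -> List[str]:
    """Every rule the password fails; an empty list means it passes the policy."""
    problems = []
    if len(password) <= 10:
        problems.append("must be more than 10 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list (dictionary attack risk)")
    return problems


def uses_default_credentials(username: str, password: str) -> bool:
    """True when the pair matches a known factory default (case-insensitive)."""
    return (username.lower(), password.lower()) in DEFAULT_CREDENTIALS


def audit_devices(devices: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {device name: [issues]} for every device with at least one issue."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        issues = []
        if uses_default_credentials(dev["user"], dev["password"]):
            issues.append("factory default credentials still in use")
        issues += password_policy_violations(dev["password"])
        if issues:
            report[dev["name"]] = issues
    return report


# Constructed inventory records (in a real audit these come from a
# credential vault or configuration export, never from a plain-text file).
DEVICES = [
    {"name": "core-router-1", "user": "Admin", "password": "Admin"},
    {"name": "nas-02",        "user": "admin", "password": "Tr0ub4dor&3"},
    {"name": "fw-edge",       "user": "svc",   "password": "Winter2024"},
]

if __name__ == "__main__":
    for name, issues in audit_devices(DEVICES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The router with `Admin`/`Admin` fails on both counts, which is the combination section 16 warns about: the login is both guessable and privileged. The firewall's password shows why the length rule is a separate check; it has the right character classes but is still only ten characters.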
17. Install anti-virus software
Cybercriminals continue to engage in ransomware attacks. Research from 2020 showed a 715% year-over-year increase in detected and blocked ransomware attacks. Not all malware is ransomware. Often, cybercriminals will include malicious code in social engineering attacks as a way to steal login credentials. Once they steal the credentials, they gain access to systems, software, and networks where they continue to escalate privileges undetected.
One way to mitigate the risks that malware poses is to install an antivirus solution and keep it updated. Most anti-virus software providers regularly update the malware signatures or use advanced analytics to predict new signatures. If a user attempts to access a malicious website or download a risky file, the anti-virus detects the code and quarantines it to protect the device.
18. Establish a data governance policy
Data governance is an offshoot of IAM with distinct functions. Your data governance policy sets out processes and procedures for safe data handling and protection.
At a minimum, it should include processes and procedures for ensuring data:
- Quality
- Access
- Security
- Privacy
- Usage
You also need to think about assigning responsible parties who enforce these policies.
19. Establish a vendor risk management policy and program
Today’s hyper-connected ecosystem means that third and fourth-party business partners are essential to business operations. While your vendors enable successful digital transformation strategies, they also create new risks because you lack visibility into their security posture.
To protect yourself from a data breach, you need a vendor risk management policy and program that addresses the following risks:
- Compliance
- Cybersecurity
- Privacy
- Reputation
- Legal
- Financial
To measure your vendors’ compliance against your policy, you should incorporate clauses in your service level agreements that address:
- Network Security
- IP Reputation
- DNS Health
- Patching Cadence
- Web Application Security
- Endpoint Security
- Employee Security Awareness Training
Additionally, you should establish meaningful key performance indicators for your vendor risk management program.
20. Establish a 3-2-1 data backup and recovery process
While backup and recovery may not necessarily look like a preventative measure, it does mitigate many of the data loss and productivity risks associated with ransomware attacks.
Your backup and recovery program should be part of your disaster recovery and business continuity plans. You should make sure that you have three backups on two different media with at least one stored off-site.
21. Establish and test an incident detection and incident response program
Data breach prevention also means having the right teams in place to detect and rapidly respond to potential data incidents. Not every security incident turns into a full-blown breach. In the same way that all squares are rectangles while not all rectangles are squares, all data breaches are security incidents, but not all security incidents are data breaches.
A security incident can include:
- Malware Infections
- Distributed Denial of Service (DDoS) attacks
- Unauthorized Access
- Insider Access Misuse
- Unauthorized Privilege Escalation
- Device Loss or Theft
Meanwhile, a data breach usually means that a data security incident led to exposing sensitive information. Having an incident detection and response program that you test regularly gives you a way to prevent a security incident from becoming a breach. The more rapidly your incident response team can detect and respond to a security alert, the less likely you are to suffer a breach.
22. Establish a Bring-Your-Own-Device (BYOD) policy
Often, employees want to use their own devices to work remotely or otherwise connect to your corporate network. Unfortunately, you can’t always push the same protections to your employees’ personal devices that you can to your owned ones. Your BYOD policy sets out the rules they need to follow when connecting their devices to your systems and networks.
The BYOD policy should include:
- Clear, non-legalese explanation of compliance
- Definition of personal and work use
- Reimbursement policies
- Acceptable use standards
- Impact on employee privacy
- Reporting lost, stolen, hacked, or damaged equipment
23. Establish a secure data retention and disposal policy
All sensitive data is a risk, even when you dispose of it. Most regulatory and industry standards require organizations to maintain records for a period of time and then safely dispose of them. However, archived information becomes a data breach risk because people rarely access and monitor the location. Meanwhile, disposing of data creates additional risks. Simply deleting electronic data may not remove it from all places you stored it, while physical copies of information need to be shredded.
From a data security perspective, your retention and disposal policy should incorporate:
- Purpose
- Scope
- Responsible Parties
- Data Categories Covered
- Record Retention Schedule for Each Category
- Types of Electronic Data Covered including Email, PDF Documents, Text/Formatted Files, and Web Page Files
- Relevant Regulations and Industry Standards
- Destruction and Disposal Processes
Depending on the regulations governing your organization, you may need to address how you document disposal and confirm successful data destruction or deletion.
24. Encrypt data-at-rest and in-transit
When you encrypt data, you take a format that people can read and scramble it to make it unreadable. Think of it like the math homework assignments you did in elementary school where you had to solve a series of problems and each answer correlated to a letter. You then used those answers to decode a message. Encrypting data works similarly. Even if a malicious actor gains access to your IT stack, the encrypted data remains unintelligible without the key.
When setting best encryption practices for preventing a data breach, you should use Advanced Encryption Standard (AES) cryptography in 128, 192, or 256 bits. Additionally, you need to make sure that you’re encrypting both data-at-rest (saved on a hard drive or disk) and data-in-transit (traveling from one device to another).
Encrypting data-at-rest protects you from cybercriminals who gain unauthorized access to your IT stack. Encrypting data-in-transit protects you from attacks that focus on networks, particularly wireless networks, such as man-in-the-middle attacks.
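The following is an added example (not code from the original article or from SecurityScorecard) of both legs: AES-256-GCM for a record at rest, and a TLS client context pinned to TLS 1.2 or newer with AES-GCM suites for the in-transit leg. It assumes the `cryptography` package is installed; the record label, key handling, and sample data are constructed. Two details matter more than the cipher choice: the nonce is fresh for every encryption, and the record's label is bound as associated data so an attacker with write access to the store cannot swap one customer's ciphertext into another's slot without detection.

```python
import os
import ssl
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size GCM is specified for


def generate_key(bits: int = 256) -> bytes:
    """AES-128/192/256 key. In production it comes from a KMS or HSM, never from
    a file stored beside the data it protects."""
    return AESGCM.generate_key(bit_length=bits)


def encrypt_at_rest(key: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Return nonce || ciphertext || tag. `label` (e.g. the record path) is
    authenticated as associated data, so a blob cannot be silently moved to
    another record."""
    nonce = os.urandom(NONCE_LEN)   # fresh per message; never reuse a nonce under one key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, label)


def decrypt_at_rest(key: bytes, blob: bytes, label: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the blob was tampered with, the key is
    wrong, or the label does not match the one used at encryption time."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, label)
    except InvalidTag:
        return None


def tls_client_context() -> ssl.SSLContext:
    """Client-side settings for the in-transit leg."""
    ctx = ssl.create_default_context()           # certificate + hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")               # TLS 1.2 suites: forward secrecy + AES-GCM
    return ctx


def tls_context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """The three properties a reviewer checks before trusting a client context."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


if __name__ == "__main__":
    key = generate_key(256)
    blob = encrypt_at_rest(key, b"account 12345 balance 9000", b"records/12345")
    print("round trip:", decrypt_at_rest(key, blob, b"records/12345"))
    print("wrong label:", decrypt_at_rest(key, blob, b"records/12346"))
    print("TLS hardened:", tls_context_is_hardened(tls_client_context()))
```

`set_ciphers` governs TLS 1.2 suites only; TLS 1.3 negotiates its own AEAD suites, all of which are AES-GCM or ChaCha20-Poly1305, so raising the minimum version is what removes the legacy CBC and RC4 options.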
25. Regularly apply security patch updates to software and firmware
Many cyber attacks start with malicious actors looking for common vulnerabilities and exposures (CVEs). The CVE list is a dictionary of known code vulnerabilities that attackers can exploit. After security analysts discover a vulnerability, they report it to the software or device manufacturer. The manufacturer then generates a software update that “patches” the hole in the code, removing the weakness. Since the list is publicly available, cybercriminals are well-versed in the different security weaknesses and actively look to exploit them.
Often, organizations fail to push security patch updates through to all devices that connect to their systems and networks, especially employee-owned devices. Even one device left unpatched can lead to a successful data breach.
As a best practice, organizations should apply security patch updates within 30 days of the release.
26. Monitor for misconfigured cloud assets
As companies move to the cloud, storage and processing locations become more abstract. For example, your on-premises server was often located in a building with security guards and physical locks. Today, cloud storage and processing locations are defined in code. According to one 2020 InfoSecurity Magazine article, 73% of surveyed cloud engineering and security teams said that they had more than ten cloud misconfiguration incidents per day, while one third experienced over 100 and another 10% over 500 incidents per day.
Some common misconfigurations include:
- AWS Security Groups
- Access Restrictions
- Permission Controls
You might think it sounds hyperbolic to say that misconfigurations lasting only a few seconds or less can be a data breach issue. However, just as your company’s security team scans your cloud services continuously, so do malicious actors.
To reduce the risks associated with misconfigured cloud resources, you should make sure that you’re scanning all of the following:
- Workloads
- Containers
- Databases
- Storage Buckets
- Virtual Machines
- Instances
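The three misconfiguration classes named above (security groups, access restrictions, permission controls) can all be checked from an inventory export. The following scanner is an added example (not code from the original article or from SecurityScorecard) that walks a constructed inventory of security groups, storage buckets, and permission policies and reports world-open ingress, public buckets, and wildcard grants. The inventory format, the port list, and the severity rules are assumptions for the example; a real scan reads the provider's API output and runs continuously, for the reason the text gives.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (severity, resource, description)

# Ports that should never be reachable from the whole internet (constructed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}
WEB_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0."""
    return ip_network(cidr, strict=False).prefixlen == 0


def scan_security_groups(groups: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for group in groups:
        for rule in group["ingress"]:
            if not is_world_open(rule["cidr"]):
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            if lo == 0 and hi == 65535:
                findings.append(("HIGH", group["name"], f"all ports open to {rule['cidr']}"))
                continue
            exposed = [f"{p}/{n}" for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            if exposed:
                findings.append(("HIGH", group["name"],
                                 f"{', '.join(exposed)} open to {rule['cidr']}"))
            elif not set(range(lo, hi + 1)) <= WEB_PORTS:
                findings.append(("MEDIUM", group["name"],
                                 f"ports {lo}-{hi} open to {rule['cidr']}"))
    return findings


def scan_storage(buckets: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for b in buckets:
        if b["public_read"]:
            severity = "HIGH" if b["contains_sensitive_data"] else "MEDIUM"
            findings.append((severity, b["name"], "bucket allows public read"))
    return findings


def scan_policies(policies: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for p in policies:
        wildcard_action = any(a == "*" or a.endswith(":*") for a in p["actions"])
        if wildcard_action and "*" in p["resources"]:
            findings.append(("MEDIUM", p["name"], "wildcard actions on all resources"))
    return findings


def scan_inventory(inventory: Dict[str, list]) -> List[Finding]:
    return (scan_security_groups(inventory["security_groups"])
            + scan_storage(inventory["buckets"])
            + scan_policies(inventory["policies"]))


# Constructed inventory in a provider-neutral shape.
INVENTORY = {
    "security_groups": [
        {"name": "sg-web", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
            {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
        {"name": "sg-db", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432}]},
        {"name": "sg-bastion", "ingress": [
            {"cidr": "::/0", "from_port": 0, "to_port": 65535}]},
    ],
    "buckets": [
        {"name": "app-assets", "public_read": True, "contains_sensitive_data": False},
        {"name": "customer-exports", "public_read": True, "contains_sensitive_data": True},
        {"name": "audit-logs", "public_read": False, "contains_sensitive_data": True},
    ],
    "policies": [
        {"name": "ci-role", "actions": ["s3:*"], "resources": ["*"]},
        {"name": "reader", "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::app-assets/*"]},
    ],
}

if __name__ == "__main__":
    for severity, resource, description in scan_inventory(INVENTORY):
        print(f"{severity:6} {resource:18} {description}")
```

The severity of the public bucket depends on the data classification from section 1, which is why the inventory steps come first: the same misconfiguration is a cosmetic issue on a bucket of marketing images and a breach on a bucket of customer exports.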
27. Use a centralized log management solution
Every cloud resource, endpoint, access point, and user generates event log data. This data gives you visibility into all activity across your IT stack, but it can often become overwhelming. Making matters worse, each cloud resource, application, and endpoint submits event log data differently. They may use different formats or report different types of information, which makes comparing them as part of your threat hunting and alert response process time-consuming.
Centralized log management solutions enable a more robust cybersecurity posture because they give you a way to collect, aggregate, and correlate log data efficiently. In doing so, they make it easier to locate and remediate weaknesses. The more rapidly you can remediate risks, the more likely you are to prevent a data breach.
28. Create an employee training program
Employee cybersecurity awareness training needs to be meaningful and useful to protect against social engineering attacks. As part of your data breach prevention practices, you need to provide training, assess user knowledge, and ensure minimum baselines.
Cybercriminals often engage in social engineering attacks to obtain otherwise-unauthorized access to systems, applications, and networks. Your training materials should include:
- Phishing, vishing, and smishing attacks
- Strong password creation
- Recognizing malicious websites
- Issues with unsafe media, like USB drives
As part of your employee security awareness training program, you should document assessment outcomes and periodically provide additional training modules.
29. Continuously monitor security controls’ effectiveness
The only consistent thing in cybersecurity is the fact that it’s not consistent. Malicious actors continuously evolve their threat methodologies which means that the controls that protect today may not be adequate tomorrow.
Regulations and industry standards increasingly recognize that point-in-time control reviews no longer secure data. To prevent a data breach, you need continuous, real-time visibility into your controls’ effectiveness.
When establishing best practices, you want to set up alerts for several areas that cybercriminals target, including:
- Malware Detected on Endpoints
- Failed Login Attempts
- Unusual Traffic Volumes
- Slow Network Speed
- Outdated Software
- Open, Unused Ports
While these are only a few issues that impact enterprise systems, networks, and devices, they provide visibility that can mitigate some common attack vectors.
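Sections 27 and 29 meet in the "Failed Login Attempts" alert: it only works once logs from different sources have been normalized into one schema. The following is an added example (not code from the original article or from SecurityScorecard) that parses two constructed formats, an sshd syslog line and a CloudTrail-style JSON console login event, into a common record, then correlates failures by source address and escalates when a success from the same address follows them. The log lines, field names, thresholds, and window are all constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# sshd syslog line with an RFC 5424 timestamp (constructed format).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize(line: str) -> Optional[Dict]:
    """Map either source format onto one schema: ts, user, src_ip, outcome, source."""
    line = line.strip()
    if line.startswith("{"):                       # JSON console-login event
        ev = json.loads(line)
        return {
            "ts": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
            "user": ev["userName"],
            "src_ip": ev["sourceIPAddress"],
            "outcome": "failure" if ev.get("errorMessage") else "success",
            "source": "cloud-console",
        }
    m = SSHD_RE.match(line)
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src_ip": m["ip"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "source": m["host"],
        }
    return None   # unknown format: route to a parse-failure queue, do not drop silently


def detect_failed_logins(events: List[Dict], threshold: int = 3,
                         window_s: int = 300) -> List[Dict]:
    """Alert when one source IP fails `threshold` logins within `window_s` seconds,
    across every log source; escalate if a success from that IP follows."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["outcome"] == "failure"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if (last["ts"] - first["ts"]).total_seconds() <= window_s:
                later_success = any(e["outcome"] == "success" and e["ts"] > last["ts"]
                                    for e in evs)
                alerts.append({
                    "src_ip": ip,
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "sources": sorted({e["source"] for e in fails}),
                    "severity": "critical" if later_success else "high",
                })
                break
    return alerts


# Constructed sample: three failures from one address spread over two log sources,
# then a success; a single unrelated failure; one unparsable line.
SAMPLE_LOGS = [
    "2024-05-01T09:00:05+00:00 bastion sshd[4121]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    '{"eventTime": "2024-05-01T09:00:40Z", "eventName": "ConsoleLogin", "userName": "ops-admin", "sourceIPAddress": "198.51.100.7", "errorMessage": "Failed authentication"}',
    "2024-05-01T09:01:10+00:00 bastion sshd[4130]: Failed password for root from 198.51.100.7 port 51040 ssh2",
    "2024-05-01T09:02:30+00:00 bastion sshd[4188]: Accepted password for deploy from 198.51.100.7 port 51101 ssh2",
    "2024-05-01T09:05:00+00:00 app01 sshd[2210]: Failed password for alice from 10.0.0.5 port 40210 ssh2",
    '{"eventTime": "2024-05-01T09:05:30Z", "eventName": "ConsoleLogin", "userName": "alice", "sourceIPAddress": "10.0.0.5"}',
    "malformed line that neither parser understands",
]


def run(lines: List[str]) -> List[Dict]:
    events = [e for e in (normalize(line) for line in lines) if e]
    return detect_failed_logins(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Neither source on its own crosses the threshold (two SSH failures, one console failure); only the centralized, normalized view does, which is the case for aggregation the text makes.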
30. Create an audit trail to prove governance
Nearly every organization must meet one or more compliance requirements. While compliance is not equal to security, it often gives visibility into how well your organization enforces security controls and practices.
Point-in-time audits are no longer effective measures of security robustness. However, the documentation that shows your ability to monitor your control environment continuously and mitigate ransomware attacks proves governance over your security posture. By documenting your activities, you gain insight into your cybersecurity program’s maturity and continuously improve your program.
Establish best practices for preventing a data breach
Establishing best practices for preventing a data breach can be difficult but enforcing those best practices feels overwhelming in complex, interconnected IT ecosystems. SecurityScorecard’s security ratings platform continuously monitors security controls’ effectiveness across ten categories of risk and alerts you to new threats.
With our at-a-glance A-F security ratings, you can gain visibility into your IT stack security and monitor your third-party vendors for enhanced security. Customers have aligned their security programs and vendor risk management programs with our platform’s ten risk categories. This alignment gives them a way to establish meaningful, objective cybersecurity key performance indicators to create a quantitative approach to managing risk.
Enterprise security teams receive high volumes of alerts every day, making prioritization and remediation difficult. SecurityScorecard’s alerts incorporate a risk review and actionable remediation steps so that you can prioritize your daily activities.
Establishing best practices for preventing a data breach is the first step to security. Continuously monitoring controls and enforcing policies with SecurityScorecard’s platform allows you to mature your security posture.