Enterprise Organizations Must Go Back to Cybersecurity Basics

With more than $170 billion spent on cybersecurity in 2022 (Gartner), enterprise organizations are still struggling to adequately protect their data. From the medical sector to the financial industry, education sector and beyond, data breaches are still alarmingly commonplace. Why is this still happening, in light of all the knowledge we have? And what can enterprise organizations do to reduce the likelihood of data compromise, once and for all? It turns out, going back to basics is the best place to begin.

Start With Your People

An organization’s workforce is its biggest vulnerability, as untrained folks are far more likely to fall for phishing attempts, compromise their logins and make other mistakes. The mind-boggling part about this is that raising employees’ cyber awareness and training them on the most common pitfalls is relatively easy to do if an organization is willing to put in the time and investment. Why, then, don’t more companies make cyber awareness training a priority?

Part of the issue is that many people have an “it won’t happen to us” mentality. For example, 67.19% (more than two-thirds) of survey respondents from the education sector say employees at their institutions don’t think of themselves as targets that attackers can use to access data. This varies between industries, as only 37.5% of cyber-savvy professionals – like those in the IT field – report the same sentiment.

This speaks to a discrepancy between industries and, more importantly, a lack of real understanding about the fact that cybercriminals do not discriminate. All industries are targeted and all employees can be, too. Every organization must make training a regular requirement, teaching employees about their specific role in data protection, creating a company-wide culture of security and instructing their team members on how to protect themselves from the most common threats.

Practice the 3-2-1 Rule

The next step in building true cyber resilience is to recognize that cloud-based storage is not the be-all and end-all. Yes, it’s useful and important. But your data should never be stored in the cloud alone. Similarly, tapes or encrypted hard drives are not enough on their own. Instead, a longstanding best practice is the 3-2-1 rule: Keep three total copies of data on two different mediums, with one copy stored off-site.

Ransomware continues to be a significant threat to enterprise data that the 3-2-1 rule can help fight, but many organizations are not utilizing this best practice. The Apricorn 2022 IT Security Survey revealed that most respondents (93%) say they have a ransomware readiness plan, but significant knowledge gaps exist with regard to adequate backup and cyber resilience practices. A full 26% view the cloud as too risky for data backup, but only one in three back up to both the cloud and to encrypted hardware storage devices. 82% want their organizations to require encrypted hardware USB usage, but only 34% have mandated such a policy. Additionally, only 20% back up in real-time, and only 18% employ the long-established best practice for backup: The 3-2-1 method.

Good choices for your backup mediums include cloud backups, on-premise storage, and portable, encrypted and removable storage devices like USBs or hard drives. An encrypted hardware storage device can guarantee your ability to resume operations after a natural disaster or breach wipes out some of your other backups. This might seem incredibly simple, but many businesses are still missing the mark here. Oftentimes, even if an organization has multiple backups, they’re stored in the same place – making them practically useless.
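As an added example (not from the original article), the 3-2-1 rule and the encrypted-removable-media point above can be checked mechanically against a backup inventory. The inventory, field names, site labels and the `audit_321` function are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory: every copy of each dataset, the primary included.
# Field names and values are assumptions made for this example.
INVENTORY = [
    {"dataset": "finance-db", "medium": "disk", "site": "hq", "encrypted": True},
    {"dataset": "finance-db", "medium": "cloud", "site": "cloud-region-a", "encrypted": True},
    {"dataset": "finance-db", "medium": "usb-drive", "site": "offsite-vault", "encrypted": True},
    {"dataset": "hr-files", "medium": "disk", "site": "hq", "encrypted": True},
    {"dataset": "hr-files", "medium": "disk", "site": "hq", "encrypted": True},
    {"dataset": "hr-files", "medium": "usb-drive", "site": "hq", "encrypted": False},
    {"dataset": "research", "medium": "cloud", "site": "cloud-region-a", "encrypted": True},
]

PRIMARY_SITE = "hq"                       # assumption: where production data lives
REMOVABLE = {"usb-drive", "portable-hdd"}  # media that can leave the building


def audit_321(inventory, primary_site=PRIMARY_SITE):
    """Return {dataset: [findings]}; an empty list means the rule is met."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy["dataset"]].append(copy)

    report = {}
    for name, copies in sorted(by_dataset.items()):
        findings = []
        media = {c["medium"] for c in copies}
        sites = {c["site"] for c in copies}
        if len(copies) < 3:
            findings.append(f"only {len(copies)} of 3 copies")
        if len(media) < 2:
            findings.append("all copies on one medium")
        if not any(c["site"] != primary_site for c in copies):
            findings.append("no off-site copy")
        # Several backups kept in one location fail together.
        if len(copies) > 1 and len(sites) == 1:
            findings.append("all copies stored in the same place")
        for c in copies:
            if c["medium"] in REMOVABLE and not c["encrypted"]:
                findings.append(f"unencrypted removable copy at {c['site']}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for dataset, findings in audit_321(INVENTORY).items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```

The `hr-files` dataset shows the failure mode described above: it has three copies on two media, yet every copy sits at the same site.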

Encrypt Data

If your data happens to fall into the wrong hands, what happens next? If you’ve encrypted that data, as recommended above, you should be safe. If not, you could be greatly at risk. It really is this simple, and yet encryption is another step that some organizations don’t take the time to mandate.

The survey referenced above, for instance, highlighted the risk of moving data between work locations: the majority of respondents (82%) said that encryption should be required to secure USB storage devices, but only 34% say encryption is mandated within their organizations to protect data on the move.

Disconnects like this need to be addressed immediately. By making sure all of your data is encrypted, you’ll make it harder for bad actors to obtain anything of real value should they access your systems and networks.

Ensure Your Data is Clean

You can back up your data all day long, but if it’s already corrupted, what good would reclaiming it later do? This is an area that some organizations skip over because, similar to the steps before this, it’s not particularly compelling. In fact, it’s often tedious. Even so, it’s crucial to practice proper data hygiene.

Start by performing a comprehensive data management audit. Through this process, you can identify subtle vulnerabilities, insufficient safeguarding practices and unforeseen attack vectors. By understanding what gaps exist, you can better build plans to restore operations after an incident.

It might seem like these steps are rather elementary, but approaching the basics with such a mindset is what has caused many organizations to fail to enact these important foundational measures. When it comes to security vulnerabilities, you don’t want to find yourself on the wrong side of such a bet. Take the time to cover yourself from the ground up, and you’ll be able to recover that much faster – and more smoothly – if (or when) disaster strikes.

Kurt Markley

Kurt Markley is Apricorn's Managing Director, Americas.
