Data security: 6 steps to take right now Posted on February 8, 2016 by Tim Burke Ensuring data security can be tough, since attacks and breaches and plain old mistakes have so many sources. Often the real cause of a technology risk is deeply buried. Consider this example: Payment card data was captured from an e-commerce web application … Why? Because the threat actor made changes in the payment application code to capture and send data when processed. Why? Because the threat actor bypassed authentication to upload a backdoor to the server via Remote File Inclusion (RFI). Why? Because the e-commerce firm’s version of JBoss middleware was outdated and vulnerable to a widely known attack. Why? Because their server software hadn’t been updated in years. Why? Because they thought their third-party vendor would do it? Because they didn’t know they had to? Because they thought they had — but failed to check implementation? Because they had insufficient processes in place to manage their technology risk? The technology risk hydra Many versions of this scenario play out daily — because wherever information technology is at work in your organization, your operations and the data they depend on are potentially vulnerable to some sort of technology risk. When it comes to data security, there’s much you can do to protect your enterprise. Here’s my shortlist: Discover and classify all your data so you know where sensitive information resides within your organization and among your service providers (clouds, managed services). This tells you what needs protection, backup, etc. Inventory all components of your enterprise’s technology infrastructure — including your web presence — and make sure they’re patched and updated regularly. It’s important that your security tools and solutions match your infrastructure. For instance, proper implementation of technologies like encryption, access controls, tokenization, data masking, and data access monitoring can go a long way to securing cloud, big data, and IoT capabilities. Deploy a single data security platform capable of delivering a broad swath of security solutions. It should include a suspicious-behavior early warning system that feeds into security analytics capable of recognizing threat activity patterns by integrating data access monitoring with other threat indicators. This will improve your security posture while reducing costs. Commit to two-factor authentication, data encryption, and access control (for more than merely meeting compliance requirements). And ask: should we encrypt everything? Train your employees. Upwards of one in five recipients of phishing emails open them, and half of those click on the email’s attachments, because they do not know any better. Training and awareness can change that and a lot of other bad behavior. And #6: Get expert help before you’re in crisis I have one more addition to this list: Get expert help — preferably before your enterprise is in crisis. The data security your enterprise requires does not come in a neat, generic box. It must be customized to the particulars of your business and its technology infrastructure. And, of course, your security posture must be continuously monitored and managed. An experienced technology consultant can assess your current security posture broadly, in terms of overall risk management, and then specifically customize the services you need — whether it’s managed security services, backup and disaster recovery capabilities to protect your data, or secure cloud services for such tasks as application testing.