Data security, are we doing enough?

Data is one of the most valuable commodities in this day and age. Roughly 2000 data breaches are reported each year, and that number is expected to rise as breach-reporting laws change and more incidents have to be disclosed.

In this ever-evolving world of cybersecurity, are we growing our defences as quickly as attackers are adapting? I would say there is never enough that can be done; we need to ensure we are always adapting what we do.

To achieve this, there are three pillars we need to constantly be thinking of:

  1. Secure coding
  2. Secure infrastructure
  3. Security awareness

Secure Coding:

Software development teams should always keep abreast of their role in securing access to their applications and the data behind them. With cloud-first businesses and applications becoming the norm, it is now more critical than ever to have teams that build security in from the beginning and keep a strong focus on secure coding.

As with most things in life, there are no shortcuts. You need regular security training for your teams, and that applies to the entire cross-functional team (including any DevOps or infrastructure teams). You will also need to adopt published secure coding practices, such as the OWASP guidance (the OWASP Top 10 is the obvious starting point). These practices need to be embedded in your architecture and design processes, not bolted on at the end.

To make sure the practices are actually being followed, perform regular security code reviews and have external security audits done. An independent party reviewing your work ensures the results are not skewed by a team marking its own homework.
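The kind of defect the OWASP guidance mentioned above is meant to catch is easiest to see side by side. The following is an added example, not code from the article or its author: a user lookup written the vulnerable way (untrusted input spliced into the SQL text, the classic injection flaw from the OWASP Top 10) next to the hardened, parameterised version. The table, rows and the `users` lookup are constructed for the demonstration; the database is an in-memory SQLite instance so it runs offline.

```python
import sqlite3

# Constructed in-memory database for the demonstration (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn

def find_user_vulnerable(conn, username):
    # VULNERABLE on purpose: the caller-supplied value becomes part of the SQL
    # statement, so quotes and operators in it are parsed as SQL.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # Hardened: the value is bound as a parameter. The driver sends it as data,
    # so it can never change the structure of the query.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

def demo():
    """Run both lookups against a normal name and an injection payload.

    Returns a dict of results so the behaviour can be inspected or asserted on.
    """
    conn = make_db()
    payload = "x' OR '1'='1"  # turns the WHERE clause into a tautology
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),
        "vuln_payload": find_user_vulnerable(conn, payload),   # leaks every row
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, payload),         # no such user
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point a code reviewer looks for is not the string formatting itself but the boundary: anything that arrives from outside the process (form fields, headers, message payloads) must reach the database as a bound parameter, never as part of the statement text. The same rule applies to shell commands, LDAP filters and template engines.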

Secure Infrastructure:

As good as your developers might be, you should always put your infrastructure through its security paces. This includes hardening against current security standards, which should be reviewed and updated regularly. You should also have a good patching policy in place so that vulnerabilities are fixed as soon as a patch is available, with priority given to anything internet-facing or known to be actively exploited.

As much as we trust the people who work with us, we should only grant access based on what each person needs to do their job (least privilege), and review those grants whenever someone changes role or leaves.

Then there are the obvious things (I say obvious, but they are often overlooked): regular antivirus scanning, firewall and DDoS protection, and up-to-date backups of all critical systems and data. Those backups should be secured, tested by actually restoring from them, and a copy kept offsite, so that an intruder who reaches your production environment cannot also destroy your only copy. Monitoring for intrusion attempts is also a must.

You should perform regular penetration tests and external vulnerability scans (using a service such as Qualys) so that you are proactively looking for gaps in your applications and infrastructure rather than waiting for someone else to find them.
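"Monitoring for intrusion attempts" is easy to say and harder to make concrete, so here is an added example of what the simplest version looks like in practice. This is not code from the article or its author: it parses a handful of constructed OpenSSH auth log lines (syslog format; the hostnames, PIDs and addresses are made up) and flags an address that racks up a burst of failed logins inside a short window, then raises the severity if a successful login from that same address follows. The threshold and window are assumptions; tune them to your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (not real logs).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:05 web1 sshd[2235]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:07 web1 sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:09 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:11 web1 sshd[2241]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:05:30 web1 sshd[2260]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
Mar  3 10:06:10 web1 sshd[2262]: Accepted publickey for jsmith from 198.51.100.20 port 40002 ssh2
"""

# Matches the login outcome lines sshd writes; other sshd messages are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(log_text, year=2024):
    """Return (timestamp, result, user, ip) tuples for each login outcome line.

    Syslog timestamps carry no year, so one is supplied (assumption for the demo).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector: `threshold` failures from one IP within `window`.

    Emits ("bruteforce", ip, failure_count) once per offending IP, and
    ("success_after_bruteforce", ip, user) if that IP later logs in successfully,
    which is the case that should page someone rather than just be logged.
    """
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    flagged = set()
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # expire old failures
                recent.pop(0)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent)))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the same logic runs inside your log pipeline or SIEM over a continuous stream rather than a string, and the per-IP state needs an expiry so it does not grow without bound. The useful lesson is the second alert type: a single successful login is not interesting, but a success that follows a burst of failures from the same source almost always is.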

Security Awareness:

The final, and probably most important, pillar is awareness. You can have the best applications and the most secure environments in the world, but if someone simply walks in through the front door, those controls become irrelevant.

As a business you need to be serious about security: educate your people about the threats out there and the risks that come with them. It is not good enough to have a small piece on security awareness in your induction program and then never speak of it again. You need regular awareness training about the threats that exist today and what could be coming tomorrow.

Again, the basics need to be part of your awareness programs: strong password controls, and how to respond when someone is trying to elicit information about colleagues or the business (social engineering, whether by phone, email or in person).

To cater for this ever-changing threat, you should have a response team and an incident response plan in place for when an intrusion is detected or a threat is identified, so that people know who to call and what to do before it happens rather than working it out on the day.

Security is not one person’s job or responsibility. We all have a role to play.

Jason, thanks for sharing!


I agree, security awareness is key. If everyone in a company is in that mindset of security, such as locking their unattended workstation or using secure passwords, then secure development practices will feel natural.


More articles by Jason Fischer
