sign in sign up
<<
Home , Data security

Five common security pitfalls to avoid

Learn how to improve your security posture Contents

Introduction Five common data security pitfalls Conclusion

03 05 07 09 11 13 16 17 Data security should Failure to Failure to Failure to Failure to Failure to prioritize What’s next? Why IBM be a top priority for move beyond recognize the need define who owns address known and leverage data Security? enterprises, and for compliance for centralized responsibility for vulnerabilities activity monitoring good reason data security the data

Solution Solution Solution Solution Solution Recognize and Know where your Hire a CDO or DPO Establish an effective Develop a accept that sensitive data dedicated to the vulnerability comprehensive compliance is resides, including well-being and management program data detection and a starting point, on-premises and security of sensitive with the appropriate protection strategy not the goal cloud-hosted and critical data technology to support repositories assets its growth

‹ 2 › Even as the IT landscape becomes increas- There are several internal and external ingly decentralized and complex, it’s important factors that can lead to successful Data security to understand that many security breaches are , including: preventable. While individual security chal- lenges and goals may differ from company to – Erosion of network perimeters company, often organizations make the same – Increased attack surfaces offered should be widespread mistakes as they begin to tackle by more complex IT environments data security. What’s more, many enterprise leaders often accept these errors as normal – Growing demands that cloud services business practice. place on security practices a top priority – Increasingly sophisticated nature of cyber crimes – Persistent cybersecurity skills shortage – Lack of employee awareness for enterprises, surrounding data security risks and for good reason.

$8.64 million 237 days Average cost of a Average time to identity and contain in the United States in 20201 a data breach in the United States1

Introduction Five missteps Conclusion ‹ 3 › Let’s look at five of the most How strong prevalent—and avoidable—data security missteps that make organizations vulnerable to is your data potential attacks, and how you can avoid them. security practice?

Accelerate Centralize Establish Assess Prioritize compliance security ownership vulnerabilities activities

‹ 4 › Compliance doesn’t necessarily equal security. Pitfall 1 Organizations that focus their limited security resources to comply with an audit or certifica- tion can become complacent. Many large data $7.13 breaches have happened in organizations that Failure to were fully compliant on paper. The following examples show how focusing solely on compli- ance can diminish effective security: million Healthcare industry saw data breach costs Incomplete coverage increase 10% since 2019. Regulated move beyond Enterprises often scramble to address data- industries overall experienced significantly base misconfigurations and outdated access higher costs than less regulated industries.1 polices prior to an annual audit. Vulnerability and risk assessments should be ongoing compliance activities. Minimal effort Omission of unregulated data Many businesses adopt data security solutions Assets, such as intellectual property, just to fulfill legal or business partner require- can put your organization at risk if lost ments. This mindset of “let’s implement a or shared with unauthorized personnel. minimum standard and get back to business” Focusing solely on compliance can result can work against good security practices. in security organizations overlooking and Effective data security is a marathon not under protecting valuable data. a sprint.

Fading urgency Businesses can become complacent towards managing controls when regulations, such as the Sarbanes-Oxley Act (SOX), the General Data Protection Regulation (GDPR), and California Consumer Act (CCPA), mature. While, over time, leaders can be less considerate about the privacy, security and protection of regulated data, the risks and costs associated with noncompliance remain.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 5 › Data security organizations must establish View compliance as an strategic programs that consistently protect their business’ critical data, as opposed to opportunity to innovate Solution simply responding to compliance requirements. and raise your security Data security and protection programs should standards to support Recognize and accept that include these core practices: your business. – Discover and classify your sensitive data compliance is a starting across on-premises and cloud data stores. – Assess risk with contextual insights point, not the goal and analytics. – Protect sensitive data through and flexible access policies. – Monitor data access and usage patterns to quickly uncover suspicious activity. – Respond to threats in real time. – Simplify compliance and its reporting.

The final element can include legal liabilities related to regulatory compliance, possible losses a business can suffer and the potential costs of those losses beyond noncompliance fines.

Ultimately, you should think holistically about the risk and value of the data you seek to secure.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 6 › Without broader compliance mandates that Along with security Pitfall 2 cover data privacy and security, organization leaders can lose sight of the need for consistent, automation and adopting enterprise-wide data security. a zero trust strategy, Failure to For enterprises with hybrid multicloud environ- utilizing security tools ments, which constantly change and grow, new types of data sources can appear weekly or daily with the ability to share and greatly disperse sensitive data. data between disparate recognize Leaders of companies that are growing and systems can help security expanding their IT infrastructures can fail to recognize the risk that their changing attack teams detect incidents surface poses. They can lack adequate visibility across complex hybrid and control as their sensitive data moves around the need for 1 an increasingly complex and disparate IT multicloud environments. environment. Failure to adopt end-to-end data privacy, security and protection controls—espe- cially within complex environments—can prove centralized to be a very costly oversight.

Operating security solutions in silos can cause additional problems. For example, organizations data security with a security operations center (SOC) and security information and event management (SIEM) solution can neglect to feed those systems with insights gleaned from their data security solution. Likewise, a lack of interoperability between security people, processes and tools can hinder the success of any security program.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 7 › Securing sensitive data should occur in Securing sensitive conjunction with your broader security efforts. Solution In addition to understanding where your data should occur sensitive data is stored, you need to know when and how it’s being accessed, as well—even as in conjunction this information rapidly changes. Additionally, with your broader Know where your sensitive you should work to integrate data security and protection insights and policies with security efforts. data resides, including your overall security program to enable tightly aligned communication between technologies. A data security solution that operates across on-premises and cloud- disparate environments and platforms can help Lack of security oversight in this process. Your organization has grown to a point hosted repositories where it’s difficult to track and secure all So, when is the right time to integrate data the network endpoints, including cloud security with other security controls as part instances. For example, do you have a clear of a more holistic security practice? Here are idea of where, when and how data is being a few signs that suggest your organization stored, shared and accessed across your may be ready to take this next step: on-premises and cloud data stores?

Risk of losing valuable data Inadequate assessment The value of your organization’s personal, Your organization has adopted a fragmented sensitive and proprietary data is so significant approach where no clear understanding that its loss would cause significant damage exists of exactly what’s being spent across to the viability of your business. all your security activities. For example, do you have processes in place to measure Regulatory implications accurately your return on investment (ROI) Your organization collects and stores data in terms of the resources being allocated to with legal requirements, such as reduce data security risk? numbers, other payment information or . If any of these situations apply to your organization, you should consider acquiring the security skills and solutions needed to integrate data security into your broader existing security practice.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 8 › Even when aware of the need for data security, Pitfall 3 many companies have no one specifically respon- sible for protecting sensitive data. This situation often becomes apparent during a data security or 74% audit incident when the organization is under of organizations surveyed Failure to pressure to find out who is actually responsible. say that cybersecurity skills shortage has impacted Top executives may turn to the chief information their organization.2 officer (CIO), who might say, “Our job is to keep key systems running. Go talk to someone in my IT define who owns staff.” Those IT employees may be responsible for several in which sensitive data resides and yet lack a security budget. As Gartner states “Data is spreading across hybrid IT infrastructure on-premises and Typically, members of the chief information multicloud services; but businesses are failing responsibility security officer (CISO) organization aren’t directly to develop consistent and holistic data security responsible for the data that’s flowing through the and privacy policies that keep pace.3 overall business. They may give advice to the different line-of-business (LOB) managers within Use the Data Security Governance Framework an enterprise, but, in many companies, nobody is for the data to Balance Business explicitly responsible for the data itself. For an Needs and Risks organization, data Gartner, 2020, is one of its most valuable assets. Yet, without ownership responsibility, properly securing

sensitive data becomes a challenge. Read the study →

Top executives may turn to the chief (CIO), who might say, “Our job is to keep key systems running. Go talk to someone in my IT staff.” Those IT employees may be responsible for several databases in which sensitive data resides and yet lack a security budget.

Typically, members of the chief officer (CISO) organization aren’t directly responsible for the data that’s flowing through the overall business. They may give advice to the different line-of-business (LOB) managers within an enterprise, but, in many companies, nobody is explicitly responsible for the data itself. For an organization, data is one of its most valuable assets. Yet, without ownership responsibility, properly securing sensitive data becomes a challenge. Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 9 › In complex IT environments, it’s critical to Compliance leadership account for data in the following locations: Understand compliance requirements and Solution know how to map those requirements to data security controls so that your business is compliant.

Hire a CDO or DPO Monitoring and assessment Shared Located Stored Monitor the threat landscape and measure the dedicated to the well-being across in hybrid on mobile effectiveness of your data security program. business multicloud devices units infrastructures Flexibility and scaling and security of sensitive Know when and how to adjust the data security strategy, such as expanding data and critical data assets A chief data officer (CDO) or data protection access and usage policies across new environ- officer (DPO) can handle these duties. In fact, ments by integrating more advanced tools. companies based in Europe or doing business with European Union data subjects face GDPR Division of labor mandates that require them to have a DPO. This Set expectations with cloud service providers prerequisite recognizes that sensitive data—in regarding service-level agreements (SLAs) this case personal information—has value that and the responsibilities associated with data extends beyond the LOB that uses that data. security risk and remediation. Additionally, the requirement emphasizes that enterprises have a role specifically designed Data breach response plan to be responsible for data assets.Consider the Finally, be ready to play a key role to devise a following objectives and responsibilities for strategic breach mitigation and response plan. choosing a CDO or DPO: Ultimately, the CDO or DPO should lead in Technical knowledge and business sense fostering data security collaboration across Assess risk and make a practical business case teams and throughout your enterprise, as that nontechnical business leaders can under- everyone needs to work together to effec- stand regarding appropriate security investments. tively secure corporate data. This collabora- tion can help the CDO or DPO oversee the Strategic implementation programs and protections your organization Direct a plan at a technical level that applies needs to help secure its sensitive data. detection, response and data security controls to provide protections. Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 10 › High-profile breaches in enterprises have often Pitfall 4 resulted from known vulnerabilities that went unpatched even after the release of patches. Failure to quickly patch known vulnerabilities 52% puts your organization’s data at risk because of breaches recorded in 2020 Failure to cybercriminals actively seek these easy were caused by malicious points of entry. attacks, the most common and expensive cause of However, many businesses find it challenging breaches. This is a 1% to quickly implement patches because of the increase over 2019.1 address known level of coordination needed between IT, security and operational groups. Furthermore, patches often require testing to see if they don’t break a process or introduce vulnerabilities a new vulnerability. In cloud environments, sometimes it’s difficult to know if a contracted service or application component should be patched. Even if a vulnerability is found in a service, its users often lack control over the service provider’s remediation process.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 11 › Vulnerability management typically involves Solution some of the following levels of activity: – Maintain an accurate inventory and baseline state for your data assets. Establish an effective – Conduct frequent vulnerability scans and assessments across your entire vulnerability management infrastructure, including cloud assets. – Prioritize vulnerability remediation that considers the likelihood of the vulnerability program with the being exploited and the impact that event would have on your business. appropriate technology – Include vulnerability management and responsiveness as part of the SLA with to support its growth third-party service providers. – Obfuscate sensitive or personal data whenever possible. Encryption, tokenization Even within a mature vulnerability and redaction are three options for achieving management program, no system can this end. be made perfect. Assuming intrusions can happen even in the best protected – Employ proper encryption key management, environments, your data requires another ensuring that encryption keys are stored level of protection. The right set of data securely and cycled properly to keep your encryption techniques and capabilities encrypted data safe. can help protect your data against new and emerging threats.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 12 › Monitoring data access and use is an essential The global average cost Pitfall 5 part of any data security strategy. An organiza- of an insider threat is tion leader needs to know who, how and when people are accessing data. This monitoring should encompass whether these people should $11.45 Failure to have access, if that access level is correct and if 5 it represents an elevated risk for the enterprise. million.

Privileged user identifications are common culprits in insider threats.5 A data protection prioritize and plan should include real-time monitoring to Accounting for data security and compli- detect privileged user accounts being used for ance-related information and knowing when suspicious or unauthorized activities. To prevent and how to respond to potential threats can possible malicious activity, a solution must be difficult. With authorized users accessing leverage modern perform the following tasks: multiple data sources, including databases, file systems, mainframe environments and – Block and quarantine suspicious activity cloud environments, monitoring and saving based on policy violations. data from all these interactions can seem overwhelming. The challenge lies in effec- – Suspend or shut down sessions based data activity tively monitoring, capturing, filtering, on anomalous behavior. processing and responding to a huge – Use predefined regulation-specific workflows volume of data activity. Without a proper across data environments. plan in place, your organization can have monitoring – Send actionable alerts to IT security more activity information than it can and operations systems. reasonably process and, in turn, diminish methods the value of data activity monitoring.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 13 › To that end, when starting on a data security The average total With IBM journey, you need to size and scope your moni- cost of a data Security Solution toring efforts to properly address the require- breach was Guardium to ments and risks. This activity often involves automate data adopting a phased approach that enables devel- and file activity opment and scaling best practices across your 59% monitoring, Develop a comprehensive enterprise. Moreover, it’s critical to have conver- supplemented sations with key business and IT stakeholders higher with analytics, early in the process to understand short-term and data detection and in organizations the likelihood of long-term business objectives. without security a breach was automation reduced by 40% protection strategy These conversations should also capture the deployed in 2020.1 — a risk-adjusted technology that will be required to support their savings of $990k key initiatives. For instance, if the business is over three years.6 planning to set up offices in a new geography using a mix of on-premises and cloud-hosted data repositories, your data security strategy should assess how that plan will impact the organization’s data security and compliance posture. If, for example, the company-owned data will now be subject to new data security and You should look for an automated data or compliance requirements, such as the GDPR, file activity monitoring solution with rich California Consumer (CCPA), Brazil's analytics that can focus on key risks and Lei Geral de Proteção de Dados (LGPD) and so on. unusual behaviors by privileged users. Although it’s essential to receive automated You should also prioritize and focus on one or two alerts when a data or file activity monitoring sources that likely have the most sensitive data. solution detects abnormal behavior, you Make sure your data security policies are clear must also be able to take fast action when and detailed for these sources before extending anomalies or deviations from your data these practices to the rest of your infrastructure. access policies are discovered. Protection actions should include dynamic data masking or blocking.

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 14 › As you develop your data activity monitoring – Is real-time monitoring in place to track and protection plans, it’s often helpful to data in files residing in data stores, such consider the following questions: as Structured Query Lanuage (SQL) databases, Hadoop distributions, Not – What are my top two most sensitive only SQL (NoSQL) platforms and so on. data sources? – Does my monitoring solution account for – Which five to ten data sources should I data stores spanning hybrid multicloud prioritize next, based on their volume of environments and allow me to generate sensitive data? customized reports that go to the right – Are certain endpoints or cloud assets people at the right time? associated with higher-risk data? – Do I have the risk analytics and filtered – Is sensitive data freely moving to and monitoring capabilities needed to from on-premises, hybrid and cloud effectively prioritize risk, vulnerabilities environments? and remediation efforts? – Which users should be granted access to The more specific you can be about moni- the data source and under what conditions? toring priorities and protection require- – What high-risk users or privileged accounts ments, the more effective the solution will need to be turned off or require closer be for you to apply its available detection scrutiny? and response resources. – Does my data security solution support real-time activity monitoring and automated data protection capabilities?

Introduction Five missteps 1 2 3 4 5 Conclusion ‹ 15 › How can you avoid these common data secu- Immediate next steps you can take to protect IBM® Security Guardium® data protection rity pitfalls, especially as more companies are your organization’s valuable data include: platform is designed to help organizations What’s pursuing hybrid multicloud environments? It take a smarter and more adaptive approach begins with recognizing the issue and preparing – Building a data security strategy that to protecting critical data wherever it your organization to take a proactive and supports your organization’s short-term resides. See why it can be a good fit for holistic approach to securing data, regardless and long-term business and technology your organization. of where it resides. objectives next? Learn more at ibm.com/guardium. – Implementing that strategy with the If your business has a complex and hybrid proper people, processes and tools IT environment, you can’t afford a siloed approach to data security. You need to add – Planning your resources to ensure your data protection strategies that span across data security and compliance program your entire data infrastructure and support can effectively scale as your organization all your data types. embraces modern technologies

>4 weeks

Most organizations recognize value from Guardium in less than one month.6

Introduction Five missteps Conclusion ‹ 16 › IBM Security offers one of the most advanced IBM operates one of the and integrated portfolios of enterprise security IBM holds more world’s broadest security Why IBM products and services. The portfolio, supported by world-renowned IBM X-Force® research and research, development than 3,700 development, provides security intelligence to and delivery organizations, help organizations holistically protect their security patents Security? people, infrastructures, data and applications. monitoring more than It offers solutions for identity and access management, security, application development, risk management, endpoint management, network security and more. 60 billion These solutions enable organizations to effectively manage risk and implement inte- grated security for mobile, cloud, social media security events per day and other enterprise business architectures. in more than 130 countries.

Introduction Five missteps Conclusion ‹ 17 › © Copyright IBM Corporation 2021

IBM Corporation New Orchard Road Armonk, NY 10504

Produced in the United States of America April 2021

The client is responsible for ensuring compliance with laws and IBM, the IBM logo, ibm.com, Guardium, and X-Force are trademarks of 1. “Cost of a Data Breach report 2020.” IBM Security. regulations applicable to it. IBM does not provide legal advice or International Business Machines Corp., registered in many jurisdictions ibm.biz/BdfX2y worldwide. Other product and service names might be trademarks of represent or warrant that its services or products will ensure that the IBM or other companies. A current list of IBM trademarks is available on client is in compliance with any law or regulation. 2. Jon Oltsik. “The Life and Times of Cybersecurity Professionals 2018.” Enterprise Strategy Group and Information Systems the web at “Copyright and trademark information” at www.ibm.com/ Security Association International, April 2019. Statement of Good Security Practices: IT system security involves legal/copytrade.shtml. ibm.biz/BdfYxv protecting systems and information through prevention, detection and This document is current as of the initial date of publication and may be response to improper access from within and outside your enterprise. 3. “Use the Data Security Governance Framework to Balance Business Risks and Needs ” Gartner, November 17th, 2020. changed by IBM at any time. Not all offerings are available in every Improper access can result in information being altered, destroyed, ibm.biz/BdfzsC country in which IBM operates. misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product 4. Mark Samuels. “Big Data: Three ways Chief Data Officers can change the agenda” ZDnet, August 12th, 2020. The performance data and client examples cited are presented for should be considered completely secure and no single product, service ibm.biz/BdfYxG illustrative purposes only. Actual performance results may vary or security measure can be completely effective in preventing improper 5. “Cost of Insider Threats: Global Report 2020.” Study conducted by Ponemon Institute, sponsored by IBM Security and depending on specific configurations and operating conditions. It is the use or access. IBM systems, products and services are designed to be Observe IT. user’s responsibility to evaluate and verify the operation of any other part of a lawful, comprehensive security approach, which will ibm.biz/BdfYxn products or programs with IBM products and programs. THE necessarily involve additional operational procedures, and may require INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT other systems, products or services to be most effective. IBM DOES NOT 6. “The Total Economic of IBM Security Guardium.” Study conducted by Forrester Research, sponsored by IBM Security. ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE ibm.biz/BdfEVJ WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE PURPOSE AND ANY WARRANTY OR CONDITION OF NON- MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. 60031860USEN-00