Data Protection
5) Strengthen Credentials
More than a handful of us will add the dreaded exclamation point to the end of a password to
make it “unique” when prompted to change it. However, this is a costly mistake that countless
organizations have paid the price for. Unique passwords that are changed at frequent intervals
are best practice, and with encrypted password managers and data protection software available,
it’s far more secure and feasible to enforce these policies with minimal pushback from
employees.
6) Educate Employees
Ninety-five percent of cybersecurity breaches are due to human error, according to IBM. That’s
why it’s vital to train your employees on how to identify and report the signs of a data leak or
breach. When your employees fully understand and support initiatives such as email best
practices, BYOD, password policies, and disaster recovery plans, your security will be stronger
across the board.
7) Back Up Files
Regardless of how secure your data is, Mother Nature or ordinary accidents that damage
hardware can pose a huge risk to your organization if you are not regularly backing up your data
in separate locations, as well as in the cloud. But don’t just trust that the backups will be ready for
you. You’ll want a specific, prioritized plan for rebuilding your infrastructure, and you should
rehearse it so that a dry run surfaces any errors or missing components you need to be aware of
before the real deal.
Recovery from a data breach or data loss is time-sensitive, and any delay can affect business
continuity. There are also legal requirements for many industries, which apply to organizations
that handle or store personal information such as names, addresses, passwords, credit card
details, and medical records.
What Is GDPR?
The General Data Protection Regulation (GDPR) was adopted in April 2016 and came into
effect in May 2018 with the goal of providing a unified standard for data protection across the
European Union (EU) and European Economic Area (EEA). It stipulates that any organization,
public or private, that processes personal data must commit to maintaining a high level of data
security.
The GDPR emphasizes the rights of EU residents relating to personal data, including the right to
access, modify, transfer, or erase their data. Personal data as defined in the GDPR refers to any
information that relates to an individual. This encompasses Personally Identifying Information
(PII), such as names; addresses; physical traits, including weight, height, and ethnic or racial
characteristics; biometric data such as DNA and fingerprints; and health data.
The GDPR stipulates that organizations must provide transparency regarding their use of
personal data, requiring them to disclose any data processing activity, demonstrate the lawful
basis for using this data, and report any data breach within 72 hours.
Data protection is an essential part of GDPR, and almost all online businesses must comply with
these or similar standards. GDPR compliance requires the implementation of a data privacy
policy that ensures that only the necessary data is collected; that individuals have a say about
which data can be collected and how it can be used; and that all sensitive data is deleted as soon
as it has served its purpose. The penalty for non-compliance is a fine of up to €20,000,000 or
four percent of the global revenues of an organization.
To help organizations meet the compliance requirements, the GDPR outlines responsibilities for
roles such as Data Protection Officers (DPOs) and data controllers. Data controller
responsibilities include implementing measures to ensure that personal data cannot be misused
and that it remains confidential. The GDPR grants the data controller flexibility to implement
additional data protection measures but requires the data controller to evaluate the risk and cost
associated with them.
There are a number of data management and storage solutions that can help you protect your
data. There are several types of data security measures intended to restrict access to data, monitor
activity in the network, and deploy a response to a suspected or confirmed breach. Some
common technologies and preventative security measures include:
Data Backup—storing regularly updated duplicates of your data. This often involves
“mirroring” your data in its entirety so you can access it from more than one place. You can
utilize an on-premises disk-based storage system for a secure, local backup with quick access,
tape as either local or remote backup, or cloud backup.
Data Loss Prevention (DLP)—a solution that utilizes several tools to help mitigate against data
loss.
Firewalls—help you monitor network traffic so you can detect and block malware.
Authentication and authorization—confirming the identity of a user and validating the access
privileges of that user. A combination of credentials (e.g. passwords), access tokens, and
authentication keys helps provide an added layer of security. This can be part of a larger Identity
and Access Management (IAM) solution, along with measures like Role-Based Access Control
(RBAC).
Encryption—converts the data into a non-readable format so that only the holder of the
encryption key can convert it back to plain text. Data security solutions typically offer encryption
as an important component of their data protection strategy.
Data erasure—deleting sensitive data once it has been processed to reduce the risk of exposure.
This is an important requirement of regulations like the GDPR.
Disaster Recovery Plan (DRP)—enables you to restore your data after an event that has
damaged the data center. Organizations should always have a plan in place so they can recover
lost data quickly and easily.
To help your organization fulfill the requirements of data protection regulations like the GDPR,
you should build a comprehensive data protection strategy and implement it throughout the
organization. Your compliance strategy should include:
Identify risk areas—you should assess the risks involved with any activity that uses personal
data. This can help you identify gaps in your existing security policies, so you can update your
compliance measures.
Maintain visibility and transparency—use measures such as data mapping to keep track of all
personal data that your organization processes. This should include documenting what types of
data you collect, where you store it, and why you need to process it.
Plan for privacy—the GDPR advocates a “privacy by default and by design” approach, which
involves implementing data protection measures throughout the lifecycle of your data processing
activities. Organizations must be able to demonstrate that they have an adequate plan in place, or
else risk exposing themselves to enforcement action. For this reason, you should incorporate
Privacy Impact Assessments (PIAs) into your privacy protection strategy.
With so many breaches involving a human element, it’s the logical place to start improving your
defenses. Security awareness training teaches your team members—including contractors,
partners, and anyone else with access to your applications and systems—to spot malicious
emails, attachments, and websites and understand their role in cybercrime prevention. A
practical, ongoing security awareness program should include testing by sending phishing
simulations to employees to identify problem areas and knowledge gaps.
2. Establish a Layered Security Strategy
While technology comes into play in a layered security strategy—see #3 below—an effective
approach addresses other gaps that can leave your organization open to an attack, including:
Security policies
Robust security policies can systematically prevent data breaches while increasing security
awareness within your organization. These policies also serve as guidelines for your employee
cybersecurity training program.
Physical security
Data is at the heart of almost every organization. That's why hackers now often resort to breaking
into facilities to gain access. Strong premises security that monitors activity and limits access is
crucial for keeping your sensitive systems safe.
Access control
Role-based systems access helps ensure that applications and data are always available to those
who need them while limiting privileges for specific systems to those that must have them. So, if
a hacker does gain access to one of your systems, they won’t be able to exploit your other
systems.
From a technology standpoint, layered security focuses on keeping any single security
vulnerability from compromising your entire system. That starts with assessing your current
security posture. The next step is to put prevention tools in place—or bring in a technology
partner—to close any security gaps. These tools include:
Encryption tools
Packet sniffers
Antivirus software
Firewall
Public Key Encryption (PKE) services
Penetration testing
When your every effort at prevention fails—it could be something as simple as someone clicking
on a malicious link without thinking—a sound data backup and recovery solution is your last line
of defense. Ensuring you can recover your data and get back up and running following an attack
starts by following the 3-2-1-1 rule. Keep three copies of your data, one primary and two
backups, with two copies stored locally on two formats and one stored offsite in the cloud or
secure storage. While you may be familiar with the old 3-2-1 backup rule, the added “1” in
3-2-1-1—which stands for immutable—makes all the difference in the world. Immutability is when
data is converted to a write-once, read-many-times format that can’t be altered. Choosing a
backup and disaster recovery solution that features immutability, like StorageCraft OneXafe,
ensures your data will be there when you need it. StorageCraft is an Arcserve company.
Regardless of your organization’s size or the complexity of your IT infrastructure, Arcserve
offers you the broadest portfolio of data protection, management, and recovery solutions
available under one roof.
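A small inventory check for the 3-2-1-1 rule described above, added here as an example; it is not StorageCraft or Arcserve code and is not tied to any product. The `BackupCopy` record and the two inventories are constructed for the demo, and "immutable" is taken to mean any write-once, read-many copy (WORM tape, object lock, or similar).

```python
"""Check a backup inventory against the 3-2-1-1 rule.

Added example, not vendor code. The inventories below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str        # storage format, e.g. "disk", "tape", "object-storage"
    offsite: bool      # held outside the primary site (cloud or secure storage)
    immutable: bool    # write-once, read-many: cannot be altered or deleted early
    primary: bool = False


def check_3_2_1_1(copies):
    """Return the list of rule violations; an empty list means the inventory complies."""
    problems = []
    backups = [c for c in copies if not c.primary]
    local = [c for c in copies if not c.offsite]
    # 3: three copies in total, one primary and two backups
    if not any(c.primary for c in copies):
        problems.append("no primary copy recorded")
    if len(backups) < 2:
        problems.append(f"need at least 2 backup copies, found {len(backups)}")
    # 2: two copies kept locally, on two different formats
    if len(local) < 2 or len({c.medium for c in local}) < 2:
        problems.append("need 2 local copies on 2 different media")
    # 1: at least one copy off-site
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    # 1: at least one immutable copy, so ransomware or an admin error
    #    cannot destroy the last good restore point
    if not any(c.immutable for c in copies):
        problems.append("no immutable copy")
    return problems


# Constructed inventories for the demo.
COMPLIANT = [
    BackupCopy("prod-san", "disk", offsite=False, immutable=False, primary=True),
    BackupCopy("worm-tape", "tape", offsite=False, immutable=True),
    BackupCopy("cloud-vault", "object-storage", offsite=True, immutable=True),
]

OLD_3_2_1 = [  # satisfies the older 3-2-1 rule but has no immutable copy
    BackupCopy("prod-san", "disk", offsite=False, immutable=False, primary=True),
    BackupCopy("weekly-tape", "tape", offsite=False, immutable=False),
    BackupCopy("cloud-sync", "object-storage", offsite=True, immutable=False),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("old 3-2-1", OLD_3_2_1)):
        print(name, "->", check_3_2_1_1(inventory) or "OK")
```

The second inventory is the typical gap: a cloud sync that the same credentials can overwrite or delete counts as off-site but not as immutable, which is exactly the copy an attacker with admin access goes after.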
Malicious or criminal attacks are a leading cause of data breaches notified to the OAIC.
Strong password protection strategies, including raising staff awareness about the importance of
protecting credentials, can greatly reduce the risk of this type of data breach.
Australia’s leading agency on national cyber security, the Australian Cyber Security Centre (ACSC), says credentials (usernames and passwords) are typically stolen when:
a user is tricked into entering their credentials into a page that mimics the legitimate site
a brute-force (automated trial-and-error) attack on username and password combinations is performed against a service, if it doesn’t prevent such activity
a service is compromised, and credentials are stolen and used to access the system or tested against other sites such as social media and email
a user’s system is compromised by malware designed to steal credentials.
Improving staff awareness of cyber security issues and threats, including the cyber risk environment in which an organization operates, needs to be a priority for all businesses.
Cybercriminals use common tricks to get employees to reveal their organizational credentials, enabling the exploitation of sensitive information including data protected under the Privacy Act 1988. These include:
phishing, where confidential information is stolen by sending fraudulent messages to victims
spear phishing, a dangerous class of phishing where criminals use social engineering to target companies and individuals using very realistic bait or messages, based on company information sourced from publicly available information such as annual reports, shareholder updates and media releases.
The ACSC recommends prevention techniques such as clearly documenting and training employees in cyber security systems and plans, and designing and implementing cyber security awareness programs for all employees.
Passwords
To mitigate data spills and breaches and other cyber security incidents, the ACSC advises the following:
require all users to periodically reset passwords to reduce the ongoing risk of credential compromises
consider increasing password length and complexity requirements to mitigate the risk of brute-force attacks being successful
implement a lockout for multiple failed login attempts
if credentials have been compromised, reset passwords as soon as possible
discourage users from reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service
recommend the use of passphrases that are not based on simple dictionary words or a combination of personal information: this reduces the risk of password guessing and simple brute-forcing
advise users to ensure new passwords do not follow a recognisable pattern: this reduces the risk of intelligent brute-forcing based on previously stolen credentials.
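The password items above (length, no decorated dictionary word, no personal information, no recognisable pattern or trivially altered old password) can be enforced at reset time. The following is an added example, not ACSC code: `MIN_LENGTH`, the tiny `DICTIONARY`, the `LEET` substitution table and the sequence list are assumptions for the demo, and a real deployment would load a full wordlist and a breached-password corpus instead.

```python
"""Password-policy checks for the ACSC items above.

Added example, not ACSC code. MIN_LENGTH, DICTIONARY, LEET and SEQUENCES
are demo assumptions.
"""
import re

MIN_LENGTH = 14   # assumed; the page recommends longer passwords but sets no number

# Constructed stand-in for a dictionary / common-password list.
DICTIONARY = {"password", "welcome", "summer", "winter", "company",
              "dragon", "monkey", "letmein"}

# Common symbol-for-letter substitutions, folded back so P@ssw0rd == password.
LEET = str.maketrans("@$0135", "asoies")

# Sequences people reach for: keyboard rows, digits, the alphabet.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz")


def core(password):
    """Strip the decorations people bolt onto an old password (Summer2023! -> summer)
    and fold substitutions, so two passwords with the same core count as the same."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return stripped.lower().translate(LEET)


def has_sequence(password, length=4):
    """True if the password contains a run of `length` adjacent keys or characters."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - length + 1):
            chunk = seq[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(new, old_passwords=(), personal=()):
    """Return the list of policy failures; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    new_core = core(new)
    if new_core in DICTIONARY:
        problems.append("a single dictionary word with decorations")
    low = new.lower()
    for item in personal:                      # name, username, birth year, pet...
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if has_sequence(new):
        problems.append("contains a keyboard, alphabetic or numeric sequence")
    for old in old_passwords:
        if low.translate(LEET) == old.lower().translate(LEET):
            problems.append("reuses a previous password")
            break
        if new_core and new_core == core(old):  # Winter2023! -> Winter2024!
            problems.append("previous password with a changed prefix/suffix")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@ssw0rd2024!", "correct-horse-battery-staple-2099"):
        print(candidate, "->", check_password(candidate) or "accepted")
    print(check_password("Winter2024!", old_passwords=["Winter2023!"]))
```

The `core` comparison is what catches the exclamation-point and incremented-year habit: both the old and the new password reduce to the same word, so the change is rejected even though the strings differ.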
Software systems
To mitigate data spills and breaches and other cyber security incidents, the ACSC advises the following:
use multi-factor authentication for all remote access to business systems and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository
look out for unusual account activity or suspicious logins: this may help detect when a service such as email has been compromised and needs a password reset
encourage users to think carefully before entering credentials, e.g.:
  o ask if this is normal
  o don’t enter credentials into a form loaded from a link sent in email, chat, or other means open to receiving communications from an unknown party
  o even if the page looks like the service being reset, think twice
  o do not click the link; instead, browse to the website and reset the password from there
  o be aware that friends’ or other contacts’ accounts could be compromised and controlled by a third party to also send a link
keep operating systems, browsers and plugins up-to-date with patches and fixes
enable anti-virus protections to help guard against malware that steals credentials.
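Two of the items above, a lockout after repeated failed logins (from the Passwords list) and watching for unusual account activity or suspicious logins, can be checked against authentication logs. The following is an added example and not ACSC code: the log line format, the `MAX_FAILURES` and `WINDOW` thresholds, the sample log and the `KNOWN_SOURCES` baseline are all constructed for the demo, so the regex would need adapting to your own authentication logs.

```python
"""Failed-login lockout and suspicious-login detection over auth log lines.

Added example, not ACSC code. Line format, thresholds, sample log and the
known-source baseline are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumed lockout threshold
WINDOW = timedelta(minutes=10)    # assumed: failures are counted within this window

# Constructed log format: <ISO timestamp> auth user=<name> src=<ip> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2024-03-01T08:00:01 auth user=alice src=203.0.113.10 result=OK
2024-03-01T08:05:10 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:05:12 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:05:14 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:05:16 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:05:18 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:05:20 auth user=bob src=198.51.100.7 result=FAIL
2024-03-01T08:06:00 auth user=bob src=198.51.100.7 result=OK
2024-03-01T08:30:00 auth user=alice src=192.0.2.55 result=OK
2024-03-01T09:00:00 auth user=carol src=203.0.113.30 result=FAIL
2024-03-01T09:00:05 auth user=carol src=203.0.113.30 result=OK
"""

# Constructed baseline of where each account normally logs in from.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                   "src": m["src"], "result": m["result"]}


def analyse(lines, known_sources=None, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (alerts, locked): alerts as (time, user, kind, detail) tuples,
    locked as {user: time the lockout threshold was reached}."""
    known = {u: set(s) for u, s in (known_sources or {}).items()}
    recent_failures = defaultdict(deque)   # user -> failure times inside the window
    locked = {}
    alerts = []
    for ev in parse(lines):
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        fails = recent_failures[user]
        while fails and ts - fails[0] > window:   # forget failures older than the window
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ts)
            if len(fails) >= max_failures and user not in locked:
                locked[user] = ts
                alerts.append((ts, user, "lockout", f"{len(fails)} failures from {src}"))
            continue
        # A success after a lockout, or from a source this account has never used,
        # is the "unusual account activity" that warrants a closer look or a forced reset.
        if user in locked:
            alerts.append((ts, user, "success-after-lockout", src))
        if user in known and src not in known[user]:
            alerts.append((ts, user, "new-source", src))
        known.setdefault(user, set()).add(src)
        fails.clear()
    return alerts, locked


if __name__ == "__main__":
    found, locks = analyse(SAMPLE_LOG, KNOWN_SOURCES)
    for ts, user, kind, detail in found:
        print(f"{ts:%H:%M:%S} {user:<6} {kind:<22} {detail}")
```

On the sample log this yields a lockout for bob at the fifth failure, a success from the same address shortly after the lockout (both flagged), and a first login for alice from an address outside her baseline; carol's single failure followed by a success produces nothing. The sliding window matters: the same number of failures spread over hours never reaches the threshold, which is the behaviour you want so that ordinary typos do not lock people out.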