Ensuring data security becomes harder every day. Firstly, sensitive data is often spread across on-premises and cloud-based storage locations, which makes it more difficult to maintain security controls. Secondly, the volume of data, including sensitive information, continues to grow, which means that more data requires protection. Finally, cybercriminals get more innovative all the time. As a result, securing data in compliance with increasingly complex regulations is a challenge.
By Ilia Sotnikov, Vice President, Product Management, Netwrix
A Netwrix IT Risks Report explored how organizations were working to ensure compliance and beat cyber threats. Unfortunately, the results indicated that organizations weren’t doing enough to defeat the bad guys. Here are the 10 most neglected security best practices:
1. Classify data based on its sensitivity
Security experts recommend that organizations classify data at least twice a year, so they can reset access rights and ensure that only the right people have access to data.
Reality check: 64% of organizations admit that they classify data based on its level of sensitivity just once per year or even less frequently.
Pro tip: Many organizations rely on users to classify data, which rarely works well. Look for data discovery and classification products that automate the classification process.
2. Update data access rights
To prevent unauthorized access to data, security experts recommend strictly enforcing the least privilege principle, as well as reviewing access rights every six months and after important events like an employee termination.
Reality check: 51% of organizations do not update data access rights even once a year.
Pro tip: Look for governance solutions that can assess and control access rights, both as part of an ongoing process as well as ad hoc. Also, look for reporting and alerting tools that can ensure it’s all being done correctly and securely.
3. Review data available to everyone
To reduce the risk to sensitive data, security experts say that at least every three months, organizations should check that folders and shares available to everyone don’t contain sensitive data.
Reality check: 76% of organizations are not doing this frequently enough, and some never do it at all.
Pro tip: Look for solutions that can automate a continuous program to discover, classify and secure content regardless of where it resides, so you can reduce your attack surface.
4. Get rid of stale data
When you no longer need data for daily operations, it should be archived or deleted. To mitigate security risks, experts recommend doing this every 90 days.
Reality check: Only 18% of organizations delete unnecessary data once a quarter, meaning that 82% of organizations are needlessly increasing their threat exposure.
Pro tip: Deploy an automated solution that can find stale data and collaborate with the data owners to determine which data can be archived or permanently deleted.
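Practices 1, 3 and 4 above (classify by sensitivity, review what is readable by everyone, and find stale data) are the parts of this list that can be checked mechanically on a file share. The script below is an added example written for this article, not Netwrix code or a product feature: it walks a directory tree, tags files whose contents match two constructed sensitivity patterns (a US-style SSN and a Luhn-valid card number), flags files that are world-readable on POSIX permissions, and flags files not modified in 90 days. The sample share it builds in a temporary directory, the 90-day threshold and the patterns are assumptions for the demonstration; a Windows share would need an ACL check instead of the POSIX mode bit.

```python
import os
import re
import stat
import time
import tempfile
from dataclasses import dataclass

STALE_AFTER_DAYS = 90  # practice 4: review data untouched for a quarter

# Constructed detection patterns (assumption: US-style SSNs and 13-16 digit card numbers).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Practice 1: return the sensitivity labels found in a file's content."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            labels.add("card")
            break
    return labels


def is_world_readable(path: str) -> bool:
    """Practice 3: POSIX 'other' read bit on the file itself (parent dirs not considered)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def is_stale(path: str, now: float, days: int = STALE_AFTER_DAYS) -> bool:
    return (now - os.stat(path).st_mtime) > days * 86400


@dataclass
class Finding:
    path: str
    labels: set
    world_readable: bool
    stale: bool


def scan_tree(root: str, now: float = None) -> list:
    """Walk the share; keep files that are sensitive, stale, or both."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not reported
            labels = classify_text(text)
            stale = is_stale(path, now)
            if labels or stale:
                findings.append(Finding(path, labels, is_world_readable(path), stale))
    return findings


def exposed_sensitive(findings: list) -> list:
    """The highest-priority subset: sensitive content readable by everyone."""
    return [f for f in findings if f.labels and f.world_readable]


def build_sample_share() -> str:
    """Constructed sample share: two benign files, one open SSN export, one stale card note."""
    root = tempfile.mkdtemp(prefix="share_")

    def write(rel, text, mode, age_days):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(text)
        os.chmod(p, mode)
        ts = time.time() - age_days * 86400
        os.utime(p, (ts, ts))

    write("public/newsletter.txt", "Company picnic on Friday.", 0o644, 5)
    write("public/payroll_export.csv", "name,ssn\nAlice,123-45-6789\n", 0o644, 10)
    write("hr/old_cards.txt", "card 4539 1488 0343 6467 on file", 0o600, 200)
    write("hr/notes.txt", "quarterly review notes", 0o600, 3)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print(f"{f.path}: labels={sorted(f.labels)} world_readable={f.world_readable} stale={f.stale}")
```

Run against a real mount point, the `exposed_sensitive` list is what the article's quarterly "available to everyone" review should come back empty on, and the `stale` flag is the input to the archive-or-delete conversation with data owners.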
5. Conduct asset inventory regularly
Security experts encourage you to identify all your assets (e.g. databases, software, and computer equipment) and determine who is responsible for them at least once a quarter.
Reality check: Just 29% of organizations stick to the recommended schedule.
Pro tip: Choose an asset tracking solution that streamlines data collection and analysis to locate every asset within your company. Make sure it is easy to use and fits your needs.
6. Update and patch software promptly
Installing security updates for your software in a timely manner enables you to mitigate vulnerabilities. The recommended frequency depends on patch and system importance and other factors; it varies from weekly for critical security patches to quarterly for less urgent patches, such as maintenance patches.
Reality check: 33% of organizations do not update their software even once in 90 days.
Pro tip: Establish a dedicated testing environment or at least a segment for patch testing to avoid incompatibility or performance issues.
7. Perform vulnerability assessments
Regular vulnerability assessments help you locate security gaps and reduce your exposure to attacks. Security experts recommend running these assessments at least once a month.
Reality check: 82% of organizations do this only twice a year or don’t do it at all.
Pro tip: Find products that can continuously evaluate threats to your data and make sure you know which threat actors do the most harm to your business. Even better, find tools whose alerting keeps the number of false alarms low.
8. Create and maintain an incident response plan
There are several parts to a resilient security response plan: Draft a plan, get it approved, regularly train employees, and do test runs.
Reality check: 83% of organizations admit to failing to execute all these stages.
Pro tip: Conduct random tests to see how admins and regular users react to security threats and evaluate how your plan is working in real life.
9. Update admin passwords regularly
If an administrator’s credentials are compromised by attackers, whether the credential is shared or not, the entire IT infrastructure is at risk. Security experts recommend changing admin passwords at least every quarter.
Reality check: Only 38% of organizations change their admin passwords at least once every 90 days.
Pro tip: Don’t use shared admin passwords, even if you update them every week. Each privileged user should have their own admin credentials and the passwords should be changed regularly.
10. Update user passwords regularly
While the goal of threat actors is to get administrative credentials, the gateway to that information is oftentimes accessing a user’s credentials. A security best practice is to require users to change their passwords at least every 90 days.
Reality check: 42% of organizations mandate a password change less frequently than once a quarter.
Pro tip: Require users to choose strong passwords (with a minimum number of characters and symbols) and change them once every 90 days. Also, consider deploying multifactor authentication and single sign-on.
Following these security best practices can help you reduce your attack surface and minimize the risk of security and compliance issues. Rigorously implementing security basics such as finding, classifying, and securing your data is essential to preventing attackers from stealing your sensitive data and ruining your company’s reputation.
About the Author
Ilia Sotnikov is responsible for Netwrix product vision and strategy. He has over 15 years of experience in the IT management software market. Prior to joining Netwrix in 2013, he was managing SharePoint solutions at Quest Software (later acquired by Dell).
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.