Channel: Blog | Dell
Action Plan for Small Enterprises

In my last blog we created a security baseline to help organizations adequately protect sensitive data. While this series has focused on guidance for smaller companies, the basic principles can be applied to any organization. The key difference is that smaller companies will be under pressure to spend on compliance while their secrets, which hold the ‘real’ value, remain unprotected. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage, but the challenge of working out how all these secrets are stored within an organization tends to be one of the reasons smaller companies shy away from protecting them.

Based on the results of the three principles, here are three (I like threes) actions to execute:

  • Re-prioritize Enterprise Security Investments — Programs where control strategies are “overweighted” toward compliance and preventing employee accidents should consider data-centric technologies like enterprise rights management (ERM), fine-grained access controls, and DLP. To increase acceptance by the employees who must protect the information, use a simple data classification strategy with just three levels: public, internal use only, and need-to-know. To reduce theft of secrets by privileged insiders, build core competencies in network security monitoring (SIEM); for small companies this may mean buying in the expertise.
  • Increase Vigilance of External and Third-party Business Relationships — Enterprises with significant exposure to third parties should take steps to monitor and restrict information flows. If possible, mandate the installation of technical controls on third-party devices that store significant quantities of secrets or custodial data. Additionally, you could consider data sharing strategies that don’t require third parties to store data on their devices, such as client virtualization.
  • Measure Effectiveness of Your Data Security Program — Security managers should rely on facts, rather than faith, for proof of effectiveness of their data security programs. Develop a process for tracking key performance indicators that measure the effectiveness of data protection efforts, such as frequency and cost of incidents. Wherever possible, benchmark against comparable firms using data from studies like this one or using public data sources like DataLossDB.  Use knowledge gained from these resources to develop effective programs to protect corporate secrets.

These steps are by no means a one-time-only proposition. Our businesses and priorities tend to change daily, and that, coupled with the constantly changing threat landscape, leaves smaller companies at higher risk from cybercriminals who can gain financially from stealing their secrets. Only if we continue to follow these basic principles and stay vigilant about our business can we keep our data safe.
