5 New Rules For Keeping Your Company's Data Safe

By Matthew Erickson, director of technology, SpiderOak

Today’s field service industry depends more than ever on connected devices, and managing human communications is just the tip of the iceberg. While machines and Internet of Things (IoT) devices are empowering new insights and control for companies managing field operations, the accompanying risks are escalating. Today’s adversaries are much more advanced and persistent in their efforts to break into networks than before, and advanced nation-state actors are increasingly leading the attacks on key industrial sectors, utilities, and governments. When combined with the explosion of connected devices, the opportunities for becoming compromised become dizzying. The entire landscape of security has changed.

How To Keep Your Company Healthy

In order for companies to successfully keep their field operations healthy in what will become an even higher threat environment in the months and years ahead, there must be a complete shift in thinking about data and systems security. This foundational shift in how to approach cybersecurity relies on five core elements that company leadership must adopt in the new reality of cyberattacks.

By embracing these steps, and driving these actions and behaviors down into the organization, CEOs and their executive teams, as well as their boards of directors, can turn what could have been a multi-billion-dollar problem into one that barely affects the balance sheet.

Rule #1: Have A Clear Inventory Of What Data Is Critical To Your Organization

If you suffered a breach today, what would cause you to be out of business tomorrow? Most organizations lack a clear understanding of what data and data flows exist within their systems, making it impossible to know what to secure, and if breached, how extensive the impact actually is.

The era of Big Data has driven organizations to collect as much information as possible. This amassing of data presents opportunities for greater insights and actionable data, but it also presents a higher risk. Data is a liability that can be measured in dollars, and most organizations hoard it without a second thought.

In creating an inventory of all the data retained and its purpose, an organization can then identify which pieces are necessary to its ongoing operations and which are not. Organizations need to be able to triage-  to invest immediately in the high-value and easiest-to-protect data. With a data audit, prioritization, and triage, organizations can focus on what needs to happen first and allocate resources accordingly.

Rule #2: Create A “Two-Person Rule” For Your Data And Processes

In every movie set in a Cold War submarine, there are two stern-faced naval officers looking at each other as they both turn the keys to fire missiles. Each officer has his own responsibilities in validating and carrying out orders, and, when they agree – IF they agree – they both turn the keys. Likewise, in your accounting department, you probably already have dual-signature checks and other oversight measures on your cashflow. Most organizations, however, lack the same level of accountability across the rest of their departments.

The common approach to securing data today implicitly trusts many people within your systems with varying amounts of independent authority. Likewise, the common approach to preventing abuse or misuse of authority amounts to monitoring in order to track issues as they happen, or, more commonly, simply providing forensic analysis after the damage is already done.

By making sure that critical operations and data access are guarded by multiple authorities, each checking the validity and work of the other, you minimize the risk that a compromise of any one part or person in the system compromises everything.

Rule #3: Compartmentalize Your Data

Corporate America has made oversharing a standard practice for decades: over 70 percent of employees have access to data they don’t need to do their jobs (Ponemon Institute).

Organizations keep multiple layers of data related to their operations – from financials and customer information to the organization’s intellectual property, employee Social Security numbers, and company emails. In the vast majority of cases, this data is concentrated in one or just a few servers, where the data for one purpose is connected to data for another. This creates a network of linked exposure; a breach in one area can domino quickly into a breach of another database.

Thus, if a field technician gets targeted and compromised, it is not only their job specific data that is compromised; the hacker can then access whatever is linked to the data, including highly confidential customer information. If a customer support system is attacked, your CEO’s communications with the board of may be at risk.

By making sure that the ability to view and work with data in an organization is aligned with job responsibilities and enforced technologically, you can make sure that any one failure of security is not a total failure of security for the organization.

Rule #4: Build Your Defense In Depth

Building effective security out to the endpoints of an organization is essential. Many systems use a centralized server with authenticated APIs for what amounts to little more than a thin client on a mobile device. In today’s threat climate, however, this presents more opportunities for breaking and capturing data. A server vulnerability becomes exploitable by every single device in the field, and every device is part of the attack surface. As various deep packet inspection technologies are deployed by more and more network operators, not only does your organization’s private data become readable to the operator, but now that operator becomes part of your security attack surface.

By fully utilizing end-to-end encrypted technologies, and with careful management of data access through cryptography, you can eliminate all of these problems from your attack surface. Don’t just rely on the encryption from SSL– ensure its part of your protocol.

Rule #5: Keep The Keys To Your Kingdom Offline

Modern security relies on minimizing the number of things you have to trust. If you are not encrypting your data, compartmentalizing it, and understanding to whom you are granting access, you are effectively creating an infinite number of things you have to trust to be secure. By employing the four rules above, companies will have a very limited number of things to have to trust: the secrets involved in decrypting your data. For there to be a complete and massive compromise of your business, a cybercriminal has to find and obtain those secrets.

Today’s computing environment, from the CPU to the web browser, contains millions of ways to compromise systems and enable attackers get those secrets. Organizations can use hardware tools that, based on cryptography, enable them to keep their closest secrets on special USB keys. When not in use and connected to a system, those devices can be kept in a safe. Thus, even if attackers get complete control over an organization’s computers, if the secrets are stored and secured in this way, it would be impossible to expose sensitive data.

As companies build their investments in new technologies and mobile apps for field operations, they will continue to face challenges around integrating new tech with old systems and standardizing their data access and flows. By employing these core principles of data and systems security as they implement new technology, companies will be able to scale operations much more securely and prevent new vulnerabilities from emerging as potential threats.