Data security is inarguably important – and with the drive for today’s government agencies and organizations to evaluate and migrate to a centralized cloud-based infrastructure, it’s more important than ever. But while virtual environments hold plenty of benefits, they also impact your direct control over your security environment. Yes, you can mitigate some of the pain that comes with relinquishing direct control through your choice of a public, private, or hybrid cloud (each has its benefits) – but each still takes your data virtual. Thankfully, there are ways to reclaim that security, protect your data, and reap the rewards of the cloud. Here’s my four-step approach:
1. Use tech to remain vigilant – There are plenty of technologies available to help you protect your data. Be proactive and put in place the right firewalls and virus protections, secure controls around your data, and make sure that you have a secure infrastructure and software around your application(s). Use what you have – and constantly remain on the lookout for new, successful technologies that can improve upon your systems and processes. Firewalls and intrusion detection systems are good protection against external attack, however, firewalls do not protect data where legitimate users have access and could constitute an insider threat. Emerging technologies are developing everyday such that data on the wire can be protected through encryption and data signature schemes. New threats are always emerging, so you must continue to evaluate new data defense systems as they mature and become available.
2. Continuously monitor – New threats emerge every day. Whether your data is on-site or in the cloud, it’s important to continuously monitor for intrusions, hacking attempts, and insider threats to your data.
The recent attacks against the U.S. government, believed to originate in China, are clear examples of why continuous monitoring is critical. Sensitive data is what you want to protect – and what the other guy wants. Technical tools for prevention are essential, but the monitoring component of Cyber Defense is critical for situational awareness, insider threat, and intrusion response.
Of course, some agencies already have set systems in place, such as EINSTEIN 3 or OPM’s continuous monitoring tools; but beyond baseline intrusion software, you still need to keep eyes out and remain vigilant through add-on technologies, and protocols and Cyber Defense teams (such as individualized intrusion-detection systems, event monitoring, positive identification response, and ongoing testing).
3. Education is key – A staggering 78 percent of companies have had a data breach as a result of employee negligence or malicious action.1 Needless to say, an educated team is your best defense and offense. Make sure your people are aware of proper procedures and protocols for everyday activities, such as how to work online, how to secure sensitive data, or even securely access and send email. For example, training everyone on how to properly secure information sent via email is key – because, regardless of whether it’s secure/secret, personal/private, or company private, once it’s out there, it’s out there … Don’t assume that anything is a given; take the time to educate at every level.
4. Back up your data – It should go without saying, but you’d be surprised how often data backups are overlooked or skipped. According to the 2015 Cost of Data Breach Study, the average cost of each stolen record is $154 ($68 in the public sector) 2; those costs add up quickly (to an average consolidated total cost of $3.8 million). Completing simple backups can be a lifeline if defenses fail. Do it – no excuses.
They say practice what you preach … and we do. In the education arena, all Suntiva employees with clearances attend annual security training, part of which includes data protection training and testing. As for backups, we take data security and recovery extremely seriously – which is why we back up immense amounts of government data around Army procurement – and test to ensure recoverability against a stringent disaster recovery plan – four times each year. We also help clients to either create or facilitate full cybersecurity and cyber analytics plans and strategies, leveraging our experience to ensure comprehensiveness at all stages.
Keeping data secure is more than a full-time job – but following the four-step approach outlined above will help your organization take great steps toward success.
1 Data Recovery Center, http://www.datarecovercenter.pt/en/services/dlp-data-loss-prevention/
2 IBM and Ponemon Institute 2015 Cost of Data Breach study, http://www-03.ibm.com/security/data-breach/?cm_mc_uid=36145611266314428491256&cm_mc_sid_50200000=1442849125
Chris Turpin, Suntiva Director, has more than 25 years’ experience in IT, management, and consulting. He has been a key leader in developing Suntiva’s IT capabilities and service lines, and prior to joining Suntiva, he held senior IT director, infrastructure, and application development positions. Chris is a certified Project Management Professional (PMP) and holds a Bachelor of Science in Public Administration from George Mason University, a Masters Certificate in Project Management from George Washington University, and a Certificate for Computer Programming.
Suntiva is a management and performance consulting company located in Falls Church, VA that focuses on supporting federal government agencies. Suntiva provides services that enable agencies to plan, deliver and oversee IT programs, improve organization performance, develop their employees, validate program results, and manage the acquisition lifecycle. Suntiva makes organizations, programs, and employees measurably successful—by solving critical challenges with great minds and great hearts.