
Researching Data Security Tips and Tricks

Cybersecurity experts discuss how individuals and companies should help ensure their data is secure and what to look for in a security provider.

Chris Pogue

Chief Information Security Officer, Nuix

What steps do you personally take on a regular basis to secure sensitive data?

I use full-disk encryption on my laptop; if it’s ever stolen or lost, the data has significantly less danger of disclosure. I encrypt all of my documents on a small USB drive and keep it separate from my laptop — usually on my person to safeguard it in case my laptop or luggage is ever lost. I also back up critical data encrypted in the cloud, use a password manager that is both local and cloud-based, and use multi-factor authentication whenever and wherever I can.

What is the biggest mistake you see companies make?

For starters, most companies don’t understand the threats and oversimplify countermeasures. They need to know what they’re up against by conducting regular penetration tests collaboratively with detection and investigations to see what the different stages of an attack look like and which areas pose the greatest risk. Many companies also dangerously rely on legacy security tools, often inefficiently cobbled together and presenting risky security gaps. They operate with a limited view of activity across the enterprise, not taking in the big picture, and mistakenly focus solely on external threats when insiders — inadvertently or otherwise — pose at least as much of a threat as hackers do. 

What should readers be looking for in a security provider?

The key is to find a security vendor that will listen to you about your needs, demonstrate expertise, work with your existing IT and security investments, and focus on your success. There are plenty of vendors trying to sell you their widget or solution, ranging from bad to good, but not all of them are focused on working together with you to safeguard your data, your systems and your customers.

Christine Marciano

CEO, Cyber Data Risk Managers

What steps do you personally take on a regular basis to secure sensitive data?

Whether I’m working remotely, in my office, or out of the country, I’m diligent in making sure my internet connection is secure. When on the road, I never connect to public Wi-Fi to check my email or transmit sensitive client information as that bears too much risk for both myself and my cyber insurance clients. In addition, I use different passwords for every application I use.

What is the biggest mistake you see companies make?

Many companies are chasing the latest and greatest security tools and systems. This leaves too many open endpoints, as most of these systems cannot be seamlessly integrated in a way the company requires. Today, all it takes is one unprotected endpoint in “people, process or technology” that leaves companies openly exposed as a target for a cyberattack or data breach.

What should readers be looking for in a security provider?

Too often, the conversation on cybersecurity is predicated on fear, uncertainty and doubt. Look for a cyber security provider that has a high level of integrity and don’t choose one at random. I’m often asked by clients for a referral to security providers, and have a trusted provider list that I use. With all of the cyber security technologies available today, companies should look beyond what technology to invest in and understand the positive effects of why they’re investing in it.

Josh Feinblum

Vice President of Information Security, Rapid7

What steps do you personally take on a regular basis to secure sensitive data?

Work to secure sensitive data never ceases. Our business moves at a breakneck pace and sensitive data scales at the same speed. Sensitive data is impacted when we build new products, improve existing products, communicate with our customers or support our employees. Every day I make sure that I touch on at least one major internal initiative to see how it’s progressing and ensure it’s getting the right level of support from the security organization. I also make sure to close the loop on at least one less significant issue every day. As practitioners, we are all frequently aware of various risks in our organizations. My key focus is making sure that we’re making continual progress and that we stay up to speed on high-impact initiatives so we may avoid unpleasant surprises.

What is the biggest mistake you see companies make?

Many organizations work to build large, complex security programs and processes, and forget the basics. Getting back to the fundamentals is the single most valuable action many companies can take. If they’re investing large sums of money in a security program and don’t have a strong patching program or a widely adopted approach to two-factor authentication, they’re doing things in the wrong order.

What should readers be looking for in a security provider?

A good security provider should lead by example and be capable of demonstrating the efficacy of their solutions. Along the journey, that provider should establish a relationship with you that feels like a great and transparent partnership. If it doesn’t feel like a product is fulfilling its promise, it’s probably the provider’s fault. Make sure that you are trusting vendors that secure your data the way you secure it yourself. It speaks volumes about an organization if they espouse one set of behaviors and then fail to follow their own guidance. 

James Carder

Chief Information Security Officer and Vice President, LogRhythm

What steps do you personally take on a regular basis to secure sensitive data?

When securing sensitive data, you really have to look at three particular aspects: data at rest, data in motion and the need to know. For data at rest, you want to make sure the data is encrypted. You can apply passwords or use keys to lock and unlock the data as necessary. This key or password should be unique and only given to people that need it. If you are sending or transmitting the data, you want to make sure it’s done using a secure transport mechanism that leverages encryption like SSH or SSL. Finally, you should only provide the data to people that have a need to access the data, and make sure to validate they are who they say they are when requesting access or granting access. All three of these aspects can be managed in many ways from automatic drive encryption to two-factor authentication. The steps I take daily depend very much on the type of data and the risk tied to the possible exposure of that data. 

What is the biggest mistake you see companies make?

The biggest mistake companies make is assuming they are not a target or at risk of a cyberattack. These companies tend to not invest in keeping their information technology infrastructure modern. They don’t enforce basic processes and principles such as patch management or backup and recovery. They also do not invest in the security controls necessary to protect, detect and respond to security events before they escalate into full-blown breaches.

What should readers be looking for in a security provider?

Readers should be looking for a security partner, not a provider. The relationship with the partner is equally as important as the technology or services provided. Readers should also be looking at security partners that are in alignment with their business needs. The best partners provide technology and services that have a substantial impact and value to the reader’s overall security mission. Security is fundamentally about risk management. Find the partner that understands your definition of risk and helps you manage that risk at the right level for your business.

Matt Morris

Vice President of Products and Strategy, NexDefense

What steps do you personally take on a regular basis to secure sensitive data?

Security is more of a verb than a noun. Yes, it’s an inconvenience, but just as #WannaCry illustrated, a little bit of pain daily can prevent major pain later on. The following list should go a long way in helping readers protect their sensitive data: always use passwords, preferably long ones, for everything (and don’t write them down beside the computer); leverage two-factor authentication; lock screen savers with passwords; always use secure virtual private networks (VPN); use endpoint protection and virus scanning software; be skeptical of links and attachments in emails; and avoid USBs, period.

What is the biggest mistake you see companies make?

At NexDefense, we live in a different context than most other security companies. We focus on industrial control system environments, such as oil rigs, utility substations, power generation, manufacturing plants, mines, etc.

The biggest mistake I see industrial-leaning companies make is taking a reactive approach. Far too many companies wait until something like #WannaCry, #StuxNet, #Havex or a similarly deviant malware or attack shows up on their doorstep. Companies must be more vigilant and prepare themselves now.

What should readers be looking for in a security provider?

My recommendation for researching and selecting a provider would be to look at companies that fundamentally understand and take a holistic view of production, safety and security. Many providers claim to assist with human errors, system failures or malicious security, but in reality they spend 99 percent of their time focused solely on security. But this is at the exclusion of other risks such as design flaws, system misconfigurations and even regulatory issues.

Nicholas Friedman

CEO, Templar Shield

What steps do you personally take on a regular basis to secure sensitive data?

Securing sensitive data goes hand in hand with limiting potential vulnerabilities through risk awareness. I encrypt data in transit and at rest, use VPNs when traveling, and only use secured wireless networks. Additionally, I keep my systems up to date on patches, avoid suspicious emails and rotate my passwords regularly.

What is the biggest mistake you see companies make?

Not knowing where their sensitive data lies and when to get rid of it. Too many times companies are just checking compliance boxes and not taking a risk-based approach to securing their data. This leads to applying under- or over-compensating controls which can cause additional costs to the organization. 

What should readers be looking for in a security provider?

A good partner won’t sell you a tool or service to solve your security needs. They invest time to understand your business, grasp your maturity, identify weaknesses, and provide both strategic and tactical solutions to mature your security posture. Limiting potential vulnerabilities through risk awareness, management and mitigation is the goal.