More than three in four IT decision makers in North America believe their organizations will be hit by a data breach in the next three years, according to a new study by Adastra, a Toronto, Canada-based data and analytics solution provider.
Cybersecurity Protections Lacking
Of the 882 IT pros in the U.S. (589) and Canada (293) participating in the study conducted during the first two weeks of December 2022, 86% said their companies either have a cybersecurity division or are in the process of establishing one.
According to Adastra, here are 10 data security steps organizations should consider to protect their data, particularly as remote workers return to the office:
- Employee re-education on systems and protocols. Employees who go through regular phishing tests may be less likely to engage with malicious actors over email or text messaging.
- Know your inventory. Inventories can be a part of the overall vulnerability management program to keep all assets up to date. Also, a data inventory or catalog identifies sensitive data and allows security controls like encryption, access restrictions and monitoring to be placed on the most important data.
- Delete redundant data. Data that resides in multiple locations may not have equal protection in each environment. Understanding what data is required and what can be archived helps to keep control over data.
- Early detection systems. Today's XDR (extended detection and response) and EDR (endpoint detection and response) systems include automated responses to common attacks. These detection systems can be monitored by internal cyber security staff or third-party security companies, such as managed security service providers (MSSPs).
- Data back-ups. Having a robust, immutable data backup plan can help an organization quickly recover from an incident. The frequency of the data backup depends on the risk the organization is willing to take. "Can we afford to lose a week's worth of data or a day's worth of data?"
- Limiting staff access. Establishing processes for provisioning and de-provisioning user access with approvals, audit trails, reports and regular attestations can limit what an attacker may be able to access in the event of compromised credentials.
- Hire a third-party company to conduct a security audit. An outside assessment of your organization’s security posture, based on established cyber security frameworks such as NIST or CIS, can provide a clearer picture of strengths and weaknesses and a road map to address your greatest vulnerabilities.
- Establish new passwords with two-factor authentication. Traditionally, users are authenticated in one of three ways: What you know (password); what you have (card access or one-time passcode); or what you are (biometrics). Adding a second factor to the ubiquitous password authentication adds another layer of security for access.
- Update your computer programs with the latest security features. Establishing a vulnerability management program that regularly scans software assets and applies patches is one of the most crucial security activities a company can perform.
- Physical security. Reinforcing clean desk policies and reviewing physical access controls, including access to secure areas, may be required to ensure assets are not stolen or lost. Work-from-home employees who have company assets should be routinely educated on keeping those assets secure at home, just as they would in the office.
A False Sense of Security
Commenting on the survey results, Kuljit Chahal, Adastra’s North America data security practice lead, said:
“In our role as data security experts, we have found that some companies, especially smaller ones, can be lulled into a false sense of security believing that perpetrators will not bother with them — this is absolutely not the case. The results of this survey should serve as a reminder that companies of all sizes must invest in data security protection, resources and education, particularly as we return to in-office activities.”
Adastra pointed to Statistics Canada data, which found that in 2021, 41% of data breaches occurred in small and medium-sized companies with fewer than 250 employees and that Canadian businesses impacted by cyber breaches spent a collective $600 million to recover.