Why a Layered Approach to Security is the New Normal
The perpetually increasing complexity and variety of modern cyberattacks continue to drive the need for more robust and complex security postures. Simply having a traditional firewall in place is no longer enough to safeguard your data; left with only a firewall as protection, your network is extremely vulnerable to infiltration. Since so many of today’s business activities take place ‘in the cloud’, it is more difficult to control the security of your data, and some Internet-based services and applications are more vulnerable to certain attacks than others. Understanding the various security risks posed by these business tools—be it an application or server—is imperative to protect yourself from potential exposure.
Add to this the increasing number of IoT devices for mobile and remote workforces (think smartphones, tablets and laptops, for example), and your network is practically begging for an attack. Understanding the necessity to a layered security approach will not only help to secure your company’s sensitive data but can also save you time and a significant amount of money by not having to recover from a breach. IBM estimates that the average cost of a data breach is $3.86 million; add to that the cost of lost business after a breach—$4.2 million—and that can literally put a smaller organization out of business.
Components of a Layered Approach to Security
Because the Internet is fraught with risks at a variety of levels, your security strategy needs to provide multiple layers of defense against them. Implementing a layered approach to your security posture ensures that a potential attacker who penetrates one layer of your defense will be stopped by a subsequent layer. Generally speaking, your security plan should cover everything from system and network-level security through application and transactional level security.
A sound security strategy has multiple layers. When developing your overall Internet policy, it is important to develop a strategy for each individual layer as well as identifying how each layer will interact with the others; this helps to ensure you have a comprehensive security safety net in place for your business. The six security protocols below are a recommended minimum starting point for your security strategy.
- Endpoint Security
- Firewalls
- Intrusion Detection and Prevention
- Vulnerability Scanning
- Penetration Testing
- Distributed Denial of Service (DDoS) Mitigation
Regulation/Compliance & Security
When considering what security solutions are right for your company, there are a number of different laws and regulations to take into consideration, depending on the industry. For some, like those in the healthcare or financial industries, security and compliance are at the forefront of their business plans. The same goes for online retailers; at first blush, it may seem that these rules would not apply, but any company that collects personal data needs to ensure that their networks and systems are protecting this information at the highest levels possible.
Personal data, also known as personally identifying information (PII) or sensitive personal information (SPI), encompasses a fairly large set of information including (but not limited to):
- Name/surname
- Date of birth
- Social security number
- Phone number
- Email address
- Home address
- IP address
- Biometric information
- Health/medical history/genetics
- Biographical information
- Religion
- Salary
Depending on the country you live in and/or do business with, there are any number of regulations and security laws that you should be familiar with in order to ensure you are compliant. In the event that you are not compliant, not only are you potentially breaking the law and opening yourself up to fines and penalties, but you are risking the reputation and longevity of your business by subjecting your customers’ personal data to exposure.
Here is a very brief overview of some of the most wide-reaching laws and regulations that you should, at a minimum, ensure you are compliant with. This is not a comprehensive list, so always perform your due diligence if you have any questions about whether or not you are subject to a particular statute, and it’s almost always better to err on the side of caution than to assume a law or regulation does not apply to your business.
GDPR EU (General Data Protection Regulation)
The purpose of the GDPR is to protect all EU citizens from privacy and data breaches in today’s data-driven world. This regulation applies to all companies processing the personal data of anyone residing within the EU, regardless of the location of the company. Fines for breaches of GDPR can be up to 4% of annual global turnover or €20 Million (whichever is greater).
Data Protection Act (UK)
This act is the UK adoption of the GDPR in support of Brexit, providing clarity on definitions used in the GDPR for in the UK context. The Act ensures that sensitive health, social care and educational data can continue to be processed while making sure that confidentiality is maintained. Additionally, the Act provides appropriate restrictions to rights to access and delete data and sets the age of parental consent to under the age of 13. Fines levied are similar to GDPR, £17 Million, and criminal charges can also be brought against offenders.
PIPEDA (Canada) Personal Information Protection and Electronic Documents Act
PIPEDA applies to the collection, use or disclosure of personal information in the course of commercial activity; federally regulated businesses such as airlines, banks, and telecom companies also fall under this umbrella. Individuals must be notified of any breach of the security safeguards involving their personal information, if there is a reasonable belief that the breach creates a “real risk of significant harm.” At the same time, the exposed organization must also report to the Privacy Commissioner of Canada. PIPEDA also requires organizations to keep and maintain a record of every breach of security safeguards for two years even if the breach is not required to be reported.
CCPA California Consumer Privacy Act
CCPA applies to businesses that fall under any one of three categories:
- Have an annual revenue in excess of $25 Million
- Buy, receive, sell or share personal information on more than 50,000 Californian households or devices
- Derive more than half of their annual revenue from selling consumer personal information
CCPA goes into effect on January 1, 2020, and protects traditional personal data as well as some more non-traditional, such as internet browsing/search history, geolocation data, and audio, electronic, visual olfactory or similar information. There are six main requirements set forth by CCPA, including the right to request that a company delete personal information and the right to opt-out of the selling of personal information.
HIPAA Privacy Rule and HIPAA Security Act
The HPR addresses the saving, accessing and sharing of medical and personal information of any individual, while the HSA more specifically outlines national security standards to protect the health data created, received, maintained or transmitted electronically.
PCI-DSS (Payment Card Industry Security Standard Data)
This standard is comprised of twelve regulations designed to reduce fraud and protect customer credit card information, which includes network security, vulnerability management, and the overall protection of cardholder data.
SOX (Sarbanes-Oxley Act of 2002)
This legislation protects the public from fraudulent or erroneous practices by corporations and other business entities. The goal of the legislation is to increase transparency in the financial reporting by corporations and to require a formalized system of checks and balances in each company. Within this act are requirements for formal data security policies to protect all stored and utilized financial information that are both communicated and enforced.
Questions to Consider
According to the 2019 State of SMB Cyber Security Report, commissioned by Continuum, cyber-attacks cost small businesses more than $50,000 per incident on average, with larger companies losing considerably more money. The survey also uncovered more than 60% of these organizations don’t have an in-house security expert to dedicate to handling threats or breaches—or even maintaining their security solutions.
When beginning your search to help close the gap created by lack of security, there are some questions to consider when implementing the best security solutions at the best price point for your business:
- How many full-time employees are at your business?
- Are your employees, including executives, trained on cybersecurity?
- What pieces of technology or what services do most of the heavy lifting for your company when it comes to security? Who manages that?
- When was the last time you were audited?
- What was the result of your last audit (if applicable)?
- When was the last time you completed a security assessment?
- Do you have an incident response plan?
If yes: How was that created to be specific to your end users, your industry, and your customers?
If no: Why not? - Do you have any specific concerns, such as changing IT security and compliance regulations?
If so, which ones? - Have you experienced any public or known business challenges, such as a data security breach or major outage?
- Do you have disaster recovery (DR) or business continuity (BC) strategies in place?
- What is the state of your company’s current cybersecurity strategy and plan?
- What is the process for selecting the security solution or tool to address your cybersecurity challenges?