Think back to the days of grade school. Remember when your teacher was calling on people and you didn’t know the answer, you did what made the most sense, make yourself as small and as unnoticeable as possible so the teacher would not call on you. The notion sounds a bit silly, but this same rule plays out many times over throughout our lives. Keeping a low profile or flying below the radar makes sense in many instances to avoid being targeted. Some professions even teach this as the key to survival including the most extreme instances of law enforcement and armed forces. Reducing your mass also reduces the area which the enemy can target you. It’s the law of survival.
All of these tactics which we picked up in third grade when Mrs. Glass was calling on kids for the correct answer to the math problem, applies all these years later when it comes to cyber security and compliance. Being able to reduce your surface or exposure area will reduce the chances that your organization will be the next victim of an attack. And there are several key steps you can take:
- Access Rights – Chances are that more people access your network than ever before. They may include but are not limited to employees, customers, partners, suppliers, outsourced individual and agencies and much more. Not everyone should be granted the same access. For example, in a financial services organization, bank tellers may not get the same access as brokers or compliance officers, and your system of network administrators definitely don't need access to financial data. Deploying granular access control ensures that each individual gets the access they need, without needlessly exposing confidential data to others that do not require that information. This reduces your profile by making it available to fewer.
- Dynamic Masking – In many instances when you call a customer services rep, they will likely ask you for the last four digits of your social security number. By deploying data masking, it obfuscates the remainder of you social security number while permitting the CSR the appropriate personally identifiable information (PII) to ensure that you are the holder of the account. Security is maintained on both sides of the transaction. This reduces your profile by reducing the amount of data that is available to insiders.
- Encryption – Information is power and the end game for hackers is to access your data. Globally this information is stored on servers, in databases and in the cloud. It is what hackers are after. By encrypting information, the data is rendered completely useless to the criminal. Even if they are able to bypass all security measures, that fact that the data is in an illegible and unusable format, makes it completely useless to anyone but the intended audience. This reduces your profile by making the target less valuable if not completely useless.
- Keeping your externally exposed systems properly patched – There are endless methods that bad actors use to check systems exposed on the internet for vulnerabilities. It’s one of the easiest ways to find an entry point, and an organization that isn’t likely to have good security practices. If systems aren’t updated with security the latest patches, the organizations they support automatically become self-selected targets. The Heartbleed bug is a case in point – large numbers of systems still aren’t patched for this vulnerability today.
- The Compliance Angle – Up until now, we have dealt with reducing the security target, however a close second to that is the compliance target. These are rules made to protect both the company and individual through regulations. By reducing access, masking data and encrypting data, your organization not only complies with many of the regulations but actually helps remove a sizable portion of data from the compliance scope. This clearly reduces the compliance profile that your organization may cast.
As the news too often shows, it is nearly impossible to ensure that your organization in impervious to an attack. Everyday large organizations are breached by the traditional hacker as well as the insider. Much like in third grade, reducing the exposure size makes you less of a target. The scary thing is that it worked in Mrs. Glass’s class and it works in protecting your organization from the security and compliance breach.