Data-First Security Reminders

Data-First Security Reminders

Five ways agencies can avoid enterprise data security threats

By Sarah Fruy

Today’s tech strategy dictates the inclusion of cybersecurity into every layer of organizational technology. Rising threats targeting sensitive information and the growing efficiency of hacking methods puts data security top of mind for many companies who want to protect personal details gathered from customers. Furthermore, the expense of security vulnerabilities and exposure is a lot more now than just five years ago, with the average cost of a data breach coming in at a whopping $3.86 million last year.

So, how do you prevent your business from making the next security breach headline? Former Portland Webworks Systems Administrator and DevOps practitioner, Lyle McKarns, spoke about the importance of data security in his blog post on how security must be a process and not a product. McKarns encouraged companies to approach data security with a process-driven mindset and use it as a lens to analyze the entire technology ecosystem. We agree that it’s critical for tech leaders to make data security an organizational practice instead of adding it as the cherry on top of mounds of sensitive customer data.

Five commonly dismissed security risks

At Pantheon, I work with partners like GovWebworks to empower clients to get the most out of our tools, and security is a huge part of this process. The ability to recognize these five commonly dismissed security risks can make all the difference in identifying your most costly organizational vulnerabilities. And then we can help you to do something about them.

1. HTTPS certificates aren’t being fully managed

One of the worst data breaches that occurred in the modern digital era was the 2017 Equifax data breach, which went unnoticed for 76 days because of an expired certificate. The breach resulted in the assailants accessing the personal information of at least 145.5 million people.  According to the U.S. Government Accountability Office, attackers obtained unapproved access via the internet to Equifax’s online dispute portal, which housed documents used to resolve disputes. Equifax lacked the ability to inspect web traffic running through its own network, which concealed the 76-day old security breach.

Equifax’s data breach investigation shed light on four major factors: the identification, detection, segmenting of access to databases, and data governance that allowed the hacker to gain access to the network and extract information from databases containing personally identifiable information. Expired certificates are a security death warrant for any company’s data, and Equifax would have discovered the 2017 attack much sooner if it wasn’t for an expired digital certificate.

Solution: To prevent such breaches, a certificate management program is a critical part of any data security strategy, and HTTPS certificates should be a fully managed, automated process that requires little to no configuration.

2. Site monitoring is inadequate

Last year, the number of Common Vulnerabilities and Exposures (CVEs) was the highest number ever reported, according to the National Institute of Standards and Technology (NIST) and its National Vulnerability Database (NVD), indicating that security threats are accelerating at a never-before-seen rate. The data further shows that 57 percent of vulnerabilities reported in 2020 were classified as severe, and almost 4,000 of the vulnerabilities described as detrimental or the ‘worst of the worst.’ To stay off this list, security teams must regularly evaluate intrusion detection systems and perform daily, full-scale monitoring of network, server, and application resources to ensure that systems remain healthy.

Solution: Organizations can employ live status dashboards that generate accurate and real-time performance reporting to quickly identify, target, and correct data security issues as they arise.

3. Role-based access doesn’t exist

Understanding your data is an integral part of figuring out who should have access to it, but most companies lag behind the curve. As a result, more than 70% of employees have access to unneeded and unauthorized data according to HBR, and this “scattered marbles” approach to data strategy creates a cesspool of data leakage that is difficult to clean up. The rise of the Chief Data Officer is a stride in the right direction, but a disjointed data strategy coupled with rogue data sets undermines policies and governance.

Managing permissions throughout your organization is one of the most effective ways to control the unneeded entrance to sensitive data, and this should be done through system administration and training. It’s also essential to train employees on proper procedures across both software and hardware.

Solution: System administrators should have change management features that grant diverse and time-based access to vulnerable data.

4. Critical security updates can’t be easily deployed

The iconic 2014 Sony breach cost the conglomerate $35 million in IT repairs thanks to their insecure infrastructure. Attackers who identified themselves as the Guardians of Peace gained access to Sony’s network and set up a digital mobile home that extracted terabytes of private data and held it for ransom. In the end, hackers posted five unreleased Sony movies and leaked confidential documents across the open web. After months of investigation, authorities believe that the attackers gained access to Sony’s network through phishing emails.

Hackers specifically target organizations where vulnerabilities are detected, such as failed updates or places where employees are susceptible to phishing campaigns. Once the door is open, hackers seek to get members to download malware, go after networks directly, and then leech confidential data.

Solution: To protect data, system administrators should do timely security updates to prevent software vulnerabilities.

5. Employees aren’t trained on security policies

Data is a hot commodity for hackers now more than ever, and how we tackle the rising data security tide comes down to each organization’s collective understanding of data security. To support our partners, Pantheon is fully compliant across The General Data Protection Regulation (GDPR), The Family Educational Rights and Privacy Act (FERPA), and the EU-US and US-Swiss Privacy Shield frameworks on data privacy. Our goal is to help educate organizations in the open web to build the core fundamentals of an ideal technology ecosystem.

Solution: Pantheon’s security program includes SOC 2 compliance, which provides third-party assurance to our customers about the adequacy of Pantheon’s information security system, and requires employees to be fully informed, trained, and aware of security policies.

Conclusion

As we have seen in this post, in order for companies to protect their data, they need to know what constitutes sensitive information and work to ensure that every person in the organization understands what qualifies as sensitive data. Security is no longer about creating a single barrier. Today a multi-layered approach is needed to protect data in the modern digital era. Ultimately, no business is immune to security threats despite the type or size, and making the investment in security infrastructure will always cost less than the cost of a breach.

Pantheon’s mission is to make the open web a first-class platform that delivers results and offers solutions that protect our customer’s data. Being responsible for websites throughout my career has ingrained best practices in my web management strategies. This understanding and passion for being the best in my craft inspired me to take on this new role leading Pantheon’s Partner Program. I appreciate our partners like Portland Webworks because they help unlock the value of the Pantheon platform. They also act as a trusted advisor for our customers. By working together, Pantheon and our partners empower teams to take control of their websites and minimize security vulnerabilities. I encourage you to reach out to GovWebworks to inquire about how your Pantheon hosting platform can help keep your data secure.

Learn more

Guest Author Bio

As the director of WebOps partner marketing, Sarah Fruy collaborates with Pantheon’s agency and technology partners on co-marketing programs and WebOps education. Prior to this role, Fruy served as the director of brand and digital experience, where she led the strategy, goals, and road map for Pantheon’s public-facing website, branded assets, and experimentation program. Fruy is a ScrumMaster® and Certified Agile Marketer who joins Pantheon with over 15 years of experience in the marketing, digital publishing, and online advertising industries, along with marketing strategy and digital marketing certifications from Cornell Johnson Graduate School of Management. Previously, she worked at emerging media companies, such as Say Media, as well as heritage brands like the San Francisco Chronicle.