The 10 Hack Commandments
Notorious C.I.O. used to love it when you called him “Big Data”, but these days it feels like the more data he comes across the more problems he sees. He also used to have a “the sky’s the limit” attitude toward big data, but after his big data living caught up to his bad risk mitigation strategy, Notorious C.I.O.’s company got hacked, and he got fired.
With so many data breaches leading to the firing of high level C-suite executives, it seems the whole world must be taking the wrong approach to data-loss risk mitigation. It’s time we finally start learning from the mistakes of our past, by adopting these 10 Hack Commandments:
1. Don’t expose more data than you need to
Obfuscate your IPs, your application server type and version, and lock down leaky REST APIs (endpoints that expose sensitive information such as personally identifiable information).
2. Don’t let bad guys know your next move
Protect against cross-site scripting (XSS) and cross-site request forgery (CSRF), as well as unvalidated redirects and forwards.
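The "unvalidated redirects" point deserves a concrete check. The helper below is an added example, not code from the original post or from Whistic: it accepts a user-supplied redirect target only if it resolves to an allowlisted host, and it handles the usual bypasses of a naive "starts with /" test. The host names are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Hosts a redirect may land on (constructed values for this example).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
SAFE_FALLBACK = "/"


def safe_redirect_target(target: str, current_host: str = "app.example.com") -> str:
    """Return an absolute URL for `target` if it stays on an allowed host,
    otherwise SAFE_FALLBACK.

    Covers the common tricks used to smuggle an external destination past a
    naive check: protocol-relative '//evil.com', backslash variants such as
    '/\\evil.com', non-http schemes like 'javascript:', and userinfo tricks
    such as 'https://app.example.com@evil.com'.
    """
    if not target:
        return SAFE_FALLBACK
    target = target.strip()
    # Embedded control characters are never legitimate in a redirect target.
    if any(ord(c) < 0x20 for c in target):
        return SAFE_FALLBACK
    # Browsers treat backslashes as forward slashes; normalise before parsing
    # so '/\\evil.com' is seen as the network-path reference '//evil.com'.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    # Only http(s), or a scheme-less relative reference, is acceptable.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return SAFE_FALLBACK
    # Resolve against the current origin so relative and protocol-relative
    # references acquire a host we can actually check.
    resolved = urlsplit(urljoin(f"https://{current_host}/", normalised))
    # .hostname drops userinfo and port and lowercases the host, so
    # 'https://app.example.com@evil.com' yields 'evil.com' here.
    if resolved.hostname is None or resolved.hostname not in ALLOWED_HOSTS:
        return SAFE_FALLBACK
    return resolved.geturl()


if __name__ == "__main__":
    for candidate in ("/dashboard?x=1", "//evil.com/phish", "/\\evil.com",
                      "https://app.example.com@evil.com/", "javascript:alert(1)"):
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate)}")
```

Call it on the `next`/`returnUrl` parameter before issuing the 302 and redirect to whatever it returns; anything it rejects lands on the application's own root.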
3. Don’t trust anybody if you don’t have to
Some experts say that nearly 75% of data breaches are inside jobs. Whether intentional or not, you’ve got to put the right kinds of controls in place to prevent insiders from becoming your threat vectors. Creating layered security and authorizations, as well as revoking authorization on employee exit, can go a long way to managing this.
4. Don’t roll your own security
Use standard encryption practices and trusted open source encryption techniques. If you decide to create your own encryption algorithms or schemes you aren’t benefiting from the peer review process and might have holes in your security. Security by obscurity is not a good plan.
6. Manage your third-party vendors
With 80% of vulnerabilities coming from third-party vendors (Cybersecurity Market Report, Cybersecurity Ventures), it’s time to stop assuming your vendors are going to be good stewards of your data. The time to implement a solid vendor risk management program is now! We built Whistic to automate best practices around vendor risk management, while also staying relevant and priced for companies of all sizes.
7. Don’t use your work computer for personal use
Keep your work computer separate from personal use. Cisco published an article called, “Data Leakage Worldwide: Common Risks and Mistakes Employees Make” (March 12, 2014) where they stated that “46 percent of employees admitted to transferring files between work and personal computers when working from home.”
8. Watch yourself on open networks
Don’t send or download sensitive data when you’re on a public hotspot (e.g. at Starbucks). You might think you’re on a safe network, but open networks are easily spoofed, enabling man-in-the-middle attacks.
9. Recognize that data breaches WILL turn away customers
A recent study indicated that 33% of customers would leave after a data breach. That number may be somewhat inflated, but it’s certainly directionally true: Target’s quarterly profit dropped by 46% after their massive data breach, with revenue decreasing 5.3% year over year.
10. Don’t store data you don’t need to
One of the simplest things you can do is to not hold sensitive data if you don’t need to! This may sound a bit flippant but with so many companies scrambling to do something with Big Data the reality is there is often unnecessary data-bloat. Make that go away and you’ll reduce your data-risk profile substantially.
Ignore these 10 Hack Commandments at your own peril, but remember that if you do, your former colleagues just might start singing “I’ll be missing you,” that is if they aren’t still mad about the whole data breach thing…
Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.
For more information about Whistic, visit: https://www.whistic.com.