The phrase “crown jewels” came into common usage in 17th century Britain. Back then, everyone knew what the crown jewels were: the British crown’s jewelry, a gaudy, near-priceless collection held in secure storage in the Tower of London.
Not Your 10th-Great-Grandfather’s Crown Jewels
In the intervening centuries, “crown jewels” has come to mean many other things, not all suitable for discussion in polite company.
Like so many other turns of phrase, IT professionals have adapted “crown jewels” for the digital age. The term now describes, among many other things, the most valuable, closely guarded assets in an organization’s virtual repository — the 21st century equivalent of a vault filled with gold, silver, and precious gems.
Your company’s crown jewels might consist of irreplaceable intellectual property, especially trade secrets, which (unlike patents) are never publicly disclosed and lose both their legal protection and their value the moment they leak. Your crown jewels might include sensitive data about employees, vendors, and clients, along with the access credentials or encryption keys needed to make sense of that information; a stolen key or credential is usually worth more to an attacker than any single record it unlocks. Your crown jewels might even include financial records or correspondence that could embarrass company executives or clients were they to see the light of day; one need only look to mega-disclosures like the Panama Papers to understand the degree of havoc that a well-placed leak or breach can wreak.
Protect Your Crown Jewels – Here’s How
Take these 14 steps to protect your company’s crown jewels from theft, compromise, or corruption. (Yes, you can and should do far more to safeguard your most sensitive information — but this is a start!)
1:- Always, Always, Always Require 2FA
Two-factor authentication, often shorthanded as 2FA, is the most common form of multi-factor authentication.
2FA requires two distinct credentials drawn from different factor categories (something you know, something you have, something you are), ideally delivered or held through separate channels so that compromising one does not expose the other. Common 2FA pairs include:
- A password AND a unique, temporary numeric code sent via SMS
- A personal identification number AND a biometric signature (such as a retinal scan)
- A security question AND a unique authentication token generated by a security wallet
In certain industries, such as finance, 2FA is de rigueur. But there’s absolutely no reason for organizations in less heavily regulated sectors to skimp on access control. There’s a lot of information behind your secure system’s login screen; why make it any easier to reach? Two caveats when you choose factors: SMS codes are the weakest option (SIM swapping and SS7 interception both defeat them), and a security question is merely a second, weaker “something you know”. Prefer an authenticator app that generates time-based one-time passwords, or better still a FIDO2/WebAuthn hardware key, which also resists phishing because the browser binds the response to the genuine site’s origin.
2:- Invest in a Comprehensive Cloud Backup Solution
The risk of data loss due to natural disasters and human-caused events is always present, no matter how redundant your systems or careful your procedures. Common data loss risks include:
- Ransomware attacks
- Server farm fires
- Accidental data deletion
- Power failures without sufficient redundancy
- Equipment failures, such as server overloads
All of these risks, and more, jeopardize your crown jewels. Reduce their potential impact by investing in a comprehensive backup-as-a-service plan that stores duplicate records in the cloud, well out of harm’s way. Three conditions separate a backup from a false sense of security: at least one copy must be offline or immutable (ransomware crews deliberately encrypt or delete any backup they can reach from the compromised network), the backups must be encrypted with keys you control rather than the provider, and you must rehearse a full restore on a schedule so you know your recovery time before you need it.
3:- Use a Multi-layered Permissions Structure
Be stingy with your permissions. There’s simply no need for an entry-level IT drone (no offense to your hardworking devs!) to have the keys to the kingdom. Reserve those for your CISO, and maybe not even her. (More on how to keep high-value insiders in check below.)
Layering permissions by seniority alone is a little too cute, though. The right axis is need-to-know, not rank: junior security teammates probably need more access to the security tooling than your chief marketing officer, who shouldn’t be anywhere near your security architecture, not because you don’t trust them but because their job doesn’t require it.
4:- Segregate Information Access by Role and Department
This is an important follow-on to a multi-layered permissions structure. In addition to ensuring that (with exceptions) junior staffers aren’t able to reach your crown jewels, or much else of value, without someone looking over their shoulder, make sure you’re properly segregating access to sensitive information by role and department.
We mentioned the marketing exec who shouldn’t be anywhere near your security apparatus above. You can apply the same logic to a host of different scenarios — your finance team and its vendors shouldn’t have access to human resources records, for instance, nor should your business development lead need to snoop around in your product lead’s files (even if they collaborate closely at times).
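Here is what sections 3 and 4 look like as policy code. It is an added example written for this article, not something the article’s author or any product ships: roles form layers through inheritance, each department role’s grants are scoped to that department’s resource prefixes, anything not explicitly granted is denied, and the crown jewels have no standing access at all, only break-glass access against an approved, time-limited ticket that names the exact resource. The role names, resource paths and ticket shape are this example’s own assumptions.

```python
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]   # (action, resource glob)

# Hypothetical layered roles. Each layer adds grants and inherits everything below it; department
# roles are scoped to their own prefix, so finance never sees hr/* and the CMO never sees security/*.
ROLES: Dict[str, Dict[str, list]] = {
    "employee":         {"grants": [("read", "wiki/*")],                               "inherits": []},
    "finance":          {"grants": [("read", "finance/*"), ("write", "finance/*")],     "inherits": ["employee"]},
    "hr":               {"grants": [("read", "hr/*"), ("write", "hr/*")],               "inherits": ["employee"]},
    "cmo":              {"grants": [("read", "marketing/*"), ("write", "marketing/*")], "inherits": ["employee"]},
    "security_analyst": {"grants": [("read", "security/logs/*")],                      "inherits": ["employee"]},
    "security_admin":   {"grants": [("read", "security/*"), ("write", "security/*")],   "inherits": ["security_analyst"]},
    "ciso":             {"grants": [("read", "*/policy/*")],                            "inherits": ["security_admin"]},
}

CROWN_JEWELS = "crown_jewels/*"   # nobody, not even the CISO, has standing access under this prefix


def effective_permissions(role: str, _seen: Optional[Set[str]] = None) -> Set[Permission]:
    """Union of a role's own grants and everything it inherits; _seen guards against cycles."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in ROLES:
        return set()                      # unknown role: no permissions at all
    _seen.add(role)
    perms = set(ROLES[role]["grants"])
    for parent in ROLES[role]["inherits"]:
        perms |= effective_permissions(parent, _seen)
    return perms


def is_allowed(roles: List[str], action: str, resource: str,
               ticket: Optional[dict] = None, now: float = 0.0) -> bool:
    """Deny by default. Crown-jewel resources are decided only by the break-glass ticket
    (approved, naming this exact resource, not yet expired); role grants are never consulted
    for them, so even a wildcard grant cannot reach the jewels."""
    if fnmatch(resource, CROWN_JEWELS):
        return bool(ticket
                    and ticket.get("approved")
                    and ticket.get("resource") == resource
                    and ticket.get("expires_at", 0) > now)
    for role in roles:
        for granted_action, pattern in effective_permissions(role):
            if granted_action == action and fnmatch(resource, pattern):
                return True
    return False


if __name__ == "__main__":
    print("finance reads hr/payroll.db:", is_allowed(["finance"], "read", "hr/payroll.db"))
    print("ciso writes SIEM rules:     ", is_allowed(["ciso"], "write", "security/siem/rules.yml"))
    print("ciso reads signing key:     ", is_allowed(["ciso"], "read", "crown_jewels/signing.key"))
```

Every break-glass grant should also land in the audit log (section 9 below covers watching privileged use); the ticket’s expiry is what keeps a one-off exception from quietly becoming standing access.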
5:- Train Every Employee (Including Non-IT Staff) on Basic Threat Mitigation and Response
Subject every new hire to the same rigorous threat response training that you expect your security team (and vendors) to have before you bring them onboard. Don’t neglect:
- Basic email security training, with specific threat focus (more on that below)
- Recognizing and reporting insider threats
- Basic data hygiene and security (including what to do with physical media outside the office)
- Safeguarding and changing access credentials
- Recognizing and reporting novel threats, including ransomware
There’s no such thing as too much training. In the event of a breach, your employees’ time investment will pay off many times over.
6:- Require VPN Usage Wherever Practical
In terms of actionable steps you can take to boost network and user security, requiring virtual private network (VPN) use wherever practical is about as easy as it gets. Enterprise VPNs aren’t as cheap as adware-choked consumer versions, but they’re also far more reliable and safe — some free consumer VPNs may actually be worse than the disease they purport to cure.
If you maintain a bring-your-own-device policy, make sure everyone’s on the same vetted VPN, even if that means adding personal mobile phones to your enterprise plan. Incorporate basic VPN usage training into your security onboarding; it should be second nature for each and every team member to switch on their private network before accessing any company assets. Keep in mind what the VPN does and doesn’t do: it protects the path, not the endpoint, so an unpatched or malware-infected laptop is just as dangerous on the tunnel as off it. Pair the VPN requirement with device posture checks (patch level, disk encryption, endpoint agent present) before the tunnel is granted.
7:- Thoroughly Wipe External Storage Media Before Decommissioning
Whenever you decommission and discard an external storage device, wipe it — completely.
Simple as that.
Here’s a basic tutorial for non-technical folks looking to wipe an external hard drive. The four steps are:
- Back up any important data on the hard drive (this is where your cloud backup service comes in handy)
- Reformat the drive to your operating system’s specifications. Be aware that a quick format only rewrites the file-system index and leaves the data itself on the platters or flash cells, so treat this as preparation, not as erasure
- Use an approved disk-wiping application that overwrites every sector and then reads the drive back to verify. For SSDs and other flash media, use the drive’s own secure-erase command instead (ATA Secure Erase via hdparm, or an NVMe format with secure erase), because wear-levelling means a software overwrite never reaches every cell
- To be absolutely sure that the data can’t be used by anyone else, physically destroy the drive before discarding it
If you’re not up for physically smashing your hard drive — which, to be sure, is not an OSHA-approved activity — use a trusted electronics recycling service that offers certificates of destruction. You’ll likely need to pay for the certificate, perhaps on the order of $15 or $20 per drive. But the peace of mind (and freedom from client grief) is worth every penny.
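The overwrite-and-verify step from the list above, as an added example rather than anything from the article: a Python routine that overwrites the entire target twice (all-ones, then all-zeros), forces each pass to the medium with fsync, and then reads every byte back to confirm nothing survived. It sizes the target by seeking to its end, so the same code works on a regular file for a dry run and on a whole block device such as /dev/sdb when run as root, and it opens without truncation so the target keeps its size. The `demo()` helper wipes a throwaway temporary file holding constructed data so the example runs without touching real hardware; the payload and all names are this example’s own. The caveat stands: on SSDs and flash media this overwrite does not reach remapped cells, and the firmware secure-erase command is the right tool there.

```python
import os
import tempfile

PASSES = (b"\xff", b"\x00")   # all-ones, then all-zeros; the final pass must be zeros for verify_zeroed()


def target_size(fd: int) -> int:
    """Length in bytes of a regular file or a block device (os.path.getsize reports 0 for devices)."""
    return os.lseek(fd, 0, os.SEEK_END)


def overwrite(path: str, chunk: int = 1 << 20) -> int:
    """Overwrite every byte of `path` once per pattern in PASSES, fsync after each pass.
    Opened O_RDWR without O_TRUNC so a file or device keeps its size. Returns bytes written per pass.
    Caveat: wear-levelled flash (SSD, USB stick, SD card) remaps cells, so bytes can survive this;
    use the drive's own secure erase there (ATA Secure Erase, or NVMe format with secure erase)."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = target_size(fd)
        for pattern in PASSES:
            block = pattern * chunk
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                # os.write may write fewer bytes than asked; loop until this pass is complete
                remaining -= os.write(fd, block[:min(chunk, remaining)])
            os.fsync(fd)          # do not start the next pass until this one is on the medium
    finally:
        os.close(fd)
    return size


def verify_zeroed(path: str, chunk: int = 1 << 20) -> bool:
    """Read the whole target back and confirm that every byte is zero."""
    zero = b"\x00" * chunk
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return True
            if data != zero[:len(data)]:
                return False


def demo() -> dict:
    """Dry run on a temporary file filled with constructed 'sensitive' data; no real device is touched.
    Note that wiping a single file is only a demonstration: journaling and copy-on-write file systems
    may keep old copies of its blocks, which is why the real target is the whole device."""
    payload = b"payroll export 2019: jane.doe,ssn=000-00-0000\n" * 500   # constructed sample
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    try:
        written = overwrite(path)
        return {
            "payload_len": len(payload),
            "bytes_per_pass": written,
            "size_unchanged": os.path.getsize(path) == len(payload),
            "all_zero": verify_zeroed(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Run against a device, the read-back pass is the part that matters for the certificate you keep on file: a wipe you did not verify is a wipe you cannot attest to.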
8:- Use Intranets for Truly Sensitive Applications
Under certain circumstances, the most secure solution for extremely sensitive data — and potentially the only solution for data that has no need to leave your company’s sphere of control — is a secure intranet accessible only by credentialed insiders.
Using an intranet to manage sensitive information doesn’t eliminate the insider threat, of course. Nor can it completely zero out the risk of zero-day exploits or hardware hacks (see below) compromising outside equipment. But if you take steps to ensure nothing leaves (or connects to) your intranet save for hard copies — we’re talking old-fashioned printouts — you can greatly reduce the risk of unwitting compromise.
9:- Monitor Network Usage (And Watch the Watchers)
When they’re operating inside your organization’s digital domain, your employees should expect to be monitored, and your acceptable-use policy should say so plainly. How far that monitoring can go is a legal question that varies by jurisdiction (EU data-protection law and works-council rules, for instance, constrain it considerably), so confirm the policy with counsel before you switch on the logging.
Within those limits, treat your corporate network as a panopticon. Per Cipher, consider these five behaviors that your security team needs to keep particularly close watch on:
- Inappropriate or unauthorized password sharing
- Abnormal access to sensitive information (including siloed databases that the employee’s permissions shouldn’t allow)
- Unauthorized data exfiltration (especially through less restricted cloud applications)
- Unusual login activity or timing (for instance, logging into a secure network well after business hours)
- Abuse of privileged (high-permission) accounts
Your security team must be in a position to monitor and correct each of these behaviors. The last — abuse of privileged accounts — requires particular attention, since it’s a matter of “watching the watchers.”
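Here is how those five behaviors become detection logic. This is an added example, not code from the article or from Cipher: a small Python detector run over a constructed access log (key=value lines invented for this example), with one rule per behavior. Concurrent successful logins for one account from two different sources inside a short window stand in for password sharing, since the sharing itself never appears in a log; the role-to-path scopes, business hours, upload threshold and the example.net hostname are this example’s own assumptions.

```python
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample log (not from any real system): ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2019-11-04T09:02:11Z user=alice role=finance action=login src=10.1.4.22 result=success
2019-11-04T09:03:40Z user=alice role=finance action=read resource=finance/q3-ledger.xlsx src=10.1.4.22
2019-11-04T09:04:02Z user=alice role=finance action=login src=198.51.100.9 result=success
2019-11-04T09:10:55Z user=bob role=marketing action=read resource=hr/payroll.db src=10.1.7.3
2019-11-04T23:41:07Z user=carol role=engineer action=login src=10.1.9.14 result=success
2019-11-04T23:45:30Z user=carol role=engineer action=upload resource=designs/roadmap.zip dest=files.example.net bytes=734003200 src=10.1.9.14
2019-11-04T14:20:00Z user=dave role=security_admin action=read resource=hr/salary-bands.csv src=10.1.2.2
2019-11-04T15:02:13Z user=erin role=hr action=read resource=hr/salary-bands.csv src=10.1.3.8
"""

# Hypothetical policy: the path prefixes each role may touch, which roles are privileged,
# what counts as business hours (UTC), and how large an upload to an external host is suspicious.
ROLE_SCOPE = {
    "finance": ("finance/",), "marketing": ("marketing/",), "engineer": ("designs/", "src/"),
    "hr": ("hr/",), "security_admin": ("security/",),
}
PRIVILEGED_ROLES = {"security_admin"}
BUSINESS_HOURS = range(7, 20)            # 07:00 to 19:59
EXFIL_THRESHOLD_BYTES = 100 * 1024 * 1024
SHARED_CREDENTIAL_WINDOW_S = 600

Finding = Tuple[str, str]                # (user, description)


def parse(line: str) -> dict:
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    logins: Dict[str, List[Tuple[datetime, str]]] = {}    # user -> successful (time, source) pairs
    for line in log_text.splitlines():
        r = parse(line)
        user, role, action = r["user"], r.get("role", ""), r["action"]
        resource = r.get("resource")

        if action == "login" and r.get("result") == "success":
            # unusual timing
            if r["ts"].hour not in BUSINESS_HOURS:
                findings.append((user, "after-hours login"))
            # one account alive from two sources at once: the observable trace of a shared password
            for prev_ts, prev_src in logins.get(user, []):
                if prev_src != r["src"] and (r["ts"] - prev_ts).total_seconds() <= SHARED_CREDENTIAL_WINDOW_S:
                    findings.append((user, f"concurrent logins from {prev_src} and {r['src']} (possible shared credential)"))
            logins.setdefault(user, []).append((r["ts"], r["src"]))

        # abnormal access: anything outside the role's scope; an unknown role has no scope at all
        if resource and not resource.startswith(ROLE_SCOPE.get(role, ())):
            findings.append((user, f"access outside {role or 'unknown'} scope: {resource}"))

        # exfiltration: large upload to an external destination
        if action == "upload" and int(r.get("bytes", 0)) > EXFIL_THRESHOLD_BYTES:
            findings.append((user, f"large upload ({r['bytes']} bytes) to {r.get('dest')}"))

        # watching the watchers: every non-login action by a privileged account is queued for review
        if role in PRIVILEGED_ROLES and action != "login":
            findings.append((user, f"privileged account activity: {action} {resource}"))
    return findings


def findings_by_user(log_text: str) -> Dict[str, int]:
    return dict(Counter(user for user, _ in detect(log_text)))


if __name__ == "__main__":
    for user, why in detect(SAMPLE_LOG):
        print(f"{user:8} {why}")
```

Note the asymmetry in the last rule: an ordinary user’s in-scope reads are silent, but a privileged account’s reads are always recorded, because the privileged account is the one whose misuse the other rules cannot catch.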
10:- Hold Vendors to Rigorous Security Standards
Hold your vendors — all of them — to the same rigorous security standards you expect your own team to follow.
Many of the most egregious corporate data breaches arise out of poor vendor security. The vector for Target’s 2013 breach, still one of the largest consumer-records breaches in history, was a regional HVAC vendor whose network credentials were stolen through a phishing email; the attackers used that vendor’s legitimate access to Target’s supplier portal as their foothold, then moved on to the point-of-sale systems and the retail giant’s rich repository of consumer credit card numbers and personal data.
If you operate in a heavily regulated industry, you likely already hold your vendors to exacting standards. Even if not, it’s worth going the extra mile and mandating a “my way or the highway” approach to data hygiene. Put the requirements in the contract with a right to audit, and scope each vendor’s access to exactly the systems it services; an HVAC contractor has no business reaching a payment network, and a network that lets it is the real failure.
11:- Keep on Top of Email Threats
The list of email threats most likely to affect your organization in 2019 or 2020 bears more than a passing resemblance to the list of email threats that affected your organization in 2009 or 2010. The greatest hits include:
- Plain vanilla phishing attacks
- Spearphishing attacks targeting specific stakeholders, such as a chief technology officer or chief financial officer
- Spoofing attacks that use compromised or mimicked accounts to compel sensitive data
- Malware attacks that use seemingly innocuous emails and attachments (including attachments and embedded content that some mail clients render in a preview pane, so the user never has to “open” anything) to deliver malicious payloads
It’s on your security team to educate your employees on each of these threats. They’re your first line of defense, after all; a quick report coupled with the good sense not to open the offending email can save you a lot of grief on the back end.
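The spoofing and spearphishing items above become concrete checks in this added example, written here rather than taken from the article: a Python header analyser that flags lookalike sender domains, executive display-name impersonation, Reply-To domains that differ from the From domain, SPF/DKIM/DMARC failures reported by the receiving gateway, and mail claiming an internal sender without any DMARC result. The corporate domain example.com, the executive directory, the Authentication-Results values and the four sample messages are all constructed for the example; in production the directory comes from your identity provider and the authentication results from your own gateway, which must strip any such header the sender supplied on the way in.

```python
import email
from email.utils import parseaddr
from typing import Dict, List

# Hypothetical organisation: its real domains and the people most worth impersonating.
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}

# Naive homoglyph folding: examp1e.com, exarnple.com and examp|e.com all fold onto example.com.
_FOLD = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})


def fold(domain: str) -> str:
    return domain.lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: str) -> List[str]:
    """Findings for one raw RFC 5322 message; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw)
    findings: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    folded_corporate = {fold(d) for d in CORPORATE_DOMAINS}

    # 1. lookalike domain: not ours, but visually collapses onto one of ours
    if from_dom not in CORPORATE_DOMAINS and fold(from_dom) in folded_corporate:
        findings.append(f"lookalike sender domain: {from_dom}")

    # 2. display-name impersonation: a known executive's name on an address that is not theirs
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' impersonates {expected}")

    # 3. reply-to redirection: replies go somewhere other than the apparent sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 4. results stamped by our own gateway (strip any sender-supplied copy on inbound mail first)
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed at the receiving gateway")
    # 5. exact-domain spoof: says it is from us, yet the gateway recorded no DMARC evaluation
    if from_dom in CORPORATE_DOMAINS and "dmarc=" not in auth:
        findings.append("claims an internal sender but carries no DMARC result")
    return findings


# Constructed sample messages (headers only matter for this check).
SAMPLES: Dict[str, str] = {
    "lookalike": """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: cfo@example.com
Subject: urgent wire
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=pass

Please process the attached wire today.
""",
    "exact_domain_spoof": """\
From: "Raj Patel" <raj.patel@example.com>
To: payroll@example.com
Subject: W-2 export
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; dmarc=fail

Send me every employee W-2 as a PDF.
""",
    "reply_to_redirect": """\
From: "Accounts Payable" <ap@vendor-example.net>
Reply-To: <ap-invoices@freemail.example>
To: ap@example.com
Subject: updated bank details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor-example.net; dmarc=pass

Our remittance account has changed, see attached.
""",
    "legitimate": """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Q4 all-hands
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Agenda attached.
""",
}


def scan_all() -> Dict[str, int]:
    return {label: len(analyse(raw)) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw))
```

The lookalike message passes SPF and DMARC because the attacker owns examp1e.com and set both up properly; that is exactly why the display-name and homoglyph checks exist alongside the authentication results rather than instead of them.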
12:- Make Breach Disclosures on a “Need to Know” Basis
You’re going to suffer data loss sooner or later. Whether the cause is malicious or the data ever turns up where it shouldn’t is immaterial. You’ll need to respond, and fast.
But not too fast, and not without making sure the fact of the breach is disseminated through the proper channels. Keep your initial disclosures closely held and on a “need to know” basis; this way, if word of the breach gets out before you’re ready to reveal it to the public (which, by law, you may need to do), you’ll have an idea of how. Need-to-know governs who inside the company hears about the incident, not when regulators do: notification clocks such as the GDPR’s 72 hours from awareness keep running no matter how tightly you hold the news.
13:- Draw Up a Comprehensive Crisis Response and Communications Plan
This is another crucial incident mitigation step that’s best done well before an emergency presents itself. Your crisis response and comms plan should include:
- Designated emergency roles for key stakeholders, such as the chief technology officer, the lead security responder (often the CISO or head of security operations), the chief marketing or communications officer, and so on
- A clearly delineated crisis chain of command that may deviate from your regular chain of command
- Defined, pre-approved crisis messaging for non-comms stakeholders (since your communications team and outside vendor are likely to be overwhelmed)
- Timeframes for task completion
- Regulatory reporting requirements, if any (you may be required to disclose the breach within a certain timeframe)
14:- Thoroughly Vet Hardware Vendors (And Know Which to Avoid)
Last, but not least, thoroughly vet your organization’s hardware vendors and avoid those that don’t meet your standards. Awareness of “hardware hacks” and built-in backdoors, malicious deficiencies that irredeemably compromise devices, has grown in recent years, but many organizations have yet to grapple with their implications. Concretely, ask each vendor whether its firmware is signed and verified at boot, how long it will publish firmware updates, whether it supplies a bill of materials for the components inside, and whether the device supports measured boot with a TPM so that you can attest its state rather than take it on trust.
Is Your Business Data Safe From Harm?
As a businessperson, you know all too well that there’s no way to anticipate every single adverse eventuality.
Addressing today’s endlessly variegated threat landscape is a matter of resource management — of ranking known threats by urgency and downside risk, and prioritizing those that can’t wait. You’ll always live with “unknown unknowns” — the risks that you can’t anticipate or address because, simply, you don’t know they’re out there.
But that’s not to say you must fly blind. By taking the steps we’ve outlined here and maintaining a nimble security posture that’s equipped to respond to the “unknown unknowns” that lurk just out of sight, you’ll set your security team and vendors up for success — defined here as avoiding the worst outcomes.
It’s not ideal, but that’s the new normal for you.