5 Conversations Business and Tech Teams Should Have About Enterprise Data Security




We’re still in the wild west of data proliferation, with a rush to figure out the best ways to secure enterprise data and avoid being a victim of the next digital train robbery.

According to a McAfee survey of 1,500 IT and security professionals, two thirds of companies experienced some kind of cyber incident in 2019, and only 44% of respondents said their organization had a plan in place for both preventing and responding to security incidents. In 2020, as businesses had to adapt rapidly to new ways of working, the first half of the year saw over 36 billion records exposed through data breaches, twice as many as were exposed in all of 2019.

These are not easy conversations for business leaders and technology leaders to have, so we have prepared them for you. Here are five common security challenges that business and IT teams should discuss, each with questions and talking points to raise so that data stays well organized, flexible, available, secure and future-proof.



Outdated Legacy Software

Many companies have legacy technologies with deep roots in their business. Tools that have been around longer than many of the employees are covered in layers of customization and so baked into the system that they are kept around far past their expiration date. For instance, even though Accellion’s File Transfer Appliance (FTA) had reached end of life, vulnerabilities in it led to data breaches at organizations across banking, grocery, energy and education that still depended on it.

Legacy platforms simply weren’t designed for the proliferation of applications, data, channels and customer interactions of the past decade. Adopting new ways of working usually meant heavily customizing the platform, creating a tangle of dependencies that makes upgrading such a burden that companies would rather risk staying on outdated versions of the software.

This means your train is running miles down the track with holes in its side, and the stop-gap patches duct-taped over them remain the only barrier to entry for far longer than anyone intended.



Points for business leaders to raise


  • What data does our team need to keep the business running? Where does it come from, what features and services does it power, and what channels does it serve?
  • What is the security status of the platforms handling this data, and which critical features and services rely on outdated platforms?
  • Do we have a prioritized security debt backlog that records the likelihood and business impact of each issue?

Unnecessary Access

According to Verizon’s 2020 Data Breach Investigations Report, 37% of breaches involved the use of stolen credentials and 22% involved phishing. Even when the train itself is built fully up to code, someone who steals a ticket is still going to be a problem.

Cybersecurity training and awareness is, of course, important but people are going to make mistakes. A realistic approach combines efforts that aim for the best case scenario of a fully security-savvy workforce with a technology approach that prepares for the worst.

Compartmented Security

Ideally, employees and contractors should have access to only the information they need to do their job. A compartmented security approach creates zones of permissions, so individuals have access to the services and data they need but no one (or very few people) has access to the full scope of data. Stolen credentials then have limited room to move and become a lot less valuable.

MACH tools are well suited to this kind of granular security. The “M” in MACH stands for microservices, a software architecture that breaks an application (e.g. an eCommerce platform) into smaller, independent services (e.g. product information, pricing, checkout). Because each service exposes its own API and owns its own data, MACH tools are compartmentalized by design, and that service boundary is a natural place to define access rules. Additionally, many MACH vendors provide services around network security design as well as identity and access management.
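The exercise behind the talking points that follow, as an added example that is not code from the page or from any MACH vendor: take an inventory of which services each person actually needs, derive permission zones from the patterns in that inventory, and measure what a stolen credential in each zone could reach. The services, sensitivity labels and people are constructed for illustration.

```python
"""Added example (not code from the page or any vendor): turn an inventory of
who needs which services into permission zones, then measure what a stolen
credential in each zone could reach. Services, sensitivities and people below
are constructed for illustration."""
from collections import defaultdict
from typing import Dict, FrozenSet, Set

# Constructed microservice-style commerce platform: each service owns one
# slice of data, tagged with how sensitive that data is.
SERVICE_SENSITIVITY: Dict[str, str] = {
    "product-information": "public",
    "pricing": "internal",
    "checkout": "payment",
    "customer-profiles": "personal",
    "order-history": "personal",
}

# Constructed inventory of what each person actually needs for their job.
# In practice this is the output of the conversation the text describes.
ACCESS_NEEDS: Dict[str, Set[str]] = {
    "alice (merchandising)": {"product-information", "pricing"},
    "bob (merchandising)": {"product-information", "pricing"},
    "carol (support)": {"order-history", "customer-profiles"},
    "dave (contractor, catalog)": {"product-information"},
    "erin (platform ops)": set(SERVICE_SENSITIVITY),
}


def derive_zones(needs: Dict[str, Set[str]]) -> Dict[FrozenSet[str], Set[str]]:
    """Group people by identical need-sets; each distinct set is a candidate zone (role)."""
    zones: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
    for person, services in needs.items():
        unknown = services - set(SERVICE_SENSITIVITY)
        if unknown:
            raise ValueError(f"{person}: unknown services {sorted(unknown)}")
        zones[frozenset(services)].add(person)
    return dict(zones)


def authorize(needs: Dict[str, Set[str]], person: str, service: str) -> bool:
    """Deny by default: only services on the person's inventoried need-set are allowed."""
    return service in needs.get(person, set())


def blast_radius(zone: FrozenSet[str]) -> Set[str]:
    """Data sensitivities an attacker reaches with a stolen credential for this zone."""
    return {SERVICE_SENSITIVITY[s] for s in zone}


def full_scope_holders(needs: Dict[str, Set[str]]) -> Set[str]:
    """People whose credential exposes every service; this list should be very short."""
    return {p for p, s in needs.items() if s == set(SERVICE_SENSITIVITY)}


if __name__ == "__main__":
    for zone, members in derive_zones(ACCESS_NEEDS).items():
        print(f"zone {sorted(zone)} -> {sorted(members)}, exposes {sorted(blast_radius(zone))}")
    print("full-scope credentials:", full_scope_holders(ACCESS_NEEDS))
```

Running it shows four zones from five people: the two merchandisers collapse into one zone, the contractor gets a zone that reaches only public data, and the one full-scope credential is flagged so its holder can be put behind stronger controls (or split into narrower roles).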



Points for business leaders to raise


  • What data does each individual on the team, including contractors, need to access to do their job?
  • Do these access needs show a pattern that could be used to map security zones?
  • What access management tools are currently in use, how are they segmenting access today, and are they capable of further granularity?

Scalable Practices

With the average enterprise using 1,265 cloud applications, businesses are dealing with data distributed across an ever larger number of platforms, all using a variety of APIs to shuttle information back and forth.

Too often, these APIs are designed to require only minimal authentication (and often no per-caller authorization) before handing over data, making them an attractive entry point for a breach. The sheer number of APIs in use across the enterprise tech stack also makes it nearly impossible to hand-craft access rules for each one, so companies need an API security approach that is repeatable in order to scale safely.

Security by Design

Software that is secure by design does not rely on security layers bolted on afterwards; it is built that way from the start. Several security approaches are applied early on, and over time the practices that work are repeated throughout the architecture. This can include principles like separating client and server code (headless architecture), strategies like tokenization (substituting sensitive data with an equivalent token that is useless outside the system that issued it), or a UX that requires end-users to pass an additional level of authentication before taking high-risk actions (step-up authentication).

Designed to be API-first, MACH tools bring both challenges and strengths to a company’s security strategy. They do introduce more APIs into the mix, but those APIs are built with API security in mind from the ground up. Companies still need to work out the practices that fit their specific security needs, but the API standardization and natural compartmentalization of data in MACH tools make it easier to manage API security at scale.
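Two of the secure-by-design techniques named above, tokenization and step-up authentication, packaged as the kind of repeatable check every service endpoint can apply the same way, as an added example (not code from the page or from any MACH vendor). All scope names, actions, the 300-second freshness window and the sample card number are constructed assumptions for illustration.

```python
"""Added example (not code from the page or any MACH vendor): tokenization of
sensitive data plus step-up authentication for high-risk actions, exposed as
one decision function that every endpoint calls. Names, scopes and sample
data are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set


class TokenVault:
    """Replaces a sensitive value with a random token; only the vault can map back."""

    def __init__(self) -> None:
        self._value_by_token: Dict[str, str] = {}
        self._token_by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Same value always maps to the same token so downstream joins still work.
        token = self._token_by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random; carries no information about value
            self._value_by_token[token] = value
            self._token_by_value[value] = token
        return token

    def detokenize(self, token: str, caller_scopes: Set[str]) -> Optional[str]:
        # Mapping back requires an explicit scope that ordinary services never hold.
        if "vault:detokenize" not in caller_scopes:
            return None
        return self._value_by_token.get(token)


def record_order(vault: TokenVault, customer_id: str, card_number: str) -> Dict[str, str]:
    """What a checkout service stores: the token, never the primary account number."""
    return {"customer": customer_id, "card": vault.tokenize(card_number)}


# --- step-up authentication (assumed policy values) -------------------------

STEP_UP_MAX_AGE_S = 300                      # strong auth must be this fresh for risky actions
HIGH_RISK_ACTIONS = {"refund", "export-customers", "change-payout-account"}
REQUIRED_SCOPE = {                           # deny by default: unknown actions have no scope
    "view-order": "orders:read",
    "refund": "orders:refund",
    "export-customers": "customers:export",
    "change-payout-account": "merchant:admin",
}


@dataclass
class Session:
    user: str
    scopes: Set[str]
    last_strong_auth_at: Optional[float] = None   # epoch seconds of last MFA, None if never


def authorize_action(session: Session, action: str, now: Optional[float] = None) -> str:
    """Single decision reused by every endpoint: 'allow', 'deny' or 'step-up'."""
    now = time.time() if now is None else now
    needed = REQUIRED_SCOPE.get(action)
    if needed is None or needed not in session.scopes:
        return "deny"
    if action in HIGH_RISK_ACTIONS:
        fresh = (session.last_strong_auth_at is not None
                 and now - session.last_strong_auth_at <= STEP_UP_MAX_AGE_S)
        if not fresh:
            return "step-up"           # caller must re-authenticate, then retry
    return "allow"


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "cust-42", "4111111111111111")   # constructed test card number
    print("stored:", order)
    agent = Session("agent", {"orders:read", "orders:refund"},
                    last_strong_auth_at=time.time() - 3600)
    print("refund by agent:", authorize_action(agent, "refund"))   # MFA too old: step-up
```

The point of `authorize_action` returning a plain verdict is that the policy (scope table, high-risk list, freshness window) lives in one place and each new API endpoint only has to call it; adding a service does not mean writing a new access rule by hand. A compromised checkout database in this design yields tokens that are worthless without the vault scope.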




Points for business leaders to raise


  • Do we offer mandatory security awareness training for developers, DevOps engineers and product owners?
  • Who is in charge of “security by design” in our company, how much of their time is available for it, what authority do they have, and at what point are they involved?
  • Do we already have security baked into our software development process and, if so, are we compliant with ISO/IEC 27001 and aligned with secure SDLC principles?
  • Do our teams practice DevSecOps, and is continuous security a principle we follow?

Recovery and Response

On average, a cyber incident interrupts business for 18 hours and costs $590,000, according to a McAfee report on the hidden costs of cybercrime. A separate IBM survey suggests that these numbers could be on the rise, with 76% and 70% of respondents saying that pandemic-related remote working would increase the time to identify a data breach and its cost, respectively.

Transparent and Automated Digital Hygiene

Having a clear picture of where data lives is key to recovering it. Unfortunately, many organizations don’t have full visibility into the pockets of data stored across their disparate legacy technologies.

With data used in a variety of critical ways across departments, creating that clear data map is a collaborative effort. Input is needed from all teams to create holistic strategies to monitor and back up data, reduce duplication, and introduce intelligent monitoring tools such as those for threat detection and detailed audit reporting.

Points for business leaders to raise


  • What is our current data lifecycle - where does it come from, where is it stored, how is it backed up, and when can it be retired?
  • What types of security monitoring are already in place, how will our team be notified if there is a breach, and what actions should we take if that happens?
  • How could we automate the most time-consuming, security related tasks?


Capacity

Cloud security is still a relatively new field, and training courses and education programs haven’t been around long enough to build up a big enough talent pool to go around. Nearly 3 out of 4 IT leaders believe that there is a cyber skills gap in their teams, and 65% agree that this gap has a negative impact on the team’s effectiveness.

The skills shortage is putting companies at risk, with misconfiguration being the fastest rising error involved in data breaches over the past five years.

Security-as-a-Service

In principle, Software-as-a-Service (SaaS) providers take care of the maintenance and updates of the platform, and many enterprise-level SaaS vendors also provide security expertise for their specific area. Providers can manage security up to the API level for customers, including network security design, identity and access management, continuous monitoring, vulnerability scanning, and data loss prevention.

This reduces the risk of misconfiguration by someone not experienced with cloud technologies, and lets businesses draw on the deep knowledge of the security experts in their vendors’ networks.

All of the above is part of what MACH vendors do by default, which takes much of the burden of staying on top of platform security off their customers. Under the usual shared-responsibility model the customer still owns its own configuration, user identities and data, so the split of duties is worth writing down. Some companies don’t even recognize this aspect; others choose public cloud and MACH SaaS solutions precisely because of it.



Points for business leaders to raise


  • In our current set up, what security responsibilities lie with business users, IT teams, contractors, software providers, etc?
  • How confident are we in the ability of these parties to uphold their responsibilities? Why?
  • Which areas of security would ideally be outsourced, and which is important to keep in-house?
  • Have we considered selecting SaaS solutions in order to “outsource” parts of security and risk management?

Interested in learning more about a MACH approach to security?


Software built around MACH principles (Microservices, API-first, Cloud-native, Headless) is designed for modern business, and security considerations around mobile, cloud, integrations and data exchange are part of these solutions from the ground up.

We’d be happy to put you in touch with a MACH Alliance Ambassador to have a conversation around your specific security needs. Our Ambassadors are a carefully selected group of business and technology experts with MACH experience - including industry leaders from Sharper Image, Bed Bath & Beyond, PUMA, and Dawn Foods.

Get in touch with us at info@machalliance.org to be matched with the MACH Alliance Ambassador most relevant to your business.