- November 30, 2021
- Category Data Protection
Endpoint backup remains essential, especially with the emergence of the hybrid office and the persistence of remote work, but that doesn’t mean all your data needs to be backed up. The right cloud-based data protection can cover all the bases while being discriminating about what it stores.
The main reason you must back up every endpoint is that business data is distributed across devices and remote locations. Today’s cloud-based data protection makes it easier because it recognizes that employees are more mobile, and their devices have increased in storage capacity and may store critical business information. But you’re certainly not going to want to back up every single bit of data from an employee’s device, especially if they’re a remote worker using a personal device as their workstation.
Discover every endpoint
A key challenge for data protection efforts is that not all endpoints are connected to your corporate network, but you still need to understand what endpoints must be backed up regardless and accommodate both the device type and how it connects.
In some cases, it’s easy to schedule cloud-based data protection at regular intervals based on the value of the data and how frequently it changes, because the endpoints are on your network or can connect as needed to back up their data. However, laptop connectivity can vary wildly depending on the employee, with some remote workers always at home while others may be more mobile. Executives have a reputation for living on their smartphones, putting their entire office in the palm of their hand.
It’s critical that you understand where your critical business information resides, but that doesn’t mean backing up every single device, application and server is the answer.
Pick and choose your data
Endpoint backup isn’t necessarily expensive, but do you want to spend money on data protection for information that won’t be missed?
Not all data is created equal, so consider building a data classification strategy. Not only will you not waste time and resources backing up non-essential data, but the exercise will help you better understand what digital information is critical to your business operations. By classifying your data, you ensure that the data that truly matters is safeguarded and replicated without overprovisioning your endpoint backup capabilities, whether it’s your on-premises infrastructure or cloud services.
The added benefit of data classification is that you can improve your compliance posture so that you’re applying adequate protection for sensitive information that may be governed by privacy legislation such as the Personal Information Protection and Electronic Documents Act (PIPEDA) and the General Data Protection Regulation (GDPR). It’s also an opportunity to streamline your production IT: the more systems you have in place, the more complex the data classification and endpoint backup. Standardizing on a single document management system or CRM will make it easier to find where the critical business information resides so it’s consistently backed up.
Regulatory compliance and data classification are a continuum because your critical business information changes and grows in volume in line with your business. For your endpoint backup to remain accurate, consistent, and comprehensive, consider engaging a managed service provider to help you architect a strategy that can help you classify data, create sound policies, and automate where possible so that your critical business information is easily accessible in the event of any emergency or disaster.
- November 26, 2020
- Category networking
With security threats to organizations only increasing and privacy legislation continuing to evolve, penetration testing remains a critical tool for protecting sensitive data.
And as endpoints multiply thanks to an increase in remote work, there’s no airtight network perimeter, which makes it all the more difficult for organizations to safeguard sensitive data. For it to be effective, penetration testing must be done properly, and it’s more than evaluating network security. It must be viewed holistically as part of your broader information security program.
Most of all, penetration testing should be more than a box that gets ticked once or twice a year to meet compliance obligations, and it should tap the outside expertise of a partner that can put your people, processes and technology through their paces.
Endpoints raise risk
With an exceptionally high number of employees working remotely, the threats posed by endpoints to sensitive data must not be underestimated, whether it’s smartphones, laptops or IoT devices, many of which reside outside the main firewall. One of the most common mistakes is assuming that spending a lot of money on software and hardware will automatically protect sensitive data, but you must also account for human behavior.
Having newer hardware with the latest operating system can mitigate risk, but even the latest and greatest fleet of workstations will bring with them their own built-in vulnerabilities. These must be identified and managed based on how they are deployed and the cybersecurity awareness of the end user. This is especially true as more employees work from home: there are many ways to access data and applications that don’t involve hacking a network. All it takes is one poorly configured web portal to open access to a domain to threat actors so they can take complete control of infrastructure.
These same threat actors take advantage of human behavior as users fall for convincing phishing emails. They also exploit vulnerabilities in software and hardware that are often the result of a convenient feature by using botnets to scan for them even as most organizations are oblivious that they’re even at risk.
And if you think you’re not worth hacking because you’re a small organization, think again. Hackers see you as easy targets because they know you’re less likely to have the security technology, resources and best practices that larger organizations may have. The good news is that as a smaller organization you’re more nimble and agile so you can adapt and more quickly benefit from penetration testing.
Testing should be proactive
Not all penetration tests are equal, and ideally, they should be done before a breach, not after you’ve lost sensitive data.
Rather, you should identify milestones that would necessitate a test of your network security. A trigger might be a workstation refresh or major operating system update, as they can often be configured in such a way that unwittingly opens a door that can be entered by threat actors. And while compliance obligations should inspire penetration testing, it should be more often than an annual exercise to please regulatory bodies.
Because effective penetration testing takes a great deal of skill and expertise and can take time away from regular IT operations, tapping the expertise of an experienced service provider who can poke holes in your security and will find vulnerabilities goes a long way to protecting sensitive data. They’re up to speed on the misconfigurations and evolving threats that might let someone sneak in, as well as the common mistakes made when configuring enterprise networks and remote worker access.
If you want to truly protect sensitive data, take the results of any penetration testing seriously, even if it might reflect badly on your efforts today. You’ll be better off in the long run. Protecting sensitive data is an exercise in continuous learning that mitigates risk, and frequent penetration testing is a contributor to competitive advantage as it enables you to build trust and credibility with your customers while maintaining compliance.
Sanjeev Spolia is CEO of Supra ITS