Best Practices to Prevent Data Breaches

A zero trust approach to security employs strategies such as least privileged access, policy enforcement, and strong encryption to ensure you maintain control and visibility over your users and their devices. 

Hackers have many ways to acquire usernames and passwords: buy them on the dark web, find them written on sticky notes in employee workspaces, or guess them using password-generating software. That’s why 81% of data breaches are a result of compromised credentials. It’s also why Entrust proposes passwordless solutions to protect PII, intellectual property, and other sensitive information. Entrust’s identity platform can give you a modern approach to data breach prevention.

Data breach prevention programs can benefit from multi-factor authentication—rather than relying on just one form of authentication. This will enable organizations to transition from basic to high-assurance authentication. In choosing multi-factor authentication, consider whether you want the authentication method to be transparent to the user and whether authentication should take place online or through a physical device. 

Adaptive authentication evaluates the legitimacy of every login attempt that a user is who they claim to be, verifying the user and the device. The user is evaluated by checking information such as geolocation, user behavior, device reputation, and evasion detection before being granted access. If a login attempt is deemed to be suspicious, adaptive authentication enables a step-up authentication process. This offers security and UX by prompting the user to provide additional information or blocking the user if the risk is deemed very high. Adaptive authentication is especially important for highly privileged users, including IT personnel, executives, and merger and acquisition teams.

Encryption is the gold standard for data security — and for good reason — but it should not be the sole means of protecting PII in your organization’s computer ecosystem. Many legislative requirements — including GDPR and HIPAA — only require notification if a breach results in the loss of unencrypted data, but cybercriminals can and do defeat encryptions. Entrust nShield HSMs can offer an additional layer of protection against a data breach. 

One of the most effective ways to prevent a data breach is to take a detailed inventory of the personally identifiable information (PII), intellectual property and other sensitive data stored within your business’ IT ecosystem. There are ways to strengthen your PII and IP data security in the cloud. Knowing what data cybercriminals are targeting helps you better protect it.

Transparent authenticators validate users without requiring day-to-day involvement. These authenticators can be in the form of digital certificates, IP-geolocation, and device authentication. Digital certificates leverage existing X.509 digital certificates issued from either a managed digital certificate service or a third-party service. IP-geolocation authentication registers locations that are frequently accessed—a corporate network or other assets. Device authentication creates an encrypted profile after an authenticated user registers a frequently used device. 

Physical form factors are devices that users carry and use to authenticate. They can be in the form of one-time passcode tokens, a display card, or grid authentication. For one-time passcode tokens, there are two options. One is a mini-token that is OATH-compliant and generates a secure eight-digital passcode. Another is an OATH-compliant Pocket token with more features such as PIN unlock and challenge-response mode. A display card authenticator is similar to a token in a credit card. Grid authentication uses a grid card authenticator with numbers and characters in a row-column format. 

This method of data breach prevention enables the verification of user identities when people aren’t carrying a physical device. Authentication can be in the form of knowledge-based authentication, out-of-band authentication, and mobile. Knowledge-based authentication requires users to provide information an attacker wouldn’t know. Out-of-band authentication generates one-time confirmation numbers that are transmitted with a transaction summary to the user. Mobile authentication works for consumer, government, or enterprise environments and provides security via mobile authentication, transaction verification, mobile smart credentials, and transparent authentication technology. 

By continuously monitoring users and assets, it will be easier for IT teams to spot suspicious activity, should it occur. 

Oftentimes, breaches occur when software and solutions are behind on patches and updates. By adopting solutions where patches and updates are performed automatically, you aren’t leaving your systems vulnerable due to user error.

A data breach of your vendor or partner could become your responsibility. To mitigate this risk, ensure that your organization maintains control of your PII, intellectual property and other sensitive data, and hold vendors and partners to the same standards to which you hold internal users.

For some industries, PII, intellectual property, and other sensitive data is the lifeblood of the organization. For other sectors, such as healthcare, access to data and medical records can be a matter of life and death. Learn more about how to prevent a data breach in healthcare.