30 Best Practices for Preventing a Data Breach
Data breaches continue to plague businesses across all industries. An average data breach now costs $4.9 million! In a hyper-connected business world, organizational leaders understand that data breaches are a fact of life. However, these 30 best practices for preventing a data breach can reduce your risk and help you respond to an attack more effectively.
In addition to external threats, businesses must also be aware of insider threats, where employees or contractors may intentionally or unintentionally expose sensitive data. They can compromise critical systems, leading to data leaks, financial fraud, and even identity theft.
1. Identify sensitive data collected, stored, transmitted, or processed
Before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process. Cybercriminals target non-public personal information (NPI) and personally identifiable information (PII) because they can sell it on the Dark Web. They also target intellectual property, like patent documents or trade secrets.
Although the terms are often used interchangeably, NPI and PII overlap in some categories, and each also covers data types the other does not.
NPI includes:
- Name
- Address
- Income
- Social Security Number
- Driver’s license number
- Account numbers
- Payment history
- Loan or deposit balances
- Credit or debit card purchases
- Court records
- Non-public consumer reports
PII includes all of that data plus the following:
- Aliases/nicknames
- Unique personal identifiers
- IP address
- Email address
- Account name
- Non-Public Personal Property Records
- Purchase history
- Biometric information
- Internet activity, like browsing history
- Geolocation
- Audio, electronic, visual, thermal, olfactory, or similar data
- Employment-Related Data
- Education Data Covered Under the Family and Educational Rights and Privacy Act (FERPA)
- Inferences made by using combinations of anonymized data from the above list
In short, much of the information an organization collects must be protected or, at the very least, disaggregated. Financial institutions, in particular, are prime targets for cyber threats, as attackers seek to steal banking credentials, conduct fraudulent transactions, or access credit card details.
2. Identify areas that store, transmit, collect, or process sensitive data
Security professionals argue that you can’t secure what you don’t know you have. Any data breach prevention strategy needs to include learning where you store, transmit, collect, or process sensitive data. As part of the identification process, you might want to consider using asset detection technology that helps you locate and catalog:
- On-premises servers
- Virtual Machines (VMs)
- Hosts
- Agents
- Workloads
- Instances
- Networks
- Applications
- Social media
- Files
- Folders
- Logs
- Identity and access management platforms
- Corporate website download forms
As your digital footprint grows, you add additional locations that store, transmit, process, and collect data. To effectively prevent or mitigate the risk of a data breach, you should be continually monitoring your assets.
3. Identify users with access to sensitive data
Although identifying users may seem easy, many companies struggle because “users” can incorporate multiple types of identities. As you build out your data breach prevention practices, you should think about the following “users”:
- Standard users
- Privileged users
- Contractors
- Application Programming Interfaces (APIs)
- Robotic Process Automation (RPA) bots
- Software update agents
- SSL/TLS Certificates
- SSH keys
- Microservices/containers
Each human and machine identity acts as an access point within your ecosystem, making it a potential data breach risk.
4. Identify devices that store, transmit, collect, or process sensitive data
One of the biggest problems organizations face is managing all the devices that interact with sensitive information. As part of the asset detection process, you should make sure that you’re capturing all devices, including:
- Workstations
- Smartphones
- Laptops
- Tablets
- Telephones
- Printers
- Modems/gateways
- Switches/hubs
- Firewall/security appliances
- Routers
- Network adapters
- Network Attached Storage (NAS)
- Internet of Things (IoT) devices
- Security cameras
Each device connects to your network through communication endpoints called ports. Cybercriminals probe for exposed, risky ports to gain access to your network, so you need to know which ports your devices use in order to secure them.
5. Assess risk
You need to assess the level of risk posed by every identified person, device, and location that stores, transmits, collects, or processes sensitive data. While this may seem easy at first glance, many organizations struggle because adding more locations, devices, and users to your ecosystem creates new risks.
For example, a standard user who only accesses one on-premises application that contains no sensitive data while in an office might be low risk. Meanwhile, a privileged user with elevated access to a cloud-based database storing PII who connects from home on a personal device is a high risk.
The more identities, devices, and locations that store, collect, transmit, or process sensitive information your organization uses, the more difficult assessing risk becomes.
6. Analyze risk
Although analyzing and assessing risk might appear to be the same thing at first, they are distinct processes that provide different information.
The risk analysis process means you’re looking at types of risks that exist within your organization. You take each breach prevention strategy and risk assessment metric and incorporate a data breach’s potential impact.
Traditionally, organizations use a combination of qualitative and quantitative approaches. A qualitative approach might consider the productivity impact a data breach would have, while a quantitative approach would consider the financial cost of a data breach.
Often, organizations use a risk assessment equation that looks like this:
Risk = Criticality (probability of a data breach × vulnerability score) × Impact
Ultimately, the more important an asset is to your business operations and stability, the more significant the impact a data breach has. Monitoring for suspicious activity—such as unauthorized access attempts or unusual data transfers—can help detect threats before they escalate into major incidents.
7. Determine risk tolerance
The whole purpose of the risk assessment and analysis process is to help you determine your risk tolerance. Risk tolerance is essentially a cost-benefit analysis that compares how important a technology is to your organization’s business goals compared to the impact a data breach would have.
When determining risk tolerance, you can take one of four actions:
- Accept: You might accept a risk without transferring or mitigating it when the business impact is low.
- Refuse: Risks might be refused if the potential impact is too great, even if you were to transfer or mitigate them.
- Transfer: You can have someone else take on the burden of the risk at a reasonable cost, such as with cyber insurance.
- Mitigate: When the technology is critical to your business goals, you reduce the risk’s impact by implementing controls that prevent a data breach.
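The risk equation in section 6 and the four tolerance actions in section 7 are easier to reason about when they are applied to an actual register. The following Go program is an added example, not code from the article or from SecurityScorecard: it scores the two identities used as examples in section 5 plus one constructed non-critical system, ranks them by risk, and maps each score to accept, refuse, transfer, or mitigate. The scoring scales (probability 0-1, vulnerability 1-10, impact 1-10), the sample values, and the two tolerance thresholds are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset is one row of the risk register built from the identities, devices and
// locations found in sections 2 to 5. The scales (probability 0-1, vulnerability
// score 1-10, impact 1-10) and the sample values are assumptions for this example.
type Asset struct {
	Name          string
	Probability   float64 // likelihood that a breach starts at this asset
	Vulnerability float64 // vulnerability score
	Impact        float64 // business impact if this asset is breached
	Critical      bool    // technology is critical to business goals (section 7)
}

// Risk applies the article's equation:
// Risk = Criticality (probability of a data breach x vulnerability score) x Impact.
func Risk(a Asset) float64 {
	criticality := a.Probability * a.Vulnerability
	return criticality * a.Impact
}

// Tolerance thresholds are assumed values; a real programme sets them from the
// cost-benefit analysis described in section 7.
const (
	acceptBelow = 5.0  // below this the business simply accepts the risk
	refuseAbove = 60.0 // above this no control or insurance is judged sufficient
)

// Decide maps a scored asset to one of the four actions in section 7.
func Decide(a Asset) string {
	r := Risk(a)
	switch {
	case r < acceptBelow:
		return "accept"
	case r > refuseAbove:
		return "refuse"
	case a.Critical:
		return "mitigate" // critical technology stays, so reduce impact with controls
	default:
		return "transfer" // non-critical, e.g. cover it with cyber insurance
	}
}

// Rank returns a copy of the register sorted by descending risk so that
// mitigation work is prioritised on the highest-risk assets.
func Rank(reg []Asset) []Asset {
	out := append([]Asset(nil), reg...)
	sort.SliceStable(out, func(i, j int) bool { return Risk(out[i]) > Risk(out[j]) })
	return out
}

// Report renders one register row as a line of text.
func Report(a Asset) string {
	return fmt.Sprintf("%-52s risk=%5.1f action=%s", a.Name, Risk(a), Decide(a))
}

// Constructed register: the two identities used as examples in section 5 plus a
// non-critical system to show the transfer decision.
var register = []Asset{
	{Name: "standard user, one on-prem app, no sensitive data", Probability: 0.2, Vulnerability: 3, Impact: 2, Critical: true},
	{Name: "privileged user, cloud PII database, personal device", Probability: 0.7, Vulnerability: 8, Impact: 9, Critical: true},
	{Name: "legacy marketing microsite", Probability: 0.5, Vulnerability: 6, Impact: 3, Critical: false},
}

func main() {
	for _, a := range Rank(register) {
		fmt.Println(Report(a))
	}
}
```

The ordering of the cases in Decide matters: the accept and refuse thresholds are checked first, so a critical system whose risk exceeds what any control could bring down still ends up refused rather than mitigated.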
8. Set controls
For any risks that you choose to mitigate, you need to establish a set of controls. These controls show that you understand how a potential cybercriminal might gain unauthorized access to sensitive data and have ways to reduce the likelihood of that happening.
Some security controls include:
- Firewalls
- Encryption
- Identity and access management
- Vulnerability monitoring
- Installing security patch updates
9. Establish an IT security policy
A cybersecurity policy is a written document incorporating your risk analysis and tolerance. It documents the processes and procedures in place that mitigate data breach risks.
Every IT security policy should, at minimum, include:
- Objectives: What the policy seeks to accomplish
- Scope: What data, systems, and networks the policy covers
- Specific goals: Regulatory and industry standards’ compliance requirements as well as controls
- Responsibilities: Who is in charge of the day-to-day activities
10. Establish a privacy policy
Although security and privacy go hand-in-hand, they also differ. Traditionally, a security policy aims to prevent external unauthorized access to sensitive data, while a privacy policy addresses both internal and external unauthorized access. Taking a proactive approach to privacy ensures that your organization can anticipate risks before they escalate into breaches.
Some key things a privacy policy should include are:
- Definition of sensitive data
- Data collection purpose
- Data use
- Data sharing
- Log data management
- Corporate communications
- Cookie collection and use
- Data protection and security
- List of applicable regulations
- Limitation of user access
- Employee privacy practices
- Data retention
- Communications and marketing
11. Establish identity and access management policies
As organizations increasingly adopt cloud-based applications, they need to monitor not only external access to their systems and networks but also the identity perimeter. Since users don’t always sit behind corporate firewalls and other traditional security protections, creating Identity and Access Management (IAM) policies becomes more important than ever.
Some things that companies need to consider are:
- What jobs users have
- What information they need
- What applications and resources they need to access
- What devices they use to connect to corporate networks and systems
- Where they are located geographically
12. Limit access according to the principle of least privilege
A fundamental IAM control is to limit user access according to the principle of least privilege, which means ensuring that users can only access the information necessary to do their jobs. In a lot of ways, the focus on least privilege follows the old spy-movie adage of working on a “need-to-know basis.”
Many organizations struggle with this because complex, cloud-based ecosystems connect many different business-critical applications like Enterprise Resource Planning (ERP) or Electronic Health Record (EHR) platforms. These applications often use different definitions of user roles, making limiting access difficult.
Large enterprises face an extra problem. Often, employees change roles within the organization. While they still access certain enterprise resources, they may need access to new ones, depending on their business line.
This creates an excess access risk that cybercriminals can use to gain unauthorized access to systems, networks, and applications. Then, they move within the IT stack to steal data using methods such as exploiting weak passwords or injecting malicious activity into business-critical systems.
13. Enable multi-factor authentication
Multi-factor authentication helps mitigate the risks associated with excess user access. Authentication is the process of proving that you are who your login credential says you are. If a cybercriminal steals a password and tries to log into a cloud resource, multi-factor authentication requires them to use more than just the stolen password.
When users log into a web application, they should be using at least two of the following:
- Something they know (password)
- Something that they have (a smartphone or token)
- Something that they are (a fingerprint, facial identification, or other biometric)
Malicious actors can’t easily fake a push notification code sent to a device or a biometric. Thus, when they try to log in and can’t meet this second layer of authentication, they fail.
14. Establish a strong password policy
Moving to a cloud-first or cloud-only IT stack means incorporating more web-based applications into business processes. To thwart attacks like dictionary attacks, you must create a password policy that defines what counts as a strong password or passphrase.
When establishing your password policy, you should incorporate some of the following best practices:
- More than 10 characters
- At least one upper-case letter
- At least one number
- At least one special character
You may also want to consider providing employees with a password management program account so that they are more likely to create unique passwords.
15. Monitor privileged access
The riskiest identities in an organization are the ones that have privileged access. These can be human users, like system administrators, or machine identities, like software update agents. For example, system administrators have “superuser” access because they need to make critical changes to systems and networks. These activities can include creating new user accounts or updating RPA scripts. Meanwhile, software update agents might need to access critical resources such as operating systems, servers, and databases.
Organizations should leverage intrusion detection systems to monitor privileged access attempts and flag any unauthorized activity in real time. These systems help detect anomalies that could indicate potential threats, such as unexpected login attempts or privilege escalation attempts.
Often, malicious actors gain access to an IT stack by finding a weak login and password combination for either a standard or privileged user. If they get the standard user credentials, they work to gain more access within the system until that account has privileged access. If they gain access with a privileged user account, they automatically have all the access they need.
Monitoring for anomalous privileged access requests and use can help you detect a compromised account more rapidly and reduce your data breach risk.
16. Change default passwords
Most devices, cloud resources, and software come with default passwords. These passwords are often posted on the manufacturer or service provider’s website so that an organization can make changes. For example, to update your computer’s software, the device often prompts for a user or administrator password. In some cases, such as routers or other enterprise devices, the login ID and password may be something as common as:
UserID: Admin
Password: Admin
You may need an administrative password to update the firmware or set up the device. Most default passwords are the same for all devices within a given product or software line. Companies do this to make it easier to set up the devices, but it also creates a security weakness. If you can look the default password up on the internet, so can a malicious actor. Since these default UserIDs and passwords often give you privileged access, this gives cybercriminals easy access to your most sensitive networks and systems.
Businesses should also account for connected devices such as IoT sensors, smart printers, and mobile endpoints, which often come with default credentials that attackers can exploit. Many physical devices, like security cameras and badge entry systems, are vulnerable if their passwords are not changed or if they lack proper encryption.
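Sections 14 and 16 both come down to the same check at password-change time: does the candidate meet the policy, and is it something an attacker would try first? The following Go program is an added example, not code from the article or from SecurityScorecard. It enforces the four rules listed in section 14, then rejects dictionary words and vendor defaults such as the Admin/Admin pair from section 16 even when a common suffix like "1!" has been appended, and rejects passwords that contain the user ID. The deny-list is a small constructed stand-in for a real breached-password feed, and the suffix characters it strips are an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// denyList is a constructed stand-in for a breached-password or dictionary feed
// combined with the vendor default credentials described in section 16.
var denyList = map[string]bool{
	"admin": true, "password": true, "welcome": true, "changeme": true, "letmein": true,
}

// Violation names one policy rule the candidate fails.
type Violation string

// CheckPassword tests a candidate against the four rules in section 14 and against
// the dictionary/default-credential deny-list. It returns every failing rule so the
// user can fix all of them at once; an empty result means the password is accepted.
func CheckPassword(candidate, userID string) []Violation {
	var v []Violation
	if len([]rune(candidate)) <= 10 {
		v = append(v, "must be more than 10 characters")
	}
	var upper, digit, special bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if !upper {
		v = append(v, "needs an upper-case letter")
	}
	if !digit {
		v = append(v, "needs a number")
	}
	if !special {
		v = append(v, "needs a special character")
	}
	// Dictionary attacks try each wordlist entry with common suffixes ("1!", "2024")
	// appended, so strip trailing digits and symbols before the lookup: "Password1!"
	// still counts as the dictionary word "password". The suffix set is an assumption.
	lower := strings.ToLower(candidate)
	base := strings.TrimRight(lower, "0123456789!@#$%^&*()-_=+.,?")
	if denyList[lower] || denyList[base] {
		v = append(v, "is a known default or dictionary password")
	}
	if userID != "" && strings.Contains(lower, strings.ToLower(userID)) {
		v = append(v, "must not contain the user ID")
	}
	return v
}

// Acceptable is the yes/no form used at password-change time.
func Acceptable(candidate, userID string) bool {
	return len(CheckPassword(candidate, userID)) == 0
}

// Explain renders the verdict as a user-facing message.
func Explain(candidate, userID string) string {
	v := CheckPassword(candidate, userID)
	if len(v) == 0 {
		return "accepted"
	}
	parts := make([]string, len(v))
	for i, x := range v {
		parts[i] = string(x)
	}
	return fmt.Sprintf("rejected: %s", strings.Join(parts, "; "))
}

func main() {
	// Constructed candidates: the factory default from section 16, a dictionary word
	// with a common suffix, and a long passphrase that passes every rule.
	for _, c := range []struct{ pw, user string }{
		{"Admin", "Admin"},
		{"Password1!", "jdoe"},
		{"correct-Horse7battery", "jdoe"},
	} {
		fmt.Printf("%-24s %s\n", c.pw, Explain(c.pw, c.user))
	}
}
```

Returning every violation at once rather than stopping at the first is a deliberate choice: a user who is told only "too short" will add one character and hit the next rule, which is how people end up with predictable passwords.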
17. Install anti-virus software
Cybercriminals continue to engage in ransomware attacks. Recent research shows that ransomware attacks are up over 148% since 2021! Not all malware is ransomware. Often, cybercriminals will include malicious code in social engineering attacks as a way to steal login credentials. Once they steal the credentials, they gain access to systems, software, and networks where they continue to escalate privileges undetected.
One way to mitigate the risks that malware poses is to install an antivirus solution and keep it updated. Most anti-virus software providers regularly update the malware signatures or use advanced analytics to predict new signatures. If a user attempts to access a malicious website or download a risky file, the anti-virus detects the code and quarantines it to protect the device.
18. Establish a data governance policy
Data governance is an offshoot of IAM with distinct functions. Your data governance policy sets out processes and procedures for safe data handling and protection.
At a minimum, it should include processes and procedures for ensuring data:
- Quality
- Access
- Security
- Privacy
- Usage
You also need to think about assigning responsible parties who enforce these policies.
19. Establish a vendor risk management policy and program
Today’s hyper-connected ecosystem means that third- and fourth-party business partners are essential to business operations. While your vendors enable successful digital transformation strategies, they also create new risks because you lack visibility into their security posture.
Without proper oversight, unauthorized users could exploit weak vendor security measures, leading to potential breaches that compromise sensitive company and customer data.
To protect yourself from a data breach, you need a vendor risk management policy and program that addresses the following risks:
- Compliance
- Cybersecurity
- Privacy
- Reputation
- Legal
- Financial
To measure your vendors’ compliance against your policy, you should incorporate clauses in your service level agreements that address:
- Network security
- IP reputation
- DNS health
- Patching cadence
- Web application security
- Endpoint security
- Employee security awareness training
Additionally, you should establish meaningful key performance indicators for your vendor risk management program.
20. Establish a 3-2-1 data backup and recovery process
While backup and recovery may not necessarily look like a preventative measure, it does mitigate many of the data loss and productivity risks associated with ransomware attacks.
Your backup and recovery program should be part of your disaster recovery and business continuity plans. You should make sure that you have three backups on two different media, with at least one stored off-site.
21. Establish and test an incident detection and incident response program
Data breach prevention also means having the right teams in place to detect and rapidly respond to potential data incidents. Not every security incident turns into a full-blown breach. In the same way that all squares are rectangles while not all rectangles are squares, all data breaches are security incidents, but not all security incidents are data breaches.
A security incident can include:
- Malware infections
- Distributed Denial of Service (DDoS) attacks
- Unauthorized access
- Insider access misuse
- Unauthorized privilege escalation
- Device loss or theft
Meanwhile, a data breach usually means that a data security incident led to exposing sensitive information. Having an incident response plan that you test regularly gives you a way to prevent a security incident from becoming a breach. The more quickly your incident response team can detect and respond to a security alert, the less likely you are to suffer security breaches that could result in significant financial and reputational damage.
Incident detection should also include monitoring network traffic for unusual patterns that may indicate an attempted intrusion. Cybercriminals often exploit weaknesses in unsecured connections, and tracking traffic anomalies can help identify potential threats before they escalate. Additionally, organizations should implement automated alerting systems that flag irregular data transfers, unauthorized access attempts, and other suspicious activities across the IT infrastructure.
22. Establish a Bring-Your-Own-Device (BYOD) policy
Often, employees want to use their own devices to work remotely or connect to your corporate network. Unfortunately, you can’t always push the same protections to your employees’ personal devices that you can to company-owned ones. Your BYOD policy sets out the rules they need to follow when connecting their devices to your systems and networks.
With the increasing use of mobile devices in the workplace, businesses face additional security risks. Smartphones, tablets, and laptops used for work purposes often contain sensitive information but may lack adequate security controls.
Businesses should use encryption, remote wiping capabilities, and endpoint security solutions for all mobile devices accessing corporate systems. Establishing clear guidelines on app usage, public Wi-Fi connections, and data storage practices can further enhance effective data breach prevention strategies.
The BYOD policy should include:
- Clear, non-legalese explanation of compliance
- Definition of personal and work use
- Reimbursement policies
- Acceptable use standards
- Impact on employee privacy
- Reporting lost, stolen, hacked, or damaged equipment
23. Establish a secure data retention and disposal policy
All sensitive data is a risk, even when you dispose of it. Most regulatory and industry standards require organizations to maintain records for a period of time and then safely dispose of them. However, archived information becomes a data breach risk because people rarely access or monitor where it is stored.
Meanwhile, disposing of data creates additional risks. Simply deleting electronic data may not remove it from all places you stored it, while physical copies of information need to be shredded.
Failing to properly handle old data could lead to a costly data breach, especially if unauthorized individuals gain access to discarded information. Malicious actors often target improperly deleted records, attempting to reconstruct sensitive data for fraudulent use.
Furthermore, malicious insiders—employees or contractors with access to confidential information—may exploit weak data retention policies for personal gain or competitive advantage.
An insider with improper access permissions to outdated or unmonitored records can inadvertently or intentionally leak sensitive data. Therefore, organizations should implement strict role-based access controls to ensure that only authorized personnel can retrieve, modify, or delete stored information.
From a data security perspective, your retention and disposal policy should incorporate:
- Purpose
- Scope
- Responsible parties
- Data categories covered
- Record retention schedule for each category
- Types of electronic data covered including email, PDF documents, text/formatted files, and web page files
- Relevant regulations and industry standards
- Destruction and disposal processes
Depending on the regulations governing your organization, you may need to address how you document disposal and confirm successful data destruction or deletion.
24. Encrypt data-at-rest and in-transit
When you encrypt data, you take a format that people can read and scramble it to make it unreadable. Think of it like the math homework assignments you did in elementary school where you had to solve a series of problems and each answer correlated to a letter. You then used those answers to decode a message.
Encrypting data works similarly. Even if a malicious actor gains access to your IT stack, encrypted data stays unintelligible without the key.
When setting encryption best practices for preventing a data breach, you should use Advanced Encryption Standard (AES) cryptography with 128-, 192-, or 256-bit keys. Additionally, you need to make sure that you’re encrypting both data-at-rest (saved on a hard drive or disk) and data-in-transit (traveling from one device to another).
Encrypting data-at-rest protects you from cybercriminals who gain unauthorized access to your IT stack. Encrypting data-in-transit protects against attacks that target network traffic, such as man-in-the-middle attacks on wireless networks.
Companies should also ensure that credentials used for encryption keys are securely stored, preferably in a password manager, to reduce the risk of unauthorized access or exposure.
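To make the data-at-rest half of this concrete, here is an added Go example (not code from the article or from SecurityScorecard) that encrypts a constructed PII record with AES-256 in GCM mode, which authenticates the ciphertext as well as scrambling it. It shows the two properties a practitioner cares about beyond "unreadable": a stored blob that has been tampered with is rejected instead of decrypting to garbage, and a blob bound to one record ID cannot be swapped into another. Generating the key inside the program is an assumption so the example runs offline; in production the key comes from a key management service or HSM, and TLS covers the data-in-transit half.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit key for AES-256. In production the key is fetched
// from a key management service or HSM and never stored beside the data it protects;
// generating it here is an assumption so the example runs offline.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys: AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record for storage at rest and returns nonce || ciphertext || tag.
// GCM authenticates as well as encrypts, so any modification of the stored blob is
// detected by Open. aad (e.g. the record ID) is bound to the ciphertext without being
// encrypted, so a blob cannot be moved to a different record and still decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every Seal
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails closed: wrong key, wrong aad, or a single flipped
// byte all yield an error rather than garbage plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to contain a nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key, wrong context or tampered data): %w", err)
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	record := []byte("name=J. Doe;ssn=000-00-0000") // constructed PII record
	blob, _ := Seal(key, record, []byte("customer:42"))
	fmt.Printf("stored %d bytes of ciphertext for %d bytes of plaintext\n", len(blob), len(record))

	pt, err := Open(key, blob, []byte("customer:42"))
	fmt.Printf("round trip: %q err=%v\n", pt, err)

	blob[len(blob)-1] ^= 0x01 // someone with disk access flips one bit of the stored blob
	_, err = Open(key, blob, []byte("customer:42"))
	fmt.Println("after tampering:", err)
}
```

The stored blob is 28 bytes longer than the plaintext: 12 bytes of nonce plus a 16-byte authentication tag. A fresh random nonce per Seal is required because reusing a nonce with the same key under GCM breaks both confidentiality and integrity.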
25. Regularly apply security patch updates to software and firmware
Many cyber attacks start with malicious actors looking for common vulnerabilities and exposures (CVEs). The CVE list is a dictionary of known code vulnerabilities that attackers can exploit. After security analysts discover a vulnerability, they report it to the software or device manufacturer.
The manufacturer then generates a software update that “patches” the hole in the code, removing the weakness. Since the list is publicly available, cybercriminals are well-versed in the different security weaknesses and actively look to exploit them.
Often, organizations fail to push security patch updates through to all devices that connect to their systems and networks, especially employee-owned devices. Even one device left unpatched can lead to a successful data breach.
Software misconfigurations can also contribute to security vulnerabilities, as improperly set security controls may leave sensitive data exposed. Organizations should routinely audit software settings and apply necessary patches to close security gaps.
As a best practice, organizations should apply security patch updates within 30 days of their release. Internal IT teams should also remain vigilant against malicious insiders who might intentionally delay security patches or exploit system vulnerabilities for personal or financial gain. Establishing strict patching protocols and monitoring compliance across all systems can help mitigate this risk.
26. Monitor for misconfigured cloud assets
As companies move to the cloud, storage and processing locations become more abstract. For example, your on-premises server was often located in a building with security guards and physical locks.
Today, cloud storage and processing locations are defined in code, and misconfigurations are frequent. According to one InfoSecurity Magazine article, 73% of surveyed cloud engineering and security teams said that they had more than ten cloud misconfiguration incidents per day, while one-third experienced over 100 and another 10% over 500 incidents per day.
Some common misconfigurations include:
- AWS security groups
- Access restrictions
- Permission controls
You might think it sounds hyperbolic to say that misconfigurations lasting only a few seconds or less can be a data breach issue. However, just as your company’s security team scans your cloud services continuously, so do malicious actors.
To reduce the risks associated with misconfigured cloud resources, you should make sure that you’re scanning all of the following:
- Workloads
- Containers
- Databases
- Storage buckets
- Virtual machines
- Instances
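The first item in the list of common misconfigurations, AWS security groups, is also the easiest to check mechanically. The following Go program is an added example, not code from the article or from SecurityScorecard: it walks a constructed export of security group ingress rules and reports every rule that exposes a non-public port, a port range, or all protocols to the entire internet (0.0.0.0/0 or ::/0). The Rule type is a simplified stand-in for the AWS API's own, and the assumption that only ports 80 and 443 may face the internet is the example's, not the article's.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is a simplified ingress rule in the shape of an AWS security group entry.
// It is a constructed type for this example, not the AWS API's own.
type Rule struct {
	Group    string
	Protocol string // "tcp", "udp", or "-1" meaning all protocols, as AWS encodes it
	FromPort int
	ToPort   int
	CIDR     string
}

// Finding records one misconfiguration found by Scan.
type Finding struct {
	Group  string
	Reason string
}

// publicOK lists the only ports assumed to be allowed to face the whole internet.
var publicOK = map[int]bool{80: true, 443: true}

// worldOpen reports whether a CIDR admits the entire IPv4 or IPv6 internet.
// Unparsable values are treated as open so that a typo is flagged, not ignored.
func worldOpen(cidr string) bool {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return true
	}
	return p.Bits() == 0
}

// Scan returns a finding for every rule that exposes all protocols, a port range,
// or a non-public single port to 0.0.0.0/0 or ::/0. Rules scoped to private
// address space pass, as do 80/443 on their own.
func Scan(rules []Rule) []Finding {
	var out []Finding
	for _, r := range rules {
		if !worldOpen(r.CIDR) {
			continue
		}
		switch {
		case r.Protocol == "-1":
			out = append(out, Finding{r.Group, fmt.Sprintf("all protocols open to %s", r.CIDR)})
		case r.FromPort != r.ToPort:
			out = append(out, Finding{r.Group, fmt.Sprintf("port range %d-%d open to %s", r.FromPort, r.ToPort, r.CIDR)})
		case !publicOK[r.FromPort]:
			out = append(out, Finding{r.Group, fmt.Sprintf("%s/%d open to %s", r.Protocol, r.FromPort, r.CIDR)})
		}
	}
	return out
}

// sampleRules is a constructed export of security groups: two correct public web
// rules, a database reachable only from the VPC, and four misconfigurations.
var sampleRules = []Rule{
	{"sg-web", "tcp", 443, 443, "0.0.0.0/0"},
	{"sg-web", "tcp", 80, 80, "0.0.0.0/0"},
	{"sg-db", "tcp", 5432, 5432, "10.0.0.0/8"},
	{"sg-db", "tcp", 5432, 5432, "0.0.0.0/0"},
	{"sg-bastion", "tcp", 22, 22, "::/0"},
	{"sg-legacy", "-1", 0, 65535, "0.0.0.0/0"},
	{"sg-ci", "tcp", 8000, 9000, "0.0.0.0/0"},
}

func main() {
	for _, f := range Scan(sampleRules) {
		fmt.Printf("%-12s %s\n", f.Group, f.Reason)
	}
}
```

Run against a real export on a schedule rather than once: as the section notes, a rule that is open for seconds is still a finding, and the same logic applies unchanged to the workloads, containers, databases and buckets listed above once their access rules are expressed in the same shape.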
27. Use a centralized log management solution
Every cloud resource, endpoint, access point, and user generates event log data. This data gives you visibility into all activity across your IT stack, but it can quickly become overwhelming, because each cloud resource, application, and endpoint emits event log data differently.
They may use different formats or report different types of information, which can make comparing them as part of your threat hunting and alert response process time-consuming.
Centralized log management solutions enable a more robust cybersecurity posture because they give you a way to collect, aggregate, and correlate log data efficiently. In doing so, they make it easier to locate and remediate weaknesses. The more rapidly you can remediate risks, the more likely you are to prevent a data breach.
28. Create an employee training program
Employee cybersecurity awareness training needs to be meaningful and useful to protect against social engineering attacks. As part of your data breach prevention practices, you need to provide training, assess user knowledge, and ensure minimum baselines.
Cybercriminals often engage in social engineering attacks to obtain otherwise unauthorized access to systems, applications, and networks. Your training materials should include:
- Phishing attack recognition and response strategies
- Vishing (voice phishing) and smishing (SMS phishing) tactics
- Strong password creation
- Recognizing malicious websites
- Issues with unsafe media, like USB drives
As part of your employee security awareness training program, you should document assessment outcomes and periodically provide additional training modules.
29. Continuously monitor security controls’ effectiveness
The only consistency in cybersecurity is that it’s not consistent. Malicious actors continuously evolve their threat methodologies, which means that the controls that protect today may not be adequate tomorrow.
Regulations and industry standards increasingly recognize that point-in-time control reviews no longer secure data. To prevent a data breach, you need continuous real-time visibility into your controls’ effectiveness.
When establishing best practices, you want to set up alerts for several areas that cybercriminals target, including:
- Malware detected on endpoints
- Failed login attempts
- Unusual traffic volumes
- Slow network speed
- Outdated software
- Open, unused ports
While these are only a few issues that impact enterprise systems, networks, and devices, they provide visibility that can mitigate some common attack vectors.
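Sections 27 and 29 describe two halves of one pipeline: normalise differently formatted logs into a common schema, then alert on patterns such as repeated failed logins that no single source would see on its own. The following Go program is an added example, not code from the article or from SecurityScorecard. It parses three constructed log formats (an sshd syslog line, an identity provider's JSON record, and a web application's CSV audit row) into one Event type, counts lines it cannot parse instead of dropping them, and raises an alert when a user accumulates a threshold of failed logins inside a time window across all sources. The formats, field names, and the three-failures-in-five-minutes threshold are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is the single schema every source is normalised into; correlation only
// becomes possible once user, time and outcome mean the same thing everywhere.
type Event struct {
	Time    time.Time
	Source  string
	User    string
	Success bool
}

// Constructed sample lines in three formats: an sshd syslog line, an identity
// provider's JSON record and a web application's CSV audit row.
var rawLogs = []string{
	`2024-03-01T09:00:05Z host1 sshd[1200]: Failed password for jdoe from 203.0.113.9 port 5000 ssh2`,
	`{"ts":"2024-03-01T09:00:20Z","actor":"jdoe","result":"FAILURE","svc":"idp"}`,
	`webapp,2024-03-01T09:00:40Z,jdoe,login_failed`,
	`2024-03-01T09:01:10Z host1 sshd[1201]: Accepted publickey for asmith from 10.0.0.5 port 5001 ssh2`,
	`{"ts":"2024-03-01T09:03:00Z","actor":"jdoe","result":"SUCCESS","svc":"idp"}`,
	`this line is not in any known format`,
}

var sshdRe = regexp.MustCompile(`^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for (\S+) from `)

// Normalise parses one raw line from any of the three sources. ok is false for
// lines it does not recognise, so they are counted instead of silently dropped.
func Normalise(line string) (ev Event, ok bool) {
	var ts, source, user, outcome string
	switch {
	case sshdRe.MatchString(line):
		m := sshdRe.FindStringSubmatch(line)
		ts, source, user, outcome = m[1], "sshd", m[3], m[2]
	case strings.HasPrefix(line, "{"):
		var rec struct{ TS, Actor, Result, Svc string } // json matches keys case-insensitively
		if json.Unmarshal([]byte(line), &rec) != nil {
			return Event{}, false
		}
		ts, source, user, outcome = rec.TS, rec.Svc, rec.Actor, rec.Result
	default:
		f := strings.Split(line, ",")
		if len(f) != 4 {
			return Event{}, false
		}
		ts, source, user, outcome = f[1], f[0], f[2], f[3]
	}
	t, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return Event{}, false
	}
	success := outcome == "Accepted" || outcome == "SUCCESS" || outcome == "login_ok"
	return Event{t, source, user, success}, true
}

// Ingest normalises every line and returns the events plus the count of lines that
// matched no parser, a number worth alerting on in itself.
func Ingest(lines []string) ([]Event, int) {
	var events []Event
	unparsed := 0
	for _, l := range lines {
		if ev, ok := Normalise(l); ok {
			events = append(events, ev)
		} else {
			unparsed++
		}
	}
	return events, unparsed
}

// FailedLoginBursts returns the users with at least threshold failed logins inside
// any window, counted across all sources. Each source alone saw one failure for
// jdoe; only the correlated view crosses the threshold.
func FailedLoginBursts(events []Event, threshold int, window time.Duration) []string {
	byUser := map[string][]time.Time{}
	for _, e := range events {
		if !e.Success {
			byUser[e.User] = append(byUser[e.User], e.Time)
		}
	}
	var flagged []string
	for user, ts := range byUser {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := 0; i+threshold-1 < len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Summary renders the pipeline result as one line for an operator.
func Summary(events []Event, unparsed int, flagged []string) string {
	return fmt.Sprintf("%d events, %d unparsed, failed-login bursts for %v", len(events), unparsed, flagged)
}

func main() {
	events, unparsed := Ingest(rawLogs)
	fmt.Println(Summary(events, unparsed, FailedLoginBursts(events, 3, 5*time.Minute)))
}
```

Note that jdoe's final successful login after three failures is exactly the sequence the alert exists to surface: a burst of failures followed by success is what a guessed or stuffed password looks like in the logs, and the 30-second variant in the test shows why the window has to be tuned to how fast an attacker actually retries.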
30. Create an audit trail to prove governance
Nearly every organization must meet one or more compliance requirements. While compliance is not equal to security, it often gives visibility into how well your organization enforces security controls and practices.
Point-in-time audits are no longer effective measures of security robustness. However, documentation that shows your ability to monitor your control environment continuously and mitigate ransomware attacks proves governance over your security posture. By documenting your activities, you gain insight into your cybersecurity program’s maturity and continuously improve your program.
Establish best practices for preventing a data breach
Establishing best practices for preventing a data breach can be difficult, but enforcing those best practices feels overwhelming in complex, interconnected IT ecosystems. SecurityScorecard’s security ratings platform continuously monitors security controls’ effectiveness across ten categories of risk and alerts you to new threats.
With our at-a-glance A-F security ratings, you can gain visibility into your IT stack security and monitor your third-party vendors for enhanced security. Customers have aligned their security programs and vendor risk management programs with our platform’s ten risk categories. This alignment gives them a way to establish meaningful, objective cybersecurity key performance indicators to create a quantitative approach to managing risk.
Enterprise security experts receive high volumes of alerts every day, making prioritization and remediation difficult. SecurityScorecard’s alerts incorporate a risk review and actionable remediation steps so that you can prioritize your daily activities.
The first step to security is to establish best practices for preventing a data breach. Continuously monitoring controls and enforcing policies with SecurityScorecard’s platform allows you to mature your security posture.