“We live in a society exquisitely dependent on science and technology, in which hardly anyone knows anything about science and technology.” — Carl Sagan
Your business manipulates and stores valuable data every day. Are you taking the proper measures to prevent its loss or unwanted exposure? Make sure you avoid tempting fate by regularly taking a holistic audit of your security to keep your data safe at all times. Look at it from three key perspectives — your tools, your training and your planning.
Ensure Your Systems’ Protection with Technical Measures
Your first line of defense against information theft or leaks is naturally your systems themselves, which require a series of security precautions to regulate access including:
- Firewalls: Both software and hardware firewalls help protect your network from unwanted snooping and many external attacks, especially those by hackers sweeping for exposed targets. Software firewalls are fine for small networks with few devices, but you’ll need to scale up your hardware to effectively manage centralized protection across larger setups.
- Encryption: Using encryption is a great secondary defense in case your information does fall into the wrong hands. Without the proper means for decryption, it will remain meaningless gibberish.
- Backups: It’s bad enough if your confidential material is leaked externally, but it’s even worse if you lose that information entirely. Protect yourself against attacks that delete or destroy the information on your system by having external backups that aren’t on the network.
- Two-step authentication: The process of providing a physical element as well as knowledge to unlock access predates even computing, and for good reason. Two-step or two-factor authentication will help reinforce these points of entry to your system. SMS and email confirmation codes or specialized hardware dongles minimize the risk of unwanted access when passwords are stolen, so consider implementing them.
- Control over interfaces with the outside: Just like with the human body, the exposed parts of your network are the most vulnerable to an attack. Protect your physical interfaces with a carefully regulated policy on what information can be accessed from external devices, like USB drives or phones, to prevent people walking away with your data. Many companies prohibit any external device from interfacing with their machines.
Train Everyone — Including Management — to Understand IT Security
No matter how advanced your technical measures are, your weakest links are inevitably employees who, whether maliciously or through ignorance, do not implement your security procedures. Having adequate training is essential to get the value from all that protection software and hardware. Security training is also helpful to attract millennial talent, given the generation’s appreciation for technology and desire to work across multiple devices like phones and tablets for convenience. Make sure everyone understands:
- Password choice: Too many people make the mistake of going with simple, easily-guessed passwords, thinking it’s enough to add a few numbers or symbols at the end, or that long passwords are too difficult to remember.
Making passwords 10 characters long instead of 9 increases the possible combinations from 45 quadrillion to 3 quintillion, enough to make most hacking scripts give up and move on to more fruitful targets. Understanding that most password hacks involve simple guesses or brute force attacks is essential to explaining the importance of unique phrases and password length.
- Backup procedures: Make sure everyone knows where to properly store things, both at and away from the office — important files saved on desktops instead of network drives, for instance, are often permanently lost if a full system restore is needed in a pinch.
- Phishing awareness: This goes for everyone, but particularly those with access to sensitive information — understanding the telltale signs of email phishing is fairly simple when you know what to look for, and that knowledge will help keep those credentials safe.
- Safe browsing: Encouraging healthy browsing practices will help keep your machines free from malicious software like keyloggers. You should be restricting access to safe sites anyway, but there will always be those that slip through the cracks. Make sure your employees know what is and isn’t safe to download and execute.
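To make the password-length point above concrete, here is an added example (written for this page, not code from the article) that compares the search space of a few password shapes, including the "word plus a digit and a symbol" pattern that a cracker's rules already try. The character-class sizes and the guess rate are assumed values, and the figures are not meant to reproduce the article's quadrillion/quintillion numbers.

```python
import math

# Character-class sizes assumed for the estimate (not numbers from the article).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_size(classes):
    """Size of the alphabet a password is drawn from, given its character classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Number of distinct passwords of exactly `length` random characters from `classes`."""
    return alphabet_size(classes) ** length


def suffix_pattern_keyspace(base_length, base_classes, suffix_classes):
    """Search space of `base_length` characters from `base_classes` followed by one
    character from each class in `suffix_classes`, as seen by a cracker whose
    ruleset already tries the 'word + digit + symbol' shape."""
    space = keyspace(base_length, base_classes)
    for c in suffix_classes:
        space *= CHARSET_SIZES[c]
    return space


def entropy_bits(space):
    """Log2 of the search space: each extra bit doubles the work for a brute-force run."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def policy_report(guesses_per_second=1e10):
    """Compare password shapes at an assumed offline guess rate (constructed value)."""
    cases = {
        "8 lowercase letters": keyspace(8, ("lower",)),
        "8 lowercase + digit + symbol suffix": suffix_pattern_keyspace(8, ("lower",), ("digits", "symbols")),
        "10 random chars, all classes": keyspace(10, ALL_CLASSES),
        "14 random chars, all classes": keyspace(14, ALL_CLASSES),
    }
    return {name: (round(entropy_bits(s), 1), years_to_exhaust(s, guesses_per_second))
            for name, s in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in policy_report().items():
        print(f"{name:38s} {bits:6.1f} bits  {years:12.3g} years")
```

Appending a digit and a symbol to an 8-letter word adds only about 8 bits, while two extra random characters from the full set add roughly 13, which is why the training should stress length and unpredictability rather than a tacked-on suffix.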
Establish a Response and Recovery Plan in Case of a Breach
It’s not enough to do your best to prevent unwanted access to your system. You need to be prepared with well-defined solutions and procedures that can be implemented as soon as any suspicious events are detected. Don’t overlook that disaster recovery plan and include items such as:
- Shut down access: No security system is impervious to a breach. If one occurs despite your best efforts, ensure you have monitoring tools in place to alert you the moment anything happens. You will also need a centralized ability to shut down access to the system immediately for investigation and prevention of further loss.
- Proper access logging: To prevent leaks from repeating themselves, it’s essential you keep proper logs of all access and information transfer, enabling you to pinpoint the culprits, whether people or software.
- Backup recovery: If your system takes too long to recover, you’re missing out on valuable business on top of having a security leak. Make sure your backups are ready for deployment on alternate, secure environments at a moment’s notice, and you’ll minimize the damage.
- Re-deployment and password reset: You’ll want to review and reset all access controls when restoring your system, from passwords to security groups. Ensure your settings are accurate to prevent the same credentials from repeating the breach.
Next time you’re considering whether you’ve done enough to protect your system, err on the side of caution — even if things like two-factor authentication feel like a chore on a day-to-day basis. Remember that attacks rarely target individuals alone, especially when it comes to small businesses. They often happen on large, sweeping scales. If your security is always tighter than your peers’, these breaches may just pass you by.
It’s hard to ever be too secure, so start locking things down.