Originally published on the ITProPortal, February 2019, by Jeffrey Harrell
Data breaches and the loss of sensitive business information are the biggest threat that enterprises face today – and no industry is immune due to the valuable personally identifiable information (PII) of customers and employees that their databases hold. Internet of Things (IoT) devices compound this problem as they become fully ingrained in business operations, exposing us to even more risk.
Unsurprisingly, it’s becoming increasingly difficult to navigate these complex cybersecurity concerns and completely avoid a data breach. That said, there are simple and highly effective practices that can help minimize their likelihood. By implementing the five steps below, you can not only help prevent a data breach from happening in the first place but also better protect your data if you do become one of the unlucky victims.
Encourage Cybersecurity Team Buy-In
The first step on this security journey is to create a workplace culture that values customer and employee privacy and empowers the entire workforce to be active participants in the process. All employees should be encouraged to speak up if they recognize something that could be perceived as a security threat. This can be something small – like printing a customer’s credit card information for an invoice to a public printer – or something more significant – like noticing a suspicious email or an unusual alert to update a specific software application.
Additionally, your cybersecurity team should have a way to share these internal concerns and observations and address them in a timely manner. Introducing an incentive program for employees who detect significant vulnerabilities can increase involvement in the program. Continued employee education can also help participants better understand the difference between real data security threats and minor issues, reducing the number of “false positives”.
Perform Timely Updates
The catastrophic Equifax data breach can be traced to the company’s failure to download a patch. This is precisely why timely updates are no joke when it comes to data protection. When your software prompts you that a new update is available, make sure you perform the update. Despite being such an obvious step in preventing data breaches, users still forgo updates regularly for three main reasons:
- Due to the fluid nature of software updates and revisions, what is compatible one day might not be by the time the new update is out. There is often a fear that performing an update may conflict with another element in your IT stack. Understand what software is being used and which issues might occur if an update causes an incompatibility. Have a backup plan in place, and work to eliminate tools that might cause an unresolvable conflict within your IT stack. Inconvenient as this may be, it beats having to deal with a data breach.
- Notifications may be sent to the wrong person, whether a former employee, an outside contractor or someone on your team who does not realize he or she is responsible for this update. Make sure you have a system in place to ensure notifications for patches and updates go to the appropriate recipients. When someone on the IT team leaves the organization or transfers to another department, immediately update your notification settings. Also, consider sending important software update notifications to multiple users so everyone understands their specific role in the process.
- Since automation is a big part of our personal and professional lives, we sometimes assume updates are automated when they are in fact not. Despite being notified (and being the right person) and knowing that this update will not create an incompatibility with other software, users may ignore the update simply because they think it’s already been applied. Communicate to employees that updates will not be automatically applied for every software application and double-check that appropriate updates have been made.
Encrypt Your Data
Encryption is the act of encoding data to make it indecipherable to anyone except the person or persons who possess the encryption key. While encryption doesn’t prevent data attacks and breaches, it renders the data unreadable, making it unusable to hackers. Additionally, some forms of data encryption prevent the act of data manipulation. This is a rarer, more malicious type of data breach where the goal is to change the data rather than steal it. It is usually carried out by groups looking to damage a specific company or individual for political or personal gain rather than financial gain.
Uber, Equifax, and Yahoo all failed to deploy vital encryption technologies that would have rendered their stolen data unusable the moment hackers took it. The decision to not encrypt data is a risky one, as peripheral security tools such as firewalls and intrusion protection systems are continually being bypassed by hackers and do not protect the data itself. As a result, these organizations incurred significant penalties and a tarnished reputation for not properly protecting their customers’ data.
The main lesson? Always encrypt your data.
Back Up Your Data
In the event of a data breach, it’s important to make sure you do not place all of your eggs in one basket – or all of your data on one server. This is also incredibly important if your server simply fails or your data is corrupted. Backing up your data allows you to reconcile unauthorized changes in the event your organization is breached and data is modified. It also puts you in a better position if your data is held for ransom. Make sure all of your data is encrypted and that the keys are kept strictly separated from the data store and in possession of trusted individuals.
Another important practice that should not be ignored is to keep your data stored in different, but easily retrievable formats. Some security professionals even recommend making two copies of your data.
Test and Test More
Cybersecurity is not a single event – it’s an ongoing process. While you may upgrade software and patches when prompted, changes to code might create unforeseen vulnerabilities. Hackers are constantly probing systems for any susceptible weakness and you don’t want a hacker to find a security weakness before you do.
Vulnerability assessments and penetration testing are two of the most common ways to check for weaknesses, and when done in tandem they allow cybersecurity teams to identify possible outsider points of entry and greatly increase the effectiveness of your security. A vulnerability assessment is a process of scanning your system for any weak points, while penetration testing is the act of asking someone to infiltrate your system and take what they can. This might sound counterintuitive, but performing a test like this, either internally or with an outside, verified team, reveals the strength (or weakness) of your cybersecurity approach.
Getting ahead of potential threats is a vital practice in today’s security landscape and all organizations, regardless of industry or size, should be taking these basic security measures into account. An organization is only as secure as its weakest link, so don’t let security efforts fall to the wayside – especially when it’s sensitive employee and customer data on the line.