Internet and On-Line Security is something that every business needs to take seriously. The media often have lurid tales of thefts of financial data, malicious attacks on prominent websites, and some have even been hijacked and their content changed.
It's not just the large corporations anymore. As they have tightened up their defences and made them more difficult to breach, criminals have moved to smaller companies where defences are generally less secure and easier to break.
However, it is not so generally known that the most serious security threats come from within a business. Users can become lazy, or become annoyed with what they perceive as petty restrictions and try to bypass security policy. Sometimes they succeed. At a more serious level, users can steal personal and proprietary company data to sell, or they can take advantage of gaps in security to steal money. That could be business threatening.
The first thing is to realise it could happen to you. Some commentators state that the only secure business is one that has not been breached yet. Complacency is your worst enemy and you shouldn’t rely on your software and security appliances to keep you safe.
Here are six tips and hints about effective ways to prevent data breaches.
Users need to know why there are security policies and procedures in place and what they are. They need to understand that they are there to protect the business and ultimately their jobs. They may seem petty and restrictive, but they must know that they are there for a reason.
End-user awareness is key to the successful implementation of security policy. Without user understanding and compliance, policies will either be ineffective or be blamed for poorer performance in carrying out the job.
It is also important to have regular positive reinforcement.
Security against data breaches is not just about IT. It involves the whole company. IT staff are professionals when it comes to IT security, but they probably are not experts in other aspects of security. Data theft is not only electronic; paper records can be retrieved from dumpsters or taken home in a briefcase, for example.
IT needs to work closely with security experts to assess the type of sensitive information held, and the risk of it being stolen. Priority can then be given to protecting the most sensitive data.
Security experts will also give advice on handling data, especially if it can be copied to flash drives or DVD and removed from the site.
Allow people to see only what they need to see
Part of the information that will flow from the risk assessment is knowledge of who needs to see what to be able to carry out their job function. Simply put, people should see only what they need to see. Only trusted and necessary people should be able to see sensitive or restricted information, and only when it is essential to their job.
This could be included in the formal data security policy.
A common vector for malware entering a company network and for information to leave is through desktop computers and attached devices like flash-drives and DVDs. Desktops must be locked down to prevent users downloading and installing their own applications, transferring information to and from web locations, and using flash drives and other portable equipment to transfer information to and from their desktop.
From a technical perspective, every desktop should have malware protection software, regularly and automatically updated. Users should not have access to Administrator mode, and should not be allowed to change any system settings on their desktop. If possible, USB ports and DVD drives should be disabled.
Email security is essential to prevent users clicking on email links that lead to dubious or malicious content.
Data encryption and Password Security
In some cases it might be necessary to use encryption to secure particularly sensitive data and email content. Passwords also need close attention. It is not a fairy tale that users write their password on a post-it note and stick it onto their desktop monitor. They also tend to use easily remembered passwords like a memorable date, or family or pet names.
Passwords need a forced change at regular intervals and ideally are automatically generated to ensure a proper mix of lower and uppercase characters, numbers and special characters.
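As an added example that is not part of the original article, the following Python code shows what the password rules above look like when enforced in software: a generator that always produces a mix of lower- and uppercase letters, digits and special characters, a checker that rejects the memorable dates and pet or family names mentioned above, and a rotation check for the forced change interval. The minimum length, the 90-day interval and the blocked-word list are assumed values for illustration, not figures from the article.

```python
import re
import secrets
import string
from datetime import date, timedelta

# Policy values are assumptions for this example; a real policy sets its own.
MIN_LENGTH = 14
ROTATION_DAYS = 90
# Constructed sample of "memorable" words the checker should reject (pet/family names).
BLOCKED_WORDS = {"fluffy", "rover", "smith", "password"}
# One entry per required character class, in the order reported by the checker.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+")
# Four-digit years and two-part numeric dates such as 12/03 or 03-12.
DATE_PATTERN = re.compile(r"(19|20)\d{2}|\d{2}[/\-.]\d{2}")


def policy_violations(password):
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for name, cls in zip(("lowercase", "uppercase", "digit", "special"), CLASSES):
        if not any(c in cls for c in password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    if any(word in lowered for word in BLOCKED_WORDS):
        problems.append("contains a blocked name or word")
    if DATE_PATTERN.search(password):
        problems.append("looks like it contains a date")
    return problems


def generate_password(length=MIN_LENGTH):
    """Generate a random password from the OS CSPRNG that satisfies every rule above."""
    rng = secrets.SystemRandom()
    alphabet = "".join(CLASSES)
    while True:
        # One character from each class guarantees the required mix ...
        chars = [secrets.choice(cls) for cls in CLASSES]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)  # ... and shuffling hides which position came from which class
        candidate = "".join(chars)
        if not policy_violations(candidate):  # rare accidental date/word patterns are retried
            return candidate


def rotation_due(last_changed, today=None):
    """True when the password is older than the forced-change interval."""
    today = today or date.today()
    return today - last_changed >= timedelta(days=ROTATION_DAYS)
```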
Take care of your backups
One often forgotten route for data theft is via tampering with or stealing backup data sets. There has been a case in the UK where magnetic tapes containing sensitive personal health details were found lying in a landfill. A prominent City bank had a backup tape containing sensitive customer information stolen from a courier service taking it to off-site storage.
A data security policy needs to consider how on-site and off-site data can be secured. Third-party data storage providers need to be thoroughly vetted to ensure security of backup data.
This also includes paper data. If it is to be disposed of, it must be securely disposed of, not just put in the trash. It must be shredded or burnt and if necessary certified as being destroyed. Some particularly sensitive data should also be witnessed as being destroyed.
This short list gives some pointers towards a more secure data environment, not just in IT, but in the entire business. It doesn't include some other potential risk areas, for example, remote access to systems and data. Carrying out a risk assessment should highlight those areas.