Virtually all businesses today collect and store some sort of information for customers, employees, vendors, and others. From customer account data and intellectual property to trade secrets and proprietary corporate data, the prevalence of information in the business environment has led to a significant rise in data breaches. In the first quarter of 2018, Infosecurity Magazine noted that almost 1.4 billion records were exposed in 686 reported breaches. And, it’s not just a problem for large corporations.
Small and mid-sized companies with fewer data security resources are particularly vulnerable to theft, loss and the mistaken release of private information. As a result, it’s important for businesses of every size to take steps to prevent data breaches. Being aware should always be the first step in mitigating security threats, but there are a few other ways to protect critical assets.
Knowledge is Power
It can be difficult to keep personnel ahead of the learning curve for threat detection and response. Hackers and malicious insiders have a seemingly endless bag of tricks from which to pull. Add to this well-meaning insider breaches that can be caused by such things as broken business processes, and you have a recipe for cyber disaster.
End-user security awareness and data loss prevention training are huge benefits when done often and in such a way as to create a more security-minded culture. By implementing cyber literacy training at all levels of your organization, you help eliminate human errors that could lead to a breach and help employees become more astute at noticing suspicious behavior. Employees should know what types of information are sensitive or confidential and what their responsibilities are to protect that data.
More advanced cyber training is appropriate for enabling IT and security teams to continuously improve their strategy and actively reduce risk. Training in such areas as threat intelligence, malware analysis and cyber forensics promote greater knowledge of threats and vulnerabilities.
Keep Only What’s Needed
It’s important to keep an inventory of the type and quantity of information in files and on computers so you know what you have and where you have it. By reducing the volume of information you collect to only what’s absolutely needed, you can minimize the number of places you store private data and, thus, reduce the opportunities for a breach.
The use of a remote data backup service can provide a safe and effective means for backing up information without using tapes that can be lost or stolen. If you choose to keep your data in-house, remember that deleting files or reformatting hard drives does not erase information. Instead, use software designed to permanently wipe the hard drive, or physically destroy the drive itself. And, be mindful of photocopy machines which often scan a document before copying. The settings should be changed after each use to clear the data.
Monitor What Comes In and What Goes Out
The use of Social Security numbers as employee IDs or client account numbers is a prime way to invite hackers in. If this is a policy your organization practices, it’s time to implement another ID system and update your procedures — pronto.
Good data loss prevention technology allows you to set rules and, based on those rules, block content that you do not want to enter or leave the network. It’s an effective measure for safeguarding personal data and restricting access. So many breaches today occur because employees visit malicious or compromised websites that can exploit a machine, putting an entire network at risk. Being able to block where insiders go is key to a good security policy.
With the right training, key personnel such as your HR person or compliance officer can know how to effectively review insider behavior that could lead to a data breach.
Assess Your Vulnerabilities, Often
Once a quarter isn’t enough when it comes to performing vulnerability assessments. System scans should ideally be done weekly, and every system in the network should be assessed. This is especially important when a new service is added to the network, new equipment is installed, or additional ports are opened. Look at computer systems, applications and your network infrastructure, both wired and wireless networks, internal and external.
The process of defining, identifying, classifying, prioritizing and training against cyber-attacks cannot be undersold. Having the necessary knowledge, awareness and risk background to understand threats and the ability to react appropriately to them is priceless.