mrc's Cup of Joe Blog

Join us in exploring the world of modern development, evolving technologies, and the art of future-proof software

Is your business data really secure? (Part 2)

Summary: With data breaches on the rise, security becomes more important than ever. Is your company (unwittingly) putting your data at risk? Are you following best practices for data security? Learn 7 more ways to better secure your data.


photo credit: Didgeman via pixabay cc

Like a chain, your data security is only as strong as your weakest link. You may have the strongest security protocols in place, but one small misstep can compromise your entire system.

Have you taken every security precaution? Is your business data really secure?

In the first part of this article, we covered 7 important security tips that you can’t ignore:

  • Avoid spreadsheet overuse
  • Create password policies
  • Use 2-factor authentication
  • Monitor user workstations
  • Hold security and awareness training
  • Create a good rapport with end users
  • Limit data access

But, that’s just the tip of the iceberg. Security is such a broad topic, and one that we can’t possibly cover in a single article.

Today, let’s dive deeper into the topic. What other steps can you take to keep your business data secure? Here are 7 more important tips:

1. Don’t rely on anti-virus

Many consumers (and even some businesses) wrongly assume that security starts and ends with anti-virus software. But, will anti-virus software truly protect your business data from modern cyber attacks? No. Anti-virus is just a small part of the security landscape.

“Once the trusted umbrella of protection for everyone, anti-virus solutions now provide a false sense of security for most,” says John Thompson, Director, Systems Engineering of ThreatSTOP. “Anti-virus solutions offer credible protection for older issues but, today’s cyber criminals know this and have adapted. Today, most attacks first seek to disable a device’s anti-virus. They also disguise its compromised status from the management server so the attack can continue undetected and spread. Companies can leverage anti-virus by adding a complementary layer of non-host based security to block certain inbound and outbound traffic. Simply, by using a continually updated shared intelligence of bad and suspect IP addresses, a firewall can block malware’s attempts to communicate in real-time. As Gartner reports that “malware is already inside your organization,” this strategic approach effectively blocks attacks faster and, should malware find its way onto a device, cuts the lines of communication so the bad guys can’t “call home” and leak data to 3rd parties or damage additional IT assets.”
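The “cut the lines of communication” idea above comes down to matching outbound flows against a threat-intelligence feed. The following is an added illustration, not code from the blog or from ThreatSTOP: it loads a constructed feed of bad IPs and CIDR ranges, runs it over a few constructed firewall log lines (the `src=/dst=/dport=` format is an assumption), and reports the outbound connections a feed-aware firewall would block or alert on.

```python
import ipaddress
import re

# Constructed threat-intelligence feed (documentation ranges only). A real feed
# would be refreshed continually from a shared source.
BLOCKLIST_FEED = """
# comments and blank lines are ignored
203.0.113.0/24
198.51.100.77
192.0.2.10/32
"""

# Constructed outbound firewall log lines; the field layout is an assumption.
SAMPLE_LOG = """
2024-05-01T10:00:01 fw OUT src=10.0.0.15 dst=93.184.216.34 dport=443
2024-05-01T10:00:02 fw OUT src=10.0.0.15 dst=203.0.113.42 dport=8080
2024-05-01T10:00:03 fw OUT src=10.0.0.22 dst=198.51.100.77 dport=443
2024-05-01T10:00:04 fw OUT src=10.0.0.22 dst=10.0.0.1 dport=53
2024-05-01T10:00:05 fw OUT src=10.0.0.31 dst=not-an-ip dport=80
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def load_blocklist(feed: str) -> list:
    """Parse a feed of IPs and CIDRs into network objects, skipping comments."""
    nets = []
    for raw in feed.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False turns a bare host address into its own /32 network
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_blocked(dst: str, nets: list) -> bool:
    """True when the destination falls inside any feed entry."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # unparsable destination: not a feed match (log it separately)
    return any(addr in net for net in nets)


def find_callhome_attempts(log: str, nets: list) -> list:
    """Return (src, dst, dport) for outbound flows whose destination is on the feed."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if is_blocked(m["dst"], nets):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    feed = load_blocklist(BLOCKLIST_FEED)
    for src, dst, port in find_callhome_attempts(SAMPLE_LOG, feed):
        print(f"BLOCK/ALERT: {src} -> {dst}:{port} matches threat feed")
```

The internal source address in each hit is the asset worth investigating: a host repeatedly trying to reach feed-listed destinations is the “malware already inside” case the quote describes, regardless of what the endpoint's anti-virus reports.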

2. Keep employees informed

Your data security is only as strong as its weakest point. For many companies, that point is uninformed employees. While most companies have security policies, not every company makes them accessible.

If you want employees to follow your security policy, ensure that it’s always available (and that they know where to get it). Don’t let ignorance lead to a data breach.

“Make sure all employees are aware of the data security policies,” says Sean Merat, CEO of Witkit. “There are times when data is compromised simply because an employee is unaware of certain policies. When all staff is made aware of the importance of security, and how to safely send information, the chances of a weak link compromising sensitive information significantly lessens.”

3. Develop a security-first mindset

photo credit: dierk schaefer via photopin cc

Security must be a company-wide goal.

Your company may have the most comprehensive security guidelines. You may communicate those guidelines clearly to your employees. You may have the best security software. But, it’s all meaningless if you lack one key element: A security-first mindset.

For instance, what if the IT department or the C-level executives aren’t following proper security protocols? What message does that send to your employees? Actions speak louder than words. If your entire business doesn’t have a security-first mindset, it will be clear to your employees.

“Develop a security-first mindset, make it a C-level responsibility and verify with an expert,” says Carl Mazzanti, CEO of eMazzanti Technologies. “Everything that you do relates to data security from backups to business continuity planning to hardware, software, networks and all of the people in the organization. The doer shouldn’t be the checker. You always need someone that you can trust to come in to guide the data security and continuity planning process. I am continually in touch with the data security space and work aggressively to help my clients make the best security technology decisions.”

4. Back up the backups

Data security is more than protecting yourself from attackers. It also involves creating regular data backups to protect yourself against data loss in any form.

But, research shows these important practices go ignored.

For instance, this survey finds that 53% of SMBs do not even conduct daily backups.

Another study finds that over 34% of companies do not test their backups, and, of those that did test, 77% found that tape backups failed to restore.

Let me ask you a question: How are you backing up your data? Do you watch your automatic backups to ensure they’re working? Are you backing up your backups?

“Cloud storage is becoming cheaper by the day and reliability is improving,” says David Zimmerman, CEO of LC Technology International. “It’s a viable option for backups, but make sure you don’t simply move all of your data storage to the cloud. You want redundancy, which means a mixture of cloud and on-premises storage. For the most sensitive data, consider a private cloud and/or saving information to hard drives that are kept in a locked safe. Cloud data access does rely on internet access, so physical media can still be useful if you can’t get online.”
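A backup you have never restored is the untested backup the study above counts. The script below is an added example, not code from the blog or from LC Technology: it writes a small constructed data set, archives it, records a SHA-256 manifest at backup time, restores the archive into an empty directory and reports every file that is missing or differs. An empty problem list is the only result that should count as “the backup works”.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large backup members do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> list:
    """Restore into an empty directory and list problems; [] means the backup restores cleanly."""
    # Use the safe extraction filter where this Python version provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    actual = manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    for rel in sorted(actual.keys() - expected.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_restore_test(simulate_failure: bool = False) -> list:
    """Constructed end-to-end check: write sample data, back it up, restore it, compare.

    With simulate_failure=True the recorded digest of one file is deliberately
    replaced, showing how a mismatch surfaces instead of silently passing.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("id,amount\n1,42\n")
        (src / "notes.txt").write_text("quarterly close\n")

        archive = tmp / "backup.tar.gz"
        expected = make_backup(src, archive)
        if simulate_failure:
            expected["notes.txt"] = "0" * 64  # constructed wrong digest

        restore_dir = tmp / "restore"
        restore_dir.mkdir()
        return verify_restore(archive, expected, restore_dir)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("simulated failure problems:", run_restore_test(simulate_failure=True))
```

Scheduling this against every automatic backup, and alerting on a non-empty list, is what “watching” the backups means in practice; keeping the manifest on separate storage from the archive is the cheap version of backing up the backup.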

5. Stage fake attacks

photo credit: s2dent via pixabay cc

In the first part of this article, we highlighted the importance of security training. But, how much of that training will an employee retain?

Research shows that within one hour, people will forget an average of 50% of the information presented. Within 24 hours, they have forgotten 70%. In a week, it’s up to 90%. No matter how much great information you teach, employees will forget nearly everything. That’s pretty depressing, isn’t it?

How can you get these security principles through to your employees? Here’s one way: Set up fake attacks. Employees will learn key security principles much faster if they experience them first hand.

“Stage fake phishing attacks,” says Robert Siciliano, Identity Theft Expert with BestIDTheftCompanys.com. “See who gets duped into clicking a ‘malicious’ email link by sending staged phishing emails to employees’ inboxes. Of course, the site that the ‘malicious’ link leads to will be safe. These test emails should contain clues that they’re not from the alleged sender.”

What happens if employees fall for these traps? Use it as a learning experience.

“Don’t embarrass your employees,” says Siciliano. “Don’t waste time criticizing employees who fall for your pseudo traps. Instead, help them understand why it’s critical for them to be on guard—the next trap could be the real thing.

Share the details about how to spot a phishing scam. For instance, grammatical and spelling errors in an email are one tip-off it’s probably malicious. Also, if the sender’s URL contains an IP address or seems to originate from a domain that’s different from the purported sender’s domain, it’s most likely not legit.”
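The two link tip-offs Siciliano lists (a raw IP address in the URL, or a link domain that does not match the purported sender’s domain) are mechanical enough to check automatically, which is also how a mail gateway or a training debrief can show employees exactly which clue they missed. This is an added example and not code from the blog or from BestIDTheftCompanys.com; the sample message is constructed, and the “last two labels” domain comparison is a deliberate simplification that does not use a public-suffix list.

```python
import ipaddress
import re
from urllib.parse import urlparse

HREF_RE = re.compile(r'href=["\'](?P<url>[^"\']+)["\']', re.IGNORECASE)

# Constructed sample: a "helpdesk" message with one legitimate link and two
# links that match the tip-offs described in the text.
SAMPLE_SENDER = "IT Helpdesk <helpdesk@example.com>"
SAMPLE_BODY = """
<p>Your password expires today. Please act now.</p>
<a href="https://portal.example.com/login">Sign in normally</a>
<a href="http://192.0.2.55/reset">Reset your password</a>
<a href="https://example-com.test/verify">Verify your account</a>
"""


def base_domain(host: str) -> str:
    """Approximate registrable domain as the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True when the link host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def sender_domain(sender_header: str) -> str:
    """Pull the domain out of a From header such as 'Name <user@domain>'."""
    return sender_header.rsplit("@", 1)[-1].strip("> ").lower()


def link_warnings(sender_header: str, html_body: str) -> list:
    """Return (url, reason) for each link that trips one of the two tip-offs."""
    sdomain = base_domain(sender_domain(sender_header))
    warnings = []
    for m in HREF_RE.finditer(html_body):
        url = m["url"]
        host = urlparse(url).hostname or ""
        if not host:
            continue  # mailto:, relative links etc. are out of scope here
        if is_ip_literal(host):
            warnings.append((url, "link host is a raw IP address"))
        elif base_domain(host) != sdomain:
            warnings.append((url, f"link domain {base_domain(host)} differs from sender domain {sdomain}"))
    return warnings


if __name__ == "__main__":
    for url, reason in link_warnings(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"suspicious: {url} ({reason})")
```

Because the check keys off the sender domain, it only helps when that header is trustworthy; spoofed senders are the reason the page’s other clues (spelling, urgency, unexpected requests) still matter alongside it.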

6. Implement systems to track data and user access

We hear all about data breaches caused by organized teams of hackers in other countries. These types of breaches make the news.

Do you know what doesn’t make the news? The disgruntled employee who steals data on the way out of the company. The user who has too much data access. While often ignored, these are bigger risks to more companies than a coordinated group of super-hackers. As explained below, creating a formal system to track accounts and user access is an invaluable security step.

“One of the pitfalls I see in many small businesses is no formal system for keeping and tracking critical accounts and passwords,” says Garrett Perks, Principal and Creative Director at EvenVision. “Have a system in place to track each account, who has access to it, and how access can be managed.

This becomes especially important if a staff member leaves unexpectedly, or needs to be let go. Knowing what they have access to & how to regain access in their absence is key. Being able to terminate access when terminating an employee is also essential. A disgruntled past-employee can cause serious harm if the employer doesn’t know exactly what they have access to and isn’t able to rapidly manage access to pass control to someone else.”
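The “formal system” Perks describes does not need to be elaborate; what matters is that for every account you can answer who owns it, who can use it and how access is removed. The registry below is an added example (not the blog’s or EvenVision’s code) built on constructed sample data: it produces the offboarding checklist for a departing person, revokes their access and reassigns anything they owned, and flags accounts that have no owner or no documented revocation path, which is exactly the pitfall the quote warns about.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    system: str                              # e.g. "payroll-db"
    owner: str                               # person responsible for managing access
    users: set = field(default_factory=set)  # people who currently hold access
    revoke_how: str = ""                     # runbook pointer: where access is removed


class AccessRegistry:
    def __init__(self, accounts: list):
        self.accounts = {a.system: a for a in accounts}

    def offboarding_checklist(self, user: str) -> list:
        """(system, role, owner, how-to-revoke) for everything `user` can reach or owns."""
        steps = []
        for a in self.accounts.values():
            if user in a.users or a.owner == user:
                role = "OWNER" if a.owner == user else "user"
                steps.append((a.system, role, a.owner, a.revoke_how))
        return sorted(steps)

    def revoke_all(self, user: str, new_owner: str) -> list:
        """Remove `user` everywhere and hand ownership of their accounts to `new_owner`."""
        changed = set()
        for a in self.accounts.values():
            if user in a.users:
                a.users.discard(user)
                changed.add(a.system)
            if a.owner == user:
                a.owner = new_owner
                changed.add(a.system)
        return sorted(changed)

    def gaps(self) -> list:
        """Accounts nobody owns or that have no documented way to revoke access."""
        return sorted(a.system for a in self.accounts.values()
                      if not a.owner or not a.revoke_how)


def sample_registry() -> AccessRegistry:
    """Constructed inventory for a small company; names and systems are made up."""
    return AccessRegistry([
        Account("payroll-db", owner="alice", users={"alice", "dana"},
                revoke_how="DB admin console > users"),
        Account("crm", owner="dana", users={"dana", "bob"},
                revoke_how="CRM admin > deactivate user"),
        Account("legacy-ftp", owner="", users={"dana"}, revoke_how=""),
        Account("wiki", owner="bob", users={"bob"}, revoke_how="SSO group 'wiki-users'"),
    ])


if __name__ == "__main__":
    reg = sample_registry()
    print("gaps to fix before anyone leaves:", reg.gaps())
    for system, role, owner, how in reg.offboarding_checklist("dana"):
        print(f"revoke {role} on {system}: ask {owner or 'NOBODY'} to {how or 'UNKNOWN'}")
    print("changed:", reg.revoke_all("dana", new_owner="alice"))
```

Running `gaps()` regularly is the preventive half: an account with no owner and no revocation runbook is the one that stays open after a departure because nobody knew it existed.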

7. Keep all systems patched

photo credit: archer10 (Dennis) via photopin cc

The Open Web Application Security Project (OWASP) is a highly-respected online community dedicated to web application security. Their “OWASP Top Ten” list outlines the biggest security vulnerabilities facing modern web applications.

Number 9 on their list: Using Components with Known Vulnerabilities. It’s a common problem. Businesses fail to keep their systems patched with the latest updates, leaving an open door to an outside attacker.

“It is very useful to set up automatic program updates, including operating system updates,” says Vasiliy Ivanov, CEO at KeepSolid. “The statistics show that unpatched devices are more likely to get hacked as their software has more vulnerabilities, easily exploited by phishers and hackers.”

Summary

While this list could certainly go on, the points listed above are some great tips for securing your business data. What do you think? Would you add anything to the list? If so, please feel free to share in the comments.