Holding customer data is becoming an increasingly perilous duty for businesses of all sizes. With data breaches on the rise and fines ramping up, organisations need to take the necessary steps to protect their data. From training new recruits, to employing ‘white hat’ hackers, Cyril Law, CTO at Outra – provides his top 5 data security tips.
These days data breaches are never far from the headlines. Recently we’ve seen cyber criminals steal the personal and financial information of 380,000 British Airways customers. Meanwhile, Equifax were handed a £500,000 fine after last year’s catastrophic attack which led to the compromise of personal information pertaining to 15 million consumers.
Moreover, a study by Kroll revealed the number of breaches have increased by 75 per cent over the past two years.
Clearly it’s an incredibly adverse environment for organisations that hold the data of their customers.
So with all this in mind how do organisations best protect themselves? Here are five top data security tips to ensure you don’t find the ICO on your doorstep!
1. Training and Threat Assessment
Firstly it is crucial that all staff are trained on how to spot a threat and deal with it. That includes everyone from the CEO down to part time workers.
It is essential to run through potential scenarios which could impact the business with department heads to confirm if all areas are covered. These might include unencrypted emails, potentially sensitive documents lacking password protection and work laptops with weak or missing passwords.
Research shows that despite the increased threat of phishing and data breaches, 60 per cent of people still use the same password for everything – and often they don’t contain a mix of capital letters, lowercase letters, numbers and special characters.
This is becoming so important that California recently passed a law banning default passwords like “admin,” “123456” and the old classic “password” in all new consumer electronics starting in 2020.
Every new gadget built in the state from smart home tech to routers will have to come with “reasonable” built-in security features. The law specifically calls for each device to come with a pre-programmed password “unique to each device” – much like the gobbledegook WiFi passwords printed on the back of Netgear or BT routers.
It also stipulates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.” This compels users to change the unique password to something new and secure as soon as it’s activated for the first time.
For years, botnets have utilised the power of badly secured connected devices to overwhelm websites with high volumes of internet traffic — so-called distributed denial-of-service (DDoS) attacks.
Botnets typically rely on default passwords that are hard coded into devices when they’re built that aren’t later changed by the user. Malware breaks into the devices using publicly available default passwords, high jacks it and ensnares it into conducting cyber attacks without the user’s knowledge.
Understanding how easy it is for security to be breached is half the battle. The next half is ensuring that employees and key suppliers understand what to do to preserve security, being clear about efforts made to ensure data integrity and managing stakeholders’ expectations.
2. Update security policies and regularly review staff permissions
All staff should adhere to company security policies. It’s vital everyone understands the importance of robust passwords, never clicking on suspicious links, and recognising hacked websites. Every new person joining the business should be inducted on the organisation’s security policies. A study revealed that this is not the case for the majority of new recruits, with only 22 per cent receiving clear information on security protocols.
A friend of mine works at a business school and in one week they had five data breaches including a member of staff receiving a phishing email which they responded to with their university system password. The same password was also used for a number of their personal accounts. The hard drive of the laptop was deleted and the victim was advised to change all passwords.
Another member of the team received a call whilst working at home purporting to be from BT telling them their account had been hacked. They downloaded the support software and made a payment before realising it was a scam. IT disabled the account remotely.
Fortunately, no evidence was found that any data had been compromised, or of any virus. However, as a precaution the laptop hard drive was erased and again the member of staff was instructed to change all passwords.
The other three incidents were less serious such as sending an email containing name and address data to the wrong person, however, this is still a data breach under GDPR and action must be taken. This shows that it is vital to keep reminding staff about security policies and ensuring that data security tips are routinely shared and made part of the culture.
Whilst it may feel like you are giving the safety talk on an aeroplane, which you know full well no one is taking any notice of, at least some of it will permeate. After all we all know that “the life jacket is situated under your seat…”
3. Detection and prevention solutions
They say prevention is better than a cure. Consequently organisations should invest in intrusion detection with alerts and automatic prevention systems in the event of an inadvertent hack. Segmented networking, data encryption, role-based security and two-factor authentication architecture should also be implemented.
Many SMEs make the mistake that this is only applicable to the biggest corporations, but this is not the case. In the UK, 42 per cent of micro/small businesses reported a cyber security breach in 2018, rising to 65 per cent for medium/large businesses.
For SMEs it’s essential to make sure that:
- enterprise-wide anti-virus systems are all up-to-date
- there are encrypted hard drives on all computing devices
- employees avoid using USB devices or sticks
- systems are backed up and securely stored to mitigate risk to key systems
4. Use an ethical hacker
Often the best way to determine how secure your systems are is by hiring a white hat hacker to do it for you. Public facing internet sites, for instance, should be pen tested at least on a quarterly basis.
Pen testing, otherwise known as penetration testing, is an authorized simulated attack performed to evaluate the security of the system and identify any vulnerabilities. It should also flag up the strengths of the system as well as weaknesses which will need to be addressed immediately.
Actioning data security tips is all well and good, but having a white hat hacker examine your site and reveal its weaknesses really hits the message home.
5. Make an organisational commitment to security
ISO27001 is the international standard prescribing best practice for an Information Security Management System (ISMS). It provides a framework for establishing, implementing, operating, monitoring and improving information management using a six-part process model.
Currently only one per cent of UK businesses currently hold ISO27001 due to the complexity involved in adhering to the controls outlined by the standard. The accreditation builds a culture of security and helps protect valuable data and information assets.
So while it may require a little extra effort to implement, it’s that effort which ultimately helps ensure your organisation’s data security.
Get your defences ready
A data breach can be hugely costly to businesses of any size. So making sure you have the right defences and procedures in place, should be a priority. The question is: is data security a priority at your organisation yet? If not, it’s time to get planning…
The following article was published by The Global Marketing Alliance, 17th December 2018.