Securing Your Data Assets
With the number of cyber-attacks increasing, organisations are constantly faced with the challenge of ensuring their most precious commodity, data, is kept secure. Organisations must be prepared to protect their data and to deal with the impact and backlash associated with losing sensitive information such as customers’ personal details and credit card records.
Data security involves applying digital privacy measures to prevent unauthorised access to computers, mobile devices, databases and websites. This should be the main priority of all organisations, regardless of their size and industry. Failing to have security measures in place to protect the company’s data could be detrimental to an organisation and could carry dire consequences if the data is compromised.
According to Acronis’ 2013 Data Protection Trends Research report, Australian organisations have been found to be rather lax with implementing basic IT security measures, especially when it comes to their BYOD policy. What can you do to secure your data and prevent your organisation from falling into this trend? What steps can you take to reduce the likelihood of a cyber-attack?
Why do security breaches occur?
Before an organisation can protect its data from being compromised, it is important to understand why security breaches occur. Too often, organisations have data security policies in place but take a minimal approach to implementing these policies across the various departments. The reason for this is that many organisations perceive information security to be too prohibitive and an impediment to their operations, one that can often impact the organisation’s efficiency. However, this could increase the potential of a cyber-attack as the company is seen to be an easy target for hackers.
Recent hacking scandals have been the result of catastrophic errors made by the business. It has been said that most security breaches occur due to human error – employees who misuse permissions to access company records, or misplace devices that contain sensitive data. This is especially the case with companies that implement a BYOD policy, and those that make exceptions for certain employees within an organisation. For example, C-level executives may be given certain authorisation and access to critical data as requested. However, giving employees the chance to bypass BYOD policies is an open invitation for data loss and serious compliance issues, as it increasingly exposes the organisation to security risks.
Additionally, employees could potentially increase the risk of an internal security breach by:
Sharing their passwords with others
Using their legitimate passwords and permissions to access data which they do not need for their own work and copying this data for unintended use
Accessing data that they do not need but that can be misused later
Accessing data with all the necessary permissions for malicious intent – this is often carried out by disgruntled employees or ex-employees
These internal issues could also heighten the risk of external parties hacking the organisation’s data as the systems are more vulnerable than those with intensive security measures. Hackers often access online assets through the cloud provider’s infrastructure or through login details within online records. Therefore, it is important to ensure your employees and vendors are working towards a mutual relationship where data security is front of mind.
How can your organisation secure your data assets?
Data security is all about risk mitigation – although you cannot eliminate all of the risk, you can mitigate the risks of losing data by following best practices. Customers and individuals can secure their data by:
Using strong, memorable passwords that are a mix of upper- and lower-case letters, numbers and symbols
Avoiding the reuse of passwords, especially when storing crucial data like credit card numbers, date and place of birth, address or social security numbers
Considering double-protecting inboxes with two-factor authentication so that a secondary code is sent to a mobile phone to verify that it is the authorised user
Using complex questions for your password recovery process
To ensure an organisation is well-equipped to deal with the occurrence of a data breach, a contingency plan should be put in place. These plans will help the company to withstand the fallout associated with the attack, allowing them to continue to run the business effectively.
To ensure the security of their data, organisations should:
Carry out risk assessments to identify potential physical risks to the data and have a plan of attack if this was to occur – it is important to understand the nature of the threat as this is often unique to the organisation. Measuring risk is a crucial step in designing a plan of action to protect the company from the threat. The organisation should understand the value of their data and what critical protections are needed to ensure the data is kept secure if subjected to a threat.
Ensure everyone knows who is responsible for the data – make a list of who has access to sensitive data and who is accountable for inputting it. This allows the organisation to identify who needs to be trained and who is at fault if something was to happen to the data. Additionally, everyone within the organisation should know who the crisis management team is as they have the authority to deal with threats quickly.
Run regular virus scans to minimise the risk of computer viruses – more than three quarters of business computers are affected by viruses. As shown by this statistic, it is extremely important to manage this risk as the result of ignorance could be catastrophic.
Implement an IT security policy – having a policy in place will allow staff to understand how data should be handled. Within this policy, organisations need to include rules on how to handle customer and business information, limitations on the amount of access employees have to data, and an acceptable use policy for internet and email.
Create a data backup routine – this will ensure the business isn’t affected if something happens to the organisation’s servers. Ideally, organisations should back up their data at least once a week.
Establish a culture of security – since employees can be the weakest link or the first line of defence in the battle, the organisation needs to couple good technical tools with a strong culture of security. This involves understanding the vulnerabilities of social media and personal emails, and establishing guidance on insider threat and rules for operating in foreign countries.
Enforce security technology measures such as scrambling – this is the process of scrambling digital data, whether it sits in software, hardware or on hard drives, so that it is unreadable to unauthorised users and hackers.
What are the effects of ignoring the need for data security?
Failing to implement data security measures can have detrimental effects on an organisation. Depending on the level of the data breach, an organisation may need to spend considerable time and resources to rectify the issue and return to operating as it did before the attack. Regardless of what an organisation does to deal with an attack, the level of trust shared with its customers may be lost. In turn, this would require further effort and investment to re-establish trust with its customer base.
Therefore, it would be beneficial for an organisation to implement and enforce rigorous security measures, both technological and cultural, when it comes to dealing with its data. Doing this will ensure the protection of an organisation’s most precious commodity while providing the necessary ammunition to take on the intruder should an attack occur.
It may also be beneficial to employ security experts that can rigorously test and audit the security infrastructure of the organisation. In doing so, they can provide guidance as to whether the implemented security measures are suitable and recommend best practice solutions that can increase the level of security to protect the organisation.
Lui, S., BYOD exceptions expose Aussie organisations to data security vulnerabilities: Acronis, July 2013
How security breaches occur, 2013
Wainewright, P., 5 practical steps to keep your data secure in the cloud, June 2011
Woodrow, F., How prepared is your company for a cyber-attack?, June 2013
1.5 million account number hacked after Visa and MasterCard data theft, April 2012
George, J., LivingSocial’s site hacked, data stolen, April 2013
Reuters, LinkedIn hacked, data breached, June 2012