Critical steps that must be taken to ensure the security and protection of your company’s data.
A data security breach can do severe, lasting damage to a business's reputation, and the breach can originate from any part of the business, including sources that look unlikely.
Verizon's 2014 Data Breach Investigations Report, which analysed more than 100,000 breaches and security incidents over the last ten years, should make chilling reading for business owners and IT managers.
It showed the sheer scale of the risk to a company, and not only from obvious places such as public-facing web services. Personal data can leak from any department, through coding errors (Heartbleed being the prominent recent example), insider leaks and social engineering, to name just a few.
The Risks Are Everywhere
Verizon's data was collated with the help of over sixty organisations in ninety countries, including law enforcement agencies, which makes it particularly noteworthy for every business owner. There has scarcely been a week in the last year without a widely publicised data breach, whether a confirmed exploitation or simply a disclosure with a recommendation to change passwords.
Consumers, increasingly wary of the data they hand over, are re-examining which services they use and how far they trust them, because they understand what a breach would mean for them.
While brute-force attacks were the most prevalent hacking method behind breaches in 2009, by 2013 the use of stolen credentials had taken the top spot: once an attacker holds a valid username and password, no exploit is needed. Threats from external sources have risen four-fold since 2009, but businesses must still protect their sensitive data against every source of attack, internal as well as external.
Top 5 Best Practice Recommendations
This analysis leads to five best-practice recommendations for protecting a business against such breaches, which reduce not only the risk of reputational damage but also the exposure to liability, litigation and data protection fines.
1. Secure Destruction of Personal Data
While data on public-facing services is the most obviously exposed, the same care must be given to destroying any data the company no longer needs, wherever it is held.
Hard copies should be cross-cut shredded to a recognised security level, or handled by a regular paper shredding service. Electronic data should be securely wiped, using a full overwrite or the drive's built-in secure-erase command, and the wipe verified by reading the device back before it leaves the company. Legacy storage devices should be sold or donated only after such a verified wipe; anything that cannot be verifiably wiped (a failed drive, for example) should be physically destroyed.
2. Layered Encryption Mechanisms
The recent Heartbleed bug, a memory-safety flaw in OpenSSL's TLS heartbeat handling that let an attacker read chunks of server memory, including private keys and session data, should be a warning bell to each and every business owner. The weakness was not in the encryption itself but in the code around it, so the fix was to patch, reissue and revoke certificates, and reset any credentials that might have been exposed.
Review regularly exactly how personal data is encrypted, both in transit over networks and at rest, and do not rely on a single layer: TLS protects data on the wire, but sensitive fields should also be encrypted at rest with keys managed separately from the web tier, so that a compromise of one layer does not expose everything.
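As an added example of the "second layer" described above (not code from the original article), the following Go program encrypts a single sensitive record field with AES-256-GCM before it is stored, independently of whatever TLS does on the wire. The record ID is bound as associated data so a ciphertext cannot be silently moved between rows. The key, the record ID format and the sample field value are constructed for the illustration; a real deployment would fetch the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte AES-256 key for this example only. In a
// real deployment the data-encryption key lives in a KMS or HSM and is never
// embedded in source or stored beside the ciphertext.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptField seals one sensitive field with AES-256-GCM. The record ID is
// bound as associated data, so a ciphertext copied from one row to another
// fails to decrypt. Output layout: nonce || ciphertext || GCM tag.
func EncryptField(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per encryption; nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptField reverses EncryptField. Any change to the nonce, ciphertext,
// tag or record ID makes gcm.Open return an error rather than garbage.
func DecryptField(key, sealed []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed sample record: a customer's national ID held as one field.
	sealed, err := EncryptField(demoKey, []byte("AB 12 34 56 C"), "customer:1001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored:    %x\n", sealed)
	plain, err := DecryptField(demoKey, sealed, "customer:1001")
	fmt.Printf("decrypted: %q err=%v\n", plain, err)
	_, err = DecryptField(demoKey, sealed, "customer:1002") // same bytes, wrong row
	fmt.Println("wrong record:", err)
}
```

Because the data-encryption key never touches the TLS terminator, a Heartbleed-style leak of the web server's private key exposes the transport session but not the stored fields; conversely a database dump yields only sealed blobs.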
3. Password & Certificate Audit
Audit not only how well public and private servers are secured, but every external and internal system, including wireless networks, to establish the current baseline and plan improvements.
Internal password and security guidelines should be available to all employees and actively audited and monitored for compliance. Passwords should not contain dictionary words or simple variations of them (swapping letters for symbols does not help), and the policy should set a minimum length and screen new passwords against lists of known-breached passwords; a special-character rule on its own adds little. Certificates and encryption keys should be rotated on a schedule and replaced immediately after any suspected compromise, with expiry dates tracked so nothing lapses unnoticed.
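The certificate side of the audit, as an added example that is not part of the original article: a Go function that parses a PEM certificate and reports expiry, imminent expiry, an undersized RSA key or an MD5/SHA-1 signature, together with a constructed self-signed ECDSA certificate generator so the check runs offline. The thresholds (30 days, 2048 bits), the function names and the host name example.test are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AuditCertificate parses one PEM certificate and returns the findings an
// inventory scan would raise; an empty slice means the certificate passed.
func AuditCertificate(pemData []byte, now time.Time, warnWithin time.Duration) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var findings []string
	switch {
	case now.Before(cert.NotBefore):
		findings = append(findings, "not yet valid")
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < warnWithin:
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		findings = append(findings, fmt.Sprintf("expires in %d days", days))
	}
	// Signature algorithms that browsers and auditors already reject.
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	// RSA keys below 2048 bits are treated as weak; assumption used here as the threshold.
	if rsaKey, ok := cert.PublicKey.(*rsa.PublicKey); ok && rsaKey.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("weak RSA key: %d bits", rsaKey.N.BitLen()))
	}
	return findings, nil
}

// MakeTestCert builds a self-signed ECDSA P-256 certificate valid between the
// two times. It exists only so the audit can be exercised without real certificates.
func MakeTestCert(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed host name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	warn := 30 * 24 * time.Hour
	soon, _ := MakeTestCert(now.Add(-24*time.Hour), now.Add(10*24*time.Hour))
	findings, err := AuditCertificate(soon, now, warn)
	fmt.Println("renew soon:", findings, err)
	expired, _ := MakeTestCert(now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	findings, err = AuditCertificate(expired, now, warn)
	fmt.Println("expired:   ", findings, err)
}
```

Run this over every certificate in the inventory (load balancers, mail servers, internal CAs, wireless RADIUS servers) rather than only the public web tier, since a lapsed internal certificate is exactly the sort of failure the audit in this section is meant to catch.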
4. Consideration of Password Management Services
Online password management services such as LastPass are useful tools for managing many long, complicated passwords without writing them down or reusing them.
If the business operates from a single location, an offline-only password management tool may be sufficient and is more secure than an online service, because there is no hosted vault to be breached; the trade-off is that backup and synchronisation become your own responsibility.
Built-in compliance tools can audit the strength and reuse of stored passwords. A policy requiring such services to be locked or logged out when not in use is highly recommended.
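The password-policy half of the audit in section 3 and the compliance check mentioned here are the same task, so as an added example (not code from the original article or from any password manager) here is a Go checker that enforces a minimum length, the required character classes, a dictionary check that undoes common letter-for-symbol substitutions, and a comparison against a breached-password list. The policy values, the ten-word dictionary and the breach list are constructed for the illustration; a real audit loads a full word list and a large leaked-password corpus.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy is the rule set an audit tool checks each password against.
type Policy struct {
	MinLength int
	// Constructed dictionary and breach list for this example only.
	Dictionary []string
	Breached   []string
}

// DefaultPolicy returns the assumed policy used throughout the example.
func DefaultPolicy() Policy {
	return Policy{
		MinLength:  12,
		Dictionary: []string{"password", "welcome", "letmein", "admin", "company", "summer", "monkey", "dragon", "football", "qwerty"},
		Breached:   []string{"password", "123456", "qwerty", "letmein", "p@ssw0rd", "welcome1"},
	}
}

// leet maps the substitutions users make to dodge dictionary rules back to
// the letters they stand in for, so "P@ssw0rd" is treated as "password".
var leet = strings.NewReplacer("@", "a", "4", "a", "3", "e", "1", "i", "!", "i", "0", "o", "$", "s", "5", "s", "7", "t", "|", "l")

func normalise(pw string) string {
	return leet.Replace(strings.ToLower(pw))
}

// CheckPassword returns the policy rules the password fails; empty means it passed.
func CheckPassword(pw string, p Policy) []string {
	var failures []string
	if len([]rune(pw)) < p.MinLength {
		failures = append(failures, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	if !(upper && lower && digit && special) {
		failures = append(failures, "missing a character class (upper, lower, digit, special)")
	}
	// Dictionary words are matched as substrings of the de-leeted password.
	norm := normalise(pw)
	for _, w := range p.Dictionary {
		if len(w) >= 4 && strings.Contains(norm, w) {
			failures = append(failures, "contains dictionary word or variant: "+w)
			break
		}
	}
	// Breach-list entries are matched exactly, before and after normalisation.
	low := strings.ToLower(pw)
	for _, b := range p.Breached {
		if low == b || norm == normalise(b) {
			failures = append(failures, "appears in breached-password list")
			break
		}
	}
	return failures
}

// HasFailure reports whether any failure message starts with prefix.
func HasFailure(failures []string, prefix string) bool {
	for _, f := range failures {
		if strings.HasPrefix(f, prefix) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample passwords: two that satisfy a naive "special character" rule, one that is actually strong.
	for _, pw := range []string{"P@ssw0rd1!", "Summer2014", "xT9#vLq2!mRz7pW"} {
		fmt.Printf("%-18s %v\n", pw, CheckPassword(pw, DefaultPolicy()))
	}
}
```

The point of the normalisation step is that "P@ssw0rd1!" satisfies a special-character rule yet is still a dictionary word, which is why the length and breach-list checks carry more weight than character-class rules.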
5. Education of Staff
Finally, preventing data security breaches is the responsibility of every employee, and the business must make sure proper training is given.
Whether the risk is giving away personal data to a social-engineering call or leaving a corporate Twitter account poorly protected, everyone in the organisation should follow the practices the business has set.
This sponsored article was written in conjunction with Shred-It.