It’s tempting to imagine your computer systems as airtight vaults, impenetrable and immune to cyberattacks. But this would be a risky move. In reality, IT infrastructure is more like a sponge.
All organizations absorb and retain digital data. Like a sponge, IT infrastructure is porous, often with gaping holes. Data can leak out of these holes when things don’t go according to plan: a laptop is lost or stolen, an employee falls prey to a phishing attack, or sensitive information is accidentally published online. But in today’s world, a more prevalent scenario is what happens when the sponge is squeezed — when a breach occurs — whether through a hack aided by social engineering, a phishing attack, malware, or any number of increasingly sophisticated threats that result in a damaging data leak.
Here are five ways to safeguard your organization’s data.
Always encrypt sensitive information
In March, customer information was exposed on publicly accessible webpages on Saks Fifth Avenue’s website. The data on tens of thousands of customers — including email addresses, phone numbers, and some IP addresses — were displayed. Encrypting this sensitive information from the get-go could have limited the breach.
Due to the high cost of encrypting stored data, you may decide to be selective when it comes to what data to encrypt. You’ll want to consider the data’s sensitivity, as well as the level of security controls that limit access to it. But when data moves outside your control, encryption is a must for confidential information.
A company relinquishes control of its data every time a staff member sends an email or takes a laptop, iPad, or other device out of the office. Encrypting these channels and devices protects the information they carry, so that a stolen laptop costs you only the hardware.
Take passwords with a grain of salt
In 2016, Yahoo announced two large data breaches, dating back to 2013 and 2014. In a blog post, the company’s chief security officer explained that, during the 2014 breach, hackers used forged cookies, which allowed the intruder to access user accounts without a password. The 2013 breach included stolen data, such as hashed passwords and some unencrypted security questions and answers.
User-managed passwords are the most common form of authentication and also the biggest security weakness. Not only can passwords be cracked and stolen by hackers, but they also place an inordinate level of responsibility on users, both to create sufficiently strong passwords and to not reuse them across multiple systems or online sites. As we move toward multifactor biometric verification — including fingerprint scanning — we’ll approach a stronger, enhanced form of authentication that reduces our reliance on user-managed passwords.
Monitor data diligently
Many companies implement security controls to protect their information systems but forget to monitor them. This is a big mistake, as the porous nature of network infrastructure makes data monitoring a critical step. On average, it takes companies an estimated 201 days to identify a breach, according to a study conducted by the Ponemon Institute.
Fortunately, there are numerous network monitoring tools available that can help you effectively detect breaches on critical servers and databases. Alternatively, companies can also engage third-party vendors to monitor their networks 24/7.
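As an added illustration of the monitoring step (this code is not from the article and does not represent any particular monitoring product), the following Python runs simple detection logic over a handful of constructed authentication log lines. It flags a source address that fails a configurable number of logins inside a short window, and raises a higher-severity alert if that same source then logs in successfully. The log format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (not real log data).
SAMPLE_LOG = """\
2017-06-01T09:00:01 db-01 auth: FAILED login user=admin src=203.0.113.7
2017-06-01T09:00:03 db-01 auth: FAILED login user=admin src=203.0.113.7
2017-06-01T09:00:04 db-01 auth: FAILED login user=root src=203.0.113.7
2017-06-01T09:00:06 db-01 auth: FAILED login user=admin src=203.0.113.7
2017-06-01T09:00:08 db-01 auth: FAILED login user=backup src=203.0.113.7
2017-06-01T09:00:09 db-01 auth: ACCEPTED login user=backup src=203.0.113.7
2017-06-01T09:15:00 db-01 auth: FAILED login user=alice src=198.51.100.22
2017-06-01T09:40:00 db-01 auth: ACCEPTED login user=alice src=198.51.100.22
"""

# Assumed line layout: "<timestamp> <host> auth: <FAILED|ACCEPTED> login user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for sources that fail `threshold` logins within `window`,
    plus a higher-severity alert when a flagged source later succeeds.

    Alerts are tuples: ("BRUTE_FORCE", src, ts) or
    ("SUCCESS_AFTER_FAILURES", src, user, ts).
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already over the threshold
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        # Slide the window: forget failures older than `window`.
        while q and ts - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, ts))
        elif src in flagged:
            # A success from a source that was already brute-forcing is the
            # event an analyst most needs to see.
            alerts.append(("SUCCESS_AFTER_FAILURES", src, ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The sliding window keeps the rule from firing on a user who mistypes a password a few times over a day, while still catching a burst; the "success after failures" alert is the one worth paging on, since it indicates the burst may have worked.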
Manage user access
The 2017 breach at a government cybersecurity contractor — which compromised confidential W-2 tax data, including Social Security numbers, of current and past employees — was rooted in a phishing attack.
By gaining access to high-level privileges, hackers have the ability to bypass implemented controls, making it easy to enter and manipulate the system. Phishing isn’t the only way in; hackers can also use social engineering, mining social media profiles, search engines, or previously leaked data to figure out users’ passwords and answers to security questions. Not surprisingly, stronger passwords are harder to hack. Ensure your staff use passwords that are sufficiently complex, containing letters, numbers, and special characters. An easy way to do this is to use a simple phrase — for example, “My1stDog’sName? Tipsy.”
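The two password points above (the "grain of salt" section on hashed passwords, and the complexity rule here) can be shown together in one piece of code. The following Python is an added example, not code from the article: it checks a password against the article's rule (letters, numbers and special characters) plus a minimum length, and stores passwords as salted PBKDF2-HMAC-SHA256 hashes with a fresh random salt each time, verified in constant time. The 12-character minimum, the iteration count and the storage string format are assumptions made for the example; only the standard library is used.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example (the article gives no numbers).
MIN_LENGTH = 12
DEFAULT_ITERATIONS = 600_000


def check_password_policy(password):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        problems.append("no punctuation or symbol characters")
    return problems


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Hash with PBKDF2-HMAC-SHA256 and a fresh 16-byte random salt.

    The salt is what makes two users with the same password store different
    hashes, and what defeats precomputed lookup tables.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed storage format: algorithm$iterations$salt$digest (all hex).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # The article's example passphrase, with a plain ASCII apostrophe.
    phrase = "My1stDog'sName? Tipsy."
    print("policy problems:", check_password_policy(phrase))
    record = hash_password(phrase)
    print("stored:", record)
    print("verify correct:", verify_password(phrase, record))
    print("verify wrong:  ", verify_password("My1stDog'sName? Tipsy", record))
```

Keeping the iteration count inside the stored record lets you raise it later and re-hash users on their next successful login without a migration; the constant-time comparison avoids leaking how many leading bytes of a guess matched.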
In addition, regularly review who has access to your networks and to what degree. For instance, what level of access is given to third-party vendors? Has access been terminated for staff who have left the company? As a rule of thumb, about 10 percent of user access is not managed properly — an unsafe percentage when it comes to cybersecurity.
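The access review described above can be automated as a reconciliation of the account list against the HR roster and the vendor contract register. The following Python is an added example with constructed sample data, not a tool or data from the article: it reports staff accounts with no HR record or a non-active status, vendor accounts with no contract or an expired one, and vendor accounts holding a privileged role, then computes the share of accounts flagged so it can be compared with the article's 10 percent rule of thumb. The field names, roles and dates are assumptions made for the example.

```python
from datetime import date

# Constructed sample data (not real accounts or people).
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated"}

VENDOR_CONTRACTS = {  # vendor account -> contract end date
    "acme-support": date(2017, 3, 31),
    "widgetco": date(2018, 12, 31),
}

ACCOUNTS = [
    {"user": "alice", "kind": "staff", "role": "analyst"},
    {"user": "bob", "kind": "staff", "role": "admin"},
    {"user": "carol", "kind": "staff", "role": "admin"},
    {"user": "dave", "kind": "staff", "role": "analyst"},
    {"user": "acme-support", "kind": "vendor", "role": "admin"},
    {"user": "widgetco", "kind": "vendor", "role": "readonly"},
]

PRIVILEGED_ROLES = {"admin"}
REVIEW_DATE = date(2017, 6, 1)  # assumed date the review is run


def review_access(accounts, roster, contracts, today):
    """Return (user, reason) findings for accounts that should not exist as-is."""
    findings = []
    for acct in accounts:
        user, kind, role = acct["user"], acct["kind"], acct["role"]
        if kind == "staff":
            status = roster.get(user)
            if status is None:
                findings.append((user, "no matching HR record"))
            elif status != "active":
                findings.append((user, f"HR status is {status}"))
        elif kind == "vendor":
            end = contracts.get(user)
            if end is None:
                findings.append((user, "no contract on file"))
            elif end < today:
                findings.append((user, f"contract ended {end.isoformat()}"))
            if role in PRIVILEGED_ROLES:
                # Third-party access should be scoped down, not administrative.
                findings.append((user, "vendor account holds a privileged role"))
    return findings


def unmanaged_share(accounts, findings):
    """Fraction of accounts with at least one finding."""
    flagged = {user for user, _ in findings}
    return len(flagged) / len(accounts) if accounts else 0.0


def run_review():
    """Convenience wrapper over the constructed sample data."""
    findings = review_access(ACCOUNTS, HR_ROSTER, VENDOR_CONTRACTS, REVIEW_DATE)
    return findings, unmanaged_share(ACCOUNTS, findings)


if __name__ == "__main__":
    findings, share = run_review()
    for user, reason in findings:
        print(f"{user}: {reason}")
    print(f"accounts with findings: {share:.0%}")
```

In practice the three inputs come from the directory, the HR system and procurement; running this on a schedule and treating every finding as a ticket is what turns the quarterly question "has access been terminated?" into a measurable control.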
Re-evaluate your independent testing
In March 2017, the hack of a database belonging to Dun & Bradstreet exposed more than 30 million records, including names, email addresses, and other information about employees — many of whom were executives — at private companies and government organizations.
Consistent independent testing is critical to preventing and detecting intrusions. You’ll never know how effective your security really is if you don’t have an outside party test it on a regular basis.
Companies should schedule an independent test at least once a year, but infrastructure changes or regulatory compliance standards may require more frequent testing. Supplementing an annual test with smaller-scale monthly or quarterly tests of specific areas also shortens the time it takes to find and resolve issues. By continually making improvements throughout the year, you’ll have greater confidence that your multi-tiered cybersecurity strategy is protecting your customers, your staff, and — of course — your reputation.