Over the last decade, attackers have found ever more ways to exploit IT vulnerabilities. Not only individuals but also companies now work entirely digitally. That makes companies attractive targets for cybercrime: nobody needs to break into a physical office anymore to steal sensitive data. System administrators continuously take measures to secure company data, but the risk-aware behaviour of your employees is just as important. Below you will find six practical tips to prevent data breaches.
Year after year it turns out that not the technology but the human factor is the most important cause of data breaches. Necessary security updates are not installed, sensitive documents are taken home, passwords are sent by e-mail, and (malicious) attachments are opened without a second thought. Almost weekly we read about company and personal data being exposed, and lately more and more often about ransomware that shuts down entire (digital) infrastructures, after which the attackers demand millions before they release the data they hold hostage.
In 2017, exploiting known vulnerabilities in commonly used software hardly requires any technical knowledge anymore; ready-made exploits are on the internet if you know where to look. A further advantage for cyber criminals is that sensitive personal data is increasingly concentrated within organizations. Once they find a way in, for example via an employee who reuses a password, they can cause a great deal of damage to the company with little effort.
Fortunately, there are many ways to reduce the risks and to protect your company from ransomware and data breaches. You can start applying the tips below today to prevent data breaches at your organization.
1. Create security awareness
Preventing doomsday scenarios starts with creating security awareness. Sensitive data of companies and individuals often turns out to be insufficiently secured, and every (connected) device within the organization is a security risk. This ranges from laptops and smartphones that are used for both business and private purposes to security cameras and hard drives that can be operated over the internet.
Employees need to be aware of these risks. Every time data is copied to a USB stick, and every laptop or mobile phone that is not properly secured, creates a risk. Each unsecured device is a vulnerability in the organization that a cyber criminal can conveniently use as a way in.
2. Keep training your employees regularly
Creating awareness is the first step towards improving your organization's security from the inside and preventing data breaches. Securing devices and data should preferably become routine, rather than something imposed by the IT department.
Regular training is essential to keep employees aware of the importance of information security. Teach them, for example, how to recognize phishing and malicious attachments; this prevents data loss and the cost of restoring a locked or infected computer. Also show them how cyber criminals work and which do's and don'ts help prevent a digital break-in. In our Security Awareness Library you will find the key subjects that strengthen risk-aware behaviour within your organization.
3. Make agreements
Everyone within the organization is a security risk. It is therefore important to review everyone's access and check whether certain users have too many (or too few) rights. Next, make agreements about how company data is handled and document them clearly. For example:
4. Make security and monitoring a priority
Clear agreements within the organization about handling company data already help a lot. A solid foundation is also a must, however, which means making security and monitoring a priority. In principle every business device, including the personal laptop and phone an employee uses for work, should carry proper security measures or software: from an up-to-date virus scanner and firewall to a hard-to-guess password and full-disk encryption (with a tool like BitLocker).
In addition, all accounts and login credentials that are used in a business context should be sufficiently secured. Two-step authentication, for example on your business e-mail account, ensures that an attacker who has obtained a password still does not have enough to get in. Also be critical of the password policy within the organization: each account should have a unique, hard-to-guess password, because a password that is reused across services is compromised everywhere as soon as one of those services leaks it. If your employees find it hard to remember all these different login credentials, consider a password manager such as 1Password, which gives them access in a safe and easy way.
Active monitoring is a task for the organization's security team. Its advantage over purely automated monitoring is that an analyst does not only look for known patterns but also for unknown devices and IP addresses. All unusual or unknown behaviour is reported and investigated so that misuse can be stopped early.
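The two kinds of monitoring distinguished above, pattern-based and baseline-based, as an added example that is not part of the original article: a small Python analyser run over constructed log lines. The log format, the user and device names, the address ranges and the threshold of three failures are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Format of the constructed log lines below (hypothetical, not a real product's format):
# <timestamp> user=<name> ip=<address> device=<hostname> result=success|failure
LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) device=(?P<device>\S+) result=(?P<result>\S+)"
)

# Constructed baseline: the devices each employee normally uses and the address ranges the
# company expects logins from (office LAN and VPN pool). In practice this comes from the
# asset inventory and from historical logs.
KNOWN_DEVICES = {
    "alice": {"LAPTOP-ALICE"},
    "bob": {"LAPTOP-BOB", "PHONE-BOB"},
}
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample log; the public addresses are from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2017-05-03T08:12:44Z user=alice ip=10.0.4.21 device=LAPTOP-ALICE result=success
2017-05-03T08:13:02Z user=bob ip=192.168.50.7 device=PHONE-BOB result=success
2017-05-03T21:40:11Z user=alice ip=203.0.113.45 device=DESKTOP-7Q2K1 result=success
2017-05-03T22:01:19Z user=bob ip=198.51.100.9 device=LAPTOP-BOB result=failure
2017-05-03T22:01:23Z user=bob ip=198.51.100.9 device=LAPTOP-BOB result=failure
2017-05-03T22:01:28Z user=bob ip=198.51.100.9 device=LAPTOP-BOB result=failure
2017-05-03T22:01:41Z user=bob ip=198.51.100.9 device=LAPTOP-BOB result=success
"""


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(lines, known_devices, known_networks, failure_threshold=3):
    """Return (timestamp, user, reason, detail) tuples.

    Pattern-based finding: a burst of failed logins from one address (password guessing).
    Baseline-based findings: a successful login from a network the company does not own, or
    from a device not on record for that user (a user with no record at all is always flagged).
    """
    alerts = []
    failures_by_ip = Counter()
    first_failure_ts = {}
    for ev in parse(lines):
        if ev["result"] != "success":
            failures_by_ip[ev["ip"]] += 1
            first_failure_ts.setdefault(ev["ip"], ev["ts"])
            continue
        ip = ipaddress.ip_address(ev["ip"])
        if not any(ip in net for net in known_networks):
            alerts.append((ev["ts"], ev["user"], "unknown-ip", ev["ip"]))
        if ev["device"] not in known_devices.get(ev["user"], set()):
            alerts.append((ev["ts"], ev["user"], "unknown-device", ev["device"]))
    for ip, n in failures_by_ip.items():
        if n >= failure_threshold:
            alerts.append((first_failure_ts[ip], "-", "failed-login-burst", f"{n} failures from {ip}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason, detail in analyse(SAMPLE_LOG.splitlines(), KNOWN_DEVICES, KNOWN_NETWORKS):
        print(f"{ts} {reason:<20} user={user} {detail}")
```

On the sample data the analyser raises four findings: alice's evening login from an unknown address on an unknown device (two findings), bob's eventual success from the address that just produced the failure burst, and the burst itself. The last two together are the pattern a human analyst would chase first.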
5. Make back-ups regularly
Several companies that suffered a ransomware attack decided to pay the ransom to regain access to their data. The police advise victims not to pay, because paying funds cybercrime and, besides, you do not always get your files back. There is definitely something to be said for this, even though you know for sure you will get nothing back if you do not pay.
The best thing you can do is to plan good, regular back-ups. This way you prevent data loss, because after an attack you can restore a copy from before the infection. Keep in mind that ransomware also encrypts or deletes any back-up it can reach, so keep at least one copy offline or otherwise disconnected from the network, and test your restores regularly: a back-up that has never been restored is a hope, not a plan. Better safe than sorry; back-ups can save your company a lot of suffering once things go wrong.
6. Be critical of cloud services
Back-ups can be stored locally, but nowadays there is also the cloud. There are many cloud services, and it is important to examine how the service you use handles company data and privacy. Dropbox and Google Drive, for instance, are American services that store data on servers in the U.S., where different rules apply than in Europe. How is data in the cloud secured? Is encryption used, and are the privacy and security rules for data in the cloud met? These are questions to which not every company has an answer.