Data security failures cause significant damage to a company; depending on the level of harm, they can go as far as forcing a business to close down. Non-compliance with regulations has also made data security a very big deal. It is the duty of a company’s information officer to ensure the privacy and security of the company’s customers’ information and, most importantly, of the company’s own data per se.
Contrary to the public perception, shaped by movies, that hackers are the leading cause of data breaches, the greatest threat (and the way those hackers usually get their information) is actually the employees’ unawareness. A recent study identified inadequate employee training and a lack of threat awareness as the major threat to data privacy and security.
These failures are regularly realized through the simplest of errors: an employee innocently responds to an email that claims to be verifying a username and password, or a laptop forgotten in a public place offers enough information for a major breach. Several other simple mistakes can give hackers the clue they need to reach vital information or data.
The greatest wish of any business owner, and of their customers as well, is for their data to be secure. With the increase in cybercrime and the rise of insider threats and hackers targeting your organization’s cyber security, the least you can do is to employ data security best practices to guarantee the safety of your data.
This article will share with you the ten best practices to secure your data, be it online or onsite.
1. Go Back to the Basics
If companies took care of the necessary security requirements, most data breaches would not happen. For an ideal start in securing data, it is good practice to go back to the basics and look at some of the things you take for granted.
(A) Limit the number of people with admin rights.
When there are too many individuals with admin rights, there are higher chances of a security breach. It is similar to a building with too many master keys. Before giving admin privileges to anyone, ensure that they are trustworthy. Also be ready to keep an eye on them and their activities on the company’s infrastructure.
(B) Have a Defined Measurement
Ensure that you have clear, meaningful metrics that help in assessing the state of your security over time. When attention increases – which comes with an increase in budget from the management board – responsibility increases too, which means you are teaching your managers and employees to be more accountable.
(C) Work with other Departments
Often, the security staff is not working together with the other departments of an organization, and the gap is even greater on the business side. To overcome this, make sure that security policies are adopted into business processes and operations as soon as possible, because their absence gives way to scenarios where security is breached. If you handle the situation before it becomes a problem, your organization has nothing but to gain from the increased communication as well.
2. Password Management Policies
Attacks against user credentials – such as sniffing, theft of password databases and brute force – are very powerful attack vectors, which require the enforcement of an effective password management policy. You should practice the following for efficient password management:
- Require unique passwords from users of external vendor systems, and stop accepting the same password for internal logins and for personal logins to websites.
- Don’t store passwords unless it is truly necessary, and if you still need to save one, first ensure that it is properly encrypted.
- When a third party stops collaborating with you and should no longer have access to your data, make sure any residual access they may have is removed.
- Require users to use strong passwords. This rule could require, for example, a minimum of eight alphanumeric characters.
- Check all default accounts frequently and make sure inactive accounts are disabled.
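The following is an added example, not code from the article, showing how the password rules above translate into code: the strength check mirrors the article’s "at least eight alphanumeric characters" rule, and the stored form is a salted, deliberately slow PBKDF2-HMAC-SHA256 hash rather than a reversible encryption, which is the standard way to protect a saved credential. The reuse check covers the "unique password" rule. The iteration count and the storage string format are my own assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List

# Threshold taken from the article's example rule (eight characters, alphanumeric).
MIN_LENGTH = 8


def check_password_policy(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digits")
    return problems


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Produce a storable record: algorithm, iteration count, random salt and digest.

    Storage format 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is an assumption
    made for this example. The plaintext password is never stored.
    """
    salt = os.urandom(16)  # fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown record format: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_reused(password: str, previous_hashes: List[str]) -> bool:
    """True when the candidate matches any earlier password record (uniqueness rule)."""
    return any(verify_password(password, h) for h in previous_hashes)


if __name__ == "__main__":
    record = hash_password("correct1horse", iterations=1000)  # low count only for the demo
    print(check_password_policy("abc123"))          # shorter than 8 characters
    print(verify_password("correct1horse", record))  # True
    print(is_reused("correct1horse", [record]))      # True
```

`hmac.compare_digest` is used for the comparison so that the time taken to verify does not depend on how many leading bytes of the digest match; the iteration count is stored with the record so it can be raised later for new passwords without breaking old ones.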
3. Email Authentication
Take note of all outbound and inbound mail streams and require authentication to help detect suspicious emails, including spoofed emails and spear phishing. To do this well, you can do the following:
- Incorporate inbound email verification checks for DKIM, DMARC and SPF.
- Verify outbound emails with DKIM and SPF, including delegated and parked sub-domains.
- Require verification of email at both ends using DKIM and SPF with a DMARC reject policy, or a quarantine policy for all mail streams that are managed and hosted by third parties.
- Encourage your business partners to authenticate all emails sent to your company, to reduce the chances of receiving spoofed emails and spear phishing.
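As an added example (not code from the article), the snippet below shows the receiving side of the policy just described: it reads the Authentication-Results header that a mail gateway stamps on inbound mail after evaluating SPF, DKIM and DMARC, and decides whether to deliver, reject or quarantine. A DMARC failure is rejected on streams you control end to end and quarantined on streams hosted by a third party, as the list above recommends; mail with no DMARC verdict at all is quarantined for review. The three messages are constructed for the example, the `mx.example.com` gateway name is made up, and the decision rules are an assumption about how one would implement the article’s policy.

```python
import email
import re
from email import policy as email_policy

# Constructed sample messages (documentation domains, not real mail).
PASSING_MSG = (
    "From: partner@example-partner.com\n"
    "To: ap@example.com\n"
    "Subject: Invoice 1234\n"
    "Authentication-Results: mx.example.com;\n"
    " spf=pass smtp.mailfrom=example-partner.com;\n"
    " dkim=pass header.d=example-partner.com;\n"
    " dmarc=pass header.from=example-partner.com\n"
    "\n"
    "Please find the invoice attached.\n"
)

SPOOFED_MSG = (
    "From: partner@example-partner.com\n"
    "To: ap@example.com\n"
    "Subject: Urgent: change of bank details\n"
    "Authentication-Results: mx.example.com;\n"
    " spf=fail smtp.mailfrom=evil.example;\n"
    " dkim=none;\n"
    " dmarc=fail header.from=example-partner.com\n"
    "\n"
    "Please pay this month's invoice to our new account.\n"
)

UNAUTHENTICATED_MSG = (
    "From: newsletter@example-partner.com\n"
    "To: ap@example.com\n"
    "Subject: Monthly update\n"
    "\n"
    "No Authentication-Results header was added for this message.\n"
)


def parse_authentication_results(value: str) -> dict:
    """Turn 'authserv-id; spf=pass ...; dkim=pass ...' into {'spf': 'pass', 'dkim': 'pass', ...}."""
    results = {}
    parts = re.sub(r"\s+", " ", value).split(";")
    for part in parts[1:]:  # parts[0] is the authserv-id (the gateway that did the checks)
        m = re.match(r"\s*([a-z0-9]+)=([a-z]+)", part, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def disposition(raw_message: str, third_party_hosted: bool = False) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for one inbound message."""
    msg = email.message_from_string(raw_message, policy=email_policy.default)
    header = msg.get("Authentication-Results")
    if header is None:
        return "quarantine"  # nobody authenticated this stream: hold it for review
    dmarc = parse_authentication_results(str(header)).get("dmarc", "none")
    if dmarc == "pass":
        return "deliver"
    if dmarc == "fail":
        # Reject on mail we manage end to end; quarantine on third-party hosted streams.
        return "quarantine" if third_party_hosted else "reject"
    return "quarantine"  # no DMARC verdict (e.g. sender publishes no policy)


if __name__ == "__main__":
    for name, raw in [("passing", PASSING_MSG), ("spoofed", SPOOFED_MSG), ("unauthenticated", UNAUTHENTICATED_MSG)]:
        print(name, "->", disposition(raw))
```

In production the header must be trusted only when the authserv-id is your own gateway, since an external sender can add a forged Authentication-Results header of its own; the gateway should strip any such header on ingress before adding its own.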
4. Conduct Frequent Vulnerability Tests
The point of this is to identify and thwart all potential threat vectors before they are exploited. Routinely scan your business cloud provider and check for any possible penetration point and any risk of theft or information loss.
5. Monitor Your Infrastructure
Watch over your company’s infrastructure continuously: collect and analyze all real-time network traffic, scrutinize centralized logs – which may include IDS/IPS, firewall, AV and VPN logs – with log management tools, and review network statistics. Learn what anomalous activity looks like, and investigate unusual activity accordingly.
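The following is an added example, not part of the article, of the kind of check a log management tool applies to centralized logs: it parses a handful of VPN-gateway sshd lines, counts failed logins per source address inside a sliding window, and raises an alert when the count crosses a threshold, escalating if a successful login from the same address follows the burst. The log lines, host name and addresses are constructed for the example (the addresses come from documentation ranges), and the threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (syslog-style sshd messages); not taken from a real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 vpn-gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:03 vpn-gw sshd[1202]: Failed password for invalid user root from 203.0.113.7 port 51023 ssh2
2024-03-01T09:00:05 vpn-gw sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
2024-03-01T09:00:07 vpn-gw sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
2024-03-01T09:00:09 vpn-gw sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 51026 ssh2
2024-03-01T09:00:12 vpn-gw sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
2024-03-01T09:15:00 vpn-gw sshd[1301]: Failed password for alice from 198.51.100.20 port 40001 ssh2
2024-03-01T09:16:10 vpn-gw sshd[1302]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_events(text: str) -> List[dict]:
    """Extract login outcomes from raw log text; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real pipeline would still count and archive it
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Map source IP -> alert for addresses with >= threshold failures inside the window.

    An alert is escalated (success_after_burst) when a login from that address
    succeeds after the burst, which is the case an analyst should look at first.
    """
    failures = defaultdict(list)
    alerts: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            failures[ip].append(ev["ts"])
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]  # drop old ones
            if len(failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False, "user": None})
                alert["failures"] = len(failures[ip])
        elif ip in alerts:  # Accepted login from an address already flagged
            alerts[ip]["success_after_burst"] = True
            alerts[ip]["user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

A single failed login, as in Alice's case, does not trip the detector; the point of the window is to separate a typo from a credential-guessing run, and the escalation flag is what separates a noisy scan from a probable compromise.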
6. Patch Your Security Software Regularly
Information is constantly under attack from cyber thieves, who invent new malware technologies and techniques and are always looking for any potential vulnerability in your security system. An updated and optimized security setup is only up to date for a time, not forever. To keep your security hardware and software safe, update them with all the new anti-malware patches.
7. Continually Refine any Data Breach Plan
Continuously test, develop and improve your data breach response plan. Review and improve the plan on a regular basis, based on changes in the company’s IT, the data it collects and its security posture. If your business has faced a threat recently, take the time to analyze and improve your plan, and carry out periodic tabletop exercises to test your personnel and the plan.
8. Review Server Certificates
To protect your domain from being hijacked, first review your server certificates for any vulnerability. It is advised to upgrade from DV certificates to OV or EV SSL certificates, because cyber thieves take advantage of DV (Domain Validated) SSL certificates to impersonate e-commerce websites and rob consumers. EV SSL offers the highest level of verification and authentication of a website: the provider applies a high level of assurance that the website owner is indeed who they claim to be, and the browser presents a green trust indicator to the user in the address bar.
9. Allow Only Authorized Wireless Devices
Wireless devices are a potential source of data breaches, so make sure you only authorize known wireless devices to connect to your company’s network. This may include credit card devices and point-of-sale terminals. You should also encrypt all wireless device communications, including those of printers and routers. Keep all guest network access on a separate server, and when devices connect, use strong encryption such as WPA2 with AES, or use a VPN.
10. Least User Access (LUA)
Least user access (LUA) is widely accepted as a good design principle for improving data security. LUA is a core strategy for securing components: all accounts should run with as few privileges and as few levels of access as possible. LUA helps with overall control, minimizing the damage caused by rogue employees or exposed passwords, and it also protects data from system faults and malicious behavior. For instance, a user may not be privileged to access the customer list or download payroll data, but may have permission to edit some specific files or an email campaign.
This article is written by Mike Jones. He is a professional writer and genuine techie. He is very passionate about cloud-computing and its security issues. Mike is a Boston University graduate and contributing editor for BurnWorld.