The consequences of a data breach can be severe – sometimes the fallout can even kill a business. How can you best prevent a breach? Here are some suggestions – following them can help improve your odds:
- Use security software on all “Computers,” of course, includes both classic computers as well as smartphones and tablets. Microsoft Windows has built-in security features (or, for some versions, available for free download), and there are many inexpensive packages that add other security capabilities. Portable devices should also have remote wipe capabilities enabled in case they are stolen or lost.
- Encrypt all sensitive information. Keep in mind that if you are unsure as to whether something needs to be encrypted, it probably does. Encryption capabilities are built in to many versions of Microsoft Windows, and there are plenty of third-party free encryption tools available as well.
- Address human risks. I will address human risks in more detail in future blog posts, but at a high level you want to make sure employees are aware that your organization is a target for hackers, that people are properly trained in cyber-hygiene and how to secure the data that they handle, and that people do not have access to sensitive data and systems to which they do not need access in order to do their jobs.
- Do not allow anyone to share credentials. The use of shared credentials not only undermines system auditability, it also increases the chances of a data leak: Employees are more likely to “go rogue” or be less than meticulous with the security of information if they use shared credentials that offer plausible deniability in the event of a data leak.
- Implement and enforce a proper password policy. Requiring complex passwords for all systems is not a proper password policy – as doing so can increase risks of a data breach by encouraging password reuse or the writing down of passwords. For more on password policies, please see my article entitled Why You Should Ignore Everything You Have Been Told About Passwords. To learn how to create strong passwords that are easy to remember please see my article: How To Create Strong Passwords That You Can Easily Remember.
- Devise social media policies, and enforce them with technology. Inappropriate social media posts can cause many problems – including leaking data directly or providing criminals with information that can be used to social engineer employees as the first step in perpetrating a data breach. Never rely on policies alone – we know how poorly saying “Don’t open attachments” works to prevent malware infections in the absence of security software.
- Address personal device risks. If people are ever going to have work data on a personal device, make sure you have a mechanism to secure that data on those devices.
- Segregate Internet access. Internet-of-Things devices should not be connected to the same networks as smartphones, laptops, or servers. Also, if you provide Internet access for employees’ personal smartphones and tablets, or for visitors to your office, implement such access via a separate network; most modern routers offer such a capability.
- Comply with all data-security regulations. If you process credit cards, for example, make sure you comply with the most recent current PCI standards. In any case, never store credit card security codes or debit card PIN numbers.
- Hire a pro. If possible, hire an information-security professional to assist with designing and implementing your approach to cybersecurity. For the same reason that people go to doctors for medical advice, lawyers for legal advice, and accountants for tax advice, you want to go to an information-security expert for information-security advice.
This post is sponsored by Microsoft Office, which, as part of its Modern Workplace series, is offering a free webcast on February 14th at 8 AM Pacific (11 AM US Eastern) entitled Cyber Security: Help Prevent a Breach. To learn more or to sign up, please click here.