Summary: With data breaches on the rise, security becomes more important than ever. Is your company (unwittingly) putting your data at risk? Are you following best practices for data security? Learn 7 ways to better secure your data.
They say that “any press is good press.” But, I’d guess that any of those companies who suffered widely publicized data breaches recently would argue with that.
Does it feel like data breaches are becoming more frequent? It’s true. A recent IBM report finds a 12% year-to-year increase in security incidents. What’s worse: These breaches lead to reputation damage, lost productivity, and lost revenue.
With that in mind, let me ask you a question: Is your business data secure?
What steps are you taking to ensure that your company doesn’t make the news for a security incident? Today, let’s focus on that topic. How can you keep your business data secure? While the list could be much longer, here are 7 important tips:
1. Avoid spreadsheet overuse
Let’s start off with one of the biggest threats to data security: Spreadsheets. Many businesses put their data at risk because they rely too heavily on spreadsheets. They store critical business data in spreadsheets. Or, they export data from their business systems into spreadsheets for reporting.
Why is this such a problem? Once your data is in a spreadsheet, it’s vulnerable. What happens when a user shares that spreadsheet with other users? What happens when those users edit the data and share it with others? Soon, you have multiple versions of the same data floating around, beyond your control.
Which version is accurate? How many different spreadsheets exist? Where are they stored? Did any users make a data entry mistake, or somehow tarnish the data? There’s no way to know.
How bad is this problem? Studies have found that over 80% of spreadsheets contain critical errors. User groups now exist to warn businesses about the dangers of spreadsheets. If your company still relies heavily on spreadsheets, your data is already at risk.
2. Create password policies
End users have notoriously bad password habits. How bad? According to this annual list of the most popular passwords over the last year, “123456”, “password”, and “12345” top the charts. That’s right. It’s that bad. Without a strict password policy, your employees can unwittingly put your data at risk with weak passwords.
“One way businesses can secure their data is by taking a look at employee password habits and implementing a companywide password policy,” says Joe Siegrist, the co-founder and CEO of LastPass. “Unfortunately, many of your employees probably have pretty terrible password hygiene and are making mistakes like storing their passwords in word docs, sticky notes, sharing passwords with co-workers via email, using the same passwords for business and personal accounts and using weak, easily crackable passwords. Poor password hygiene can result in a costly data breach or hack.”
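To make the policy concrete, here is an added example of the kind of companywide password rule set the section describes; it is not code from the original post or from LastPass. The minimum length, the extra blocklist entries beyond the three passwords named above, and the check names are assumptions for illustration.

```python
"""Password-policy checker (added example, not the post's own code).

Rules applied: a minimum length, a blocklist of the most common passwords,
rejection of a common password with digits or symbols tacked on the end,
no reuse of the username, and no single-character or sequential strings.
The thresholds and the blocklist contents are assumptions.
"""
import re

# Constructed blocklist: the three passwords named in the post plus a few
# assumed entries. In production, load the full published list from a file.
COMMON_PASSWORDS = {"123456", "password", "12345", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy minimum


def _is_sequential(s: str) -> bool:
    """True when every adjacent pair of characters steps by exactly +1 or -1
    (e.g. 'abcdef' or '654321')."""
    if len(s) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def check_password(password: str, username: str = "") -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # Strip trailing digits/symbols so 'Password1!' is still caught as 'password'.
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if stem and stem != lowered and stem in COMMON_PASSWORDS:
        problems.append("is a common password with digits or symbols appended")
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(password)) == 1:
        problems.append("is a single repeated character")
    elif _is_sequential(password):
        problems.append("is a simple character sequence")
    return problems


if __name__ == "__main__":
    for candidate, user in [("123456", ""), ("Password1!", ""),
                            ("jsmith2024secret!", "jsmith"),
                            ("correct-horse-battery-staple", "jsmith")]:
        verdict = check_password(candidate, user) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The function returns every violation rather than stopping at the first, which is what a self-service password-change form needs in order to tell the user exactly what to fix.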
3. Use two-factor authentication
Now, a strict password policy helps, but it’s just one step in the process. What happens if a hacker gains access to one of your employee’s passwords? How can you protect your data?
Two-factor authentication (2FA) is a great way to combat this risk. It adds a second layer of security to your applications. Rather than identifying users with a single factor (username and password), it adds a second identification factor, usually a PIN delivered via SMS. This is a great method to add extra protection to your most sensitive data.
“Passwords remain a primary source of breaches, and will forever be that way as long as a human is required to remember something,” says Conrad Smith, CISO of Bitium. “Whether it’s a simple password guessing attack against your Twitter account or a sophisticated spear-phishing attack against executives, the impact of a successful attempt to compromise a password can be mitigated by enabling and enforcing 2FA. With 2FA, even if a password is compromised, without that other piece of information (something you have or know), the attackers cannot access the account.”
4. Monitor user workstations
Here’s another password-related problem: How will employees remember multiple, complex passwords? If you impose strict password policies, users need a way to remember their passwords.
What do they do? Many write their passwords on sticky notes and leave them on their desks, defeating the point of a password in the first place. To combat this, perform periodic security checks on your employees’ workstations.
“This helps make sure that desks aren’t security violations,” says Robert Siciliano, Security Expert with TheBestCompanys.com. “Think sticky notes with sensitive information, such as passwords, on them. Are filing cabinets locked? Are computers left on without password protection when employees are away from their desks?”
How can you enforce a strict password policy, while ensuring that users aren’t posting their passwords on their desks? Use a password manager.
“Using a password manager within your organization is an effective way to manage employee passwords and ensure that every employee is protecting your business’ sensitive information properly,” explains Siegrist. “Most password managers offer features like password generators to ensure employees are using unique passwords for each and every account and password sharing features which make it easier to share passwords within your organization. Since all employees’ passwords are stored in one secure location, it will encourage them to create unique passwords for their business and personal accounts.”
5. Hold security and awareness training
Hackers aren’t usually the biggest threat to your data security. The fact is, uninformed employees are often your biggest threat. Many don’t understand proper security habits. They don’t realize their actions put the company at risk. It will stay that way unless businesses ensure that their users understand best security practices.
“Businesses not only need to be concerned with combating the external data security threat posed by hackers and intrusions, but considerable focus and resources should also be aimed at combating the internal threat as well,” says Brian D. Kelley, Chief Information Officer at Portage County. “Employees are in fact one of the biggest data security threats. Data theft, tampering with records, and misuse of personal and business technology in the workplace are a serious and formidable threat to data security in the workplace today. Businesses need to have a strong Security Education, Training, and Awareness (SETA) program in place. Strong data security policies, enforcement, and monitoring are essential to securing data from the inside threat.”
6. Create a good rapport with end users
In some companies, there’s a disconnect between the IT department and the end users. Both sides have an “us vs. them” mentality. The users feel like IT gets in their way, and the IT department feels like users can’t be trusted. The problem is, this disconnect puts your business data at risk.
If end users don’t respect the IT department (or vice-versa), do you really think they’ll respect their security policies? No.
“Having a good rapport with your end users is vital to securing your data,” says Brad Meyer, IT Manager at TechnologyAdvice. “It doesn’t matter how many policies you may put in place–if your end users don’t respect your IT department, how are you going to truly enforce these policies and expect them to listen to you when you tell them the importance of securing their data? Once you build that rapport, your end users are much more willing to be trained and accept policies.”
7. Limit data access
Allowing too much data access is another critical security mistake businesses make. They give users access to all of their data. This opens the business up to all sorts of security risks. For instance, what happens if a user decides to copy data to a personal device and bring it home? What happens when a user accidentally deletes data, or enters new data incorrectly?
“One of the most important steps in keeping business data safe is to tightly control access to any sensitive data, and that includes administrators,” says Jon Gossels, President of SystemExperts.
“Nobody should have access without oversight and logging.
Make sure that every user has the least privileges necessary to perform their job and that every user has his own unique login credentials so that actions can be traced.
If you have computers on-site, make sure they are used only for business (e.g., don’t allow anything to be downloaded or for people to browse the Internet), and make sure you have constantly updated anti-virus software running at all times – and keep those computers isolated/segregated from any other networks or computers you may have.”
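As an added illustration of the least-privilege, unique-login and logging points above (example code, not from the original post or from SystemExperts), here is a small role-based access check in which every user has their own identity, administrators get only what their job needs, and every attempt, granted or denied, is written to an audit trail under that identity. The roles, users and data sets are constructed for the example.

```python
"""Least-privilege access check with an audit trail (added example).

Every decision is logged with the individual user's login so that actions
can be traced; no shared accounts, and a 'dba' role that can change the
schema still cannot write customer records. All roles and users below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role definitions: each role lists the (dataset, action) pairs it needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "sales_rep":  frozenset({("customers", "read")}),
    "accountant": frozenset({("customers", "read"), ("invoices", "read"), ("invoices", "write")}),
    "dba":        frozenset({("customers", "read"), ("invoices", "read"), ("schema", "write")}),
}


@dataclass
class AuditEntry:
    when: str
    user: str
    dataset: str
    action: str
    allowed: bool


@dataclass
class AccessControl:
    user_roles: Dict[str, Set[str]]                 # one login per person, never shared
    audit_log: List[AuditEntry] = field(default_factory=list)

    def is_allowed(self, user: str, dataset: str, action: str) -> bool:
        """Grant only if one of the user's roles lists exactly this (dataset, action)."""
        roles = self.user_roles.get(user, set())    # unknown user -> no roles -> denied
        return any((dataset, action) in ROLE_PERMISSIONS.get(r, frozenset()) for r in roles)

    def access(self, user: str, dataset: str, action: str) -> bool:
        """Decide, then record the decision whether or not access was granted."""
        allowed = self.is_allowed(user, dataset, action)
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user, dataset, action, allowed))
        return allowed

    def denied_attempts(self, user: str) -> List[AuditEntry]:
        """Denied attempts for one user: the first thing to review in an investigation."""
        return [e for e in self.audit_log if e.user == user and not e.allowed]


def build_demo() -> AccessControl:
    """Constructed users for the example; each has exactly the role their job needs."""
    return AccessControl({"alice": {"sales_rep"}, "bob": {"accountant"}, "dave": {"dba"}})


if __name__ == "__main__":
    ac = build_demo()
    for user, dataset, action in [("alice", "invoices", "write"), ("bob", "invoices", "write"),
                                  ("dave", "customers", "write"), ("mallory", "customers", "read")]:
        print(f"{user:8} {action:5} {dataset:10} -> {'ALLOW' if ac.access(user, dataset, action) else 'DENY'}")
    for entry in ac.audit_log:
        print(entry)
```

Logging denials as well as grants is deliberate: a run of denied attempts from one login is often the earliest sign of a compromised account or an insider probing for data outside their role.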
Summary
Now, these are just the first 7 tips to help businesses keep their data secure. I’ll be covering more tips in the next few weeks. Stay tuned!
So, what do you think? Is there anything you would add to this list? If so, please share your thoughts in the comments.