Best practices for keeping sensitive business data secured at all times
Seemingly every day, another company is making headlines for all the wrong reasons when its internal records, including sensitive user information, is exposed by a data breach or lost due to a data disaster.
Sometimes it’s the result of a skilled and determined outsider attacker or an unavoidable natural event. But, in other cases, a simple lack of basic security protocols and recovery planning led to an expensive and embarrassing mistake.
Defend Your Data
25,575 records were lost or exposed in the average data breach event in 2019, at a cost of $3.92 million, according to IBM. That’s a 1.6% increase from 2018 and a 12% jump over the last five years. As for overall data disasters, a study by the University of Texas found that 43% of companies that suffer a catastrophic data loss will never reopen.
The list of risk factors is long and growing:
- Hackers / Cybercrime
- Poorly Trained Personnel
- Power Outages
- Industrial Espionage
- Rogue Insiders
- Natural Disasters
In 2020, the value of data and the necessity that sensitive and personally identifiable user information be securely accessible online are clear to most companies. So too is the need to ensure that data never falls into the wrong hands or is inadvertently lost. But, with the rise in managed service options for IT, how can companies be sure their technology partner is safeguarding their data?
Here are 10 data security best practices to expect from IT professionals:
1. Backup Early and Often
Backups are a vital component of a data recovery plan. Properly executed, a business that suffers a data loss can set things right rapidly and suffer a minimum of costly downtime.
With the rise in ransomware attacks (malicious software that encrypts your data and demands a ransom to unencrypt it), the need for redundant backups covering a wide period of time has grown more important. Even when the ransom is paid, the attackers don’t always free the hostage data, so it’s vital to have a backup that predates the attack.
2. Be Proactive, Not Reactive
The International Assembly of Privacy Commissioners and Data Protection Authorities promulgates standards for privacy protection. Among its foundational principles is a recommendation to take action before issues arise, not after. That’s good advice for safeguarding privacy and data in general.
So, use up-to-date network hardware, check all the settings upon installation, change all the default passwords, and install updates and patches promptly and routinely. Also, enable firewalls and virus scanners, and keep a close eye on third-party requests to access data.
3. Stay Alert for Phishing
Phony emails, fake landing pages, and even spoofed phone numbers can all be used by hackers to trick unwitting people into divulging their passwords, account numbers, or other sensitive information — which they then use to gain unauthorized access and do even more damage.
The FBI’s Internet Crime Complaint Center reported that in 2019 alone business email compromise was linked to $1.7 billion in losses. The best defense against phishing attacks is education. All personnel should be taught to spot and report suspicious messages, and if there is even the slightest doubt, don’t click anything, and try to contact the claimed sender by another means to confirm.
4. Log Everything
Moving data around entails a number of risks, but one of the advantages of a digital workflow is the ability to track and record all activity. That includes who is logging in and when, what applications are being used, and what data is being accessed, modified, or transmitted.
Keeping good logs helps security professionals discover unusual patterns of behavior and ferret out malicious actors that may be hiding under their noses — or just authorized users that aren’t adhering to best security practices.
5. Encrypt All Devices
It’s not that easy to lose a server room, but individual laptops and mobile devices are lost or stolen every day, and when there is user information and authorization credentials stored on them, the fallout can be much worse than just replacement costs.
Make sure all devices that may contain sensitive data are locked down and encrypted to prevent tampering or unauthorized access.
6. Harden Your Authentication
One of the most easily avoided data breach risk vectors is also among the most common. When users reuse the same password many times over, use weak or default passwords, or share their passwords openly, they are undermining all of an organization’s expensive and well-thought-out security measures.
Encourage everyone to use multifactor authentication (e.g. SMS confirmation, biometrics, or physical security keys in addition to the password), change passwords routinely, and use a password generator to create strong and random passwords.
7. Protect Data Centers
Modern cybercriminals do most of their dirty work over the internet, but that doesn’t mean the physical space where data is stored can be left unattended. Break-ins, though rare, do happen, and natural and man-made disasters can also occur.
Guard server rooms and facilities with security personnel, CCTV monitoring, and biometric access controls. Ensure backup power is available from an onsite generator, and closely observe environmental controls because heat and humidity rarely mix well with delicate technologies.
8. Use the Principle of Least Privilege
The goal of an effective data security framework is to provide access only to authorized users, and, importantly, only as much as access as they actually need. Too many people with high level access is a recipe for trouble.
Each new user should be given the fewest privileges necessary to perform their function. It’s much smarter to elevate their privileges if requested/required rather than immediately open up full administration control. Additionally, once access to sensitive data is no longer necessary, immediately revoke that authorization — particularly for individuals leaving the company.
9. Conduct Penetration Testing
A company’s current security protocols and data protection plans might be sufficient to thwart attackers and prevent breaches, but it’s always nicer to find out in the course of your own due diligence, instead of suffering an actual breach.
Penetration testing puts your system to the test by simulating an attack. It is useful for identifying weaknesses and vulnerabilities so that a full risk assessment can be performed and the system can be hardened.
10. Don’t Lock the Users Out
With so much focus on preventing unauthorized users, it’s sometimes forgotten that the organizations holding business data also have an obligation to ensure authorized users have uninterrupted, 24/7/365 access to their data and documentation for all networks and systems.
Network management and data safety protocols are all in place to serve the end users. The user credentialing system also requires constant monitoring to keep data where it belongs: in authorized systems, getting work done.
Don’t Wait Until Something Goes Wrong
Most business leaders (94%) report they are extremely concerned about data breaches, as reported by a 2019 Forbes poll. Yet, 76% admitted they didn’t have a robust plan in place to deal with a major data incident.
In the wake of a breach, most companies quickly try to put in place protocols and tools to prevent a recurrence, but, according to the analysts at Forbes, if just 10-20% of that post-breach budget was spent beforehand, the incident could have been avoided.
So, lock down your data, train your team to handle it with best practices, and vet your managed service provider and other third parties with access to your data to confirm they are doing the same.
D2 has been managing and protecting business data for over two decades. We rely on leading-edge technologies and the latest security best practices to safeguard sensitive information.