8 Steps to Data Security
Data Security is in the news in some fashion each and every day. From the infamous Equifax breach, to the recently reported Facebook data harvesting, there are an ever-increasing number of new ways to gain access to your information. Humans have moved ahead of machines as targets for cyber crimes. Ransomware has seen a 15-fold increase over the past two years. Cybercrime damage costs an average of $1800 per seat.
While you noodle those stats around, I want you to focus on something. Humans are the targets, not computers, and the highest increase in attack type is ransomware, which typically requires a human to start the attack.
Is there a solution to Data Security?
Yes… and no. There is no single solution to prevent cybercrime and preserve data security. There are, however, a few simple steps you can take to help prevent your organization from being a target.
Data Security should always start with training employees. Talk about data security and which parts of your organization’s data are considered confidential. Implement policy that defines how this data should be handled, accessed, and distributed. Talk about what attacks can look like. Don’t forget that employees have lives outside of your business. Address their concerns for online safety at home too. Plan and institute Security Awareness Training a few times a year.
Passwords and Two Factor Authentication (2FA)
Having a password isn’t enough anymore. Be sure to use 2FA, so that when you access an account, it can send a code to one of your devices to confirm it is you. 2FA is especially important for banking, ecommerce and other fiduciary oversight. But don’t stop there. A Facebook, personal email, or Amazon account may seem non-critical, but the data obtained by compromising one of those accounts could be used to gain access to far more sensitive sites. Most web services now offer 2FA as an optional service; just turn it on.
Mobile Device Policies
It’s great that your organization allows you to use your personal phone, tablet or laptop for work. What happens if that device is lost, stolen, or sold and the organization’s data is still on it? Having the ability to wipe it remotely is a good start. Knowing and controlling what was on the device is better. Having the device encrypted and its data unusable without a password and 2FA is best.
Seems like common sense, but there are places you forget you need it. Think about your mobile devices and out of the way systems that run things like HVAC, and internal cameras. Keep all devices up to date with current software versions and good endpoint protection. That protection may be in the form of anti-virus, network protection, or embedded threat intelligence.
Combine email filtering via an anti-spam system with employees who have been trained to spot phishing and other email-based attacks. Have a product in place that can educate, provide ongoing defense, and meet regulatory compliance requirements.
Backup & Data Recovery
Having a good backup is essential to any organization. Simple data backup is better than nothing. Having a snapshot of your server(s) and your data is better. Having a product that continually backs up your data and is able to spin your organization back up any time, anywhere, at a few moments’ notice is best.
Secure Your Wifi
Secure WiFi access to prevent people outside the organization from getting access to your data. Use the highest encryption and strong passwords, and implement Guest WiFi to give guests and personal devices access to the internet, but not to the organization’s internal network. Never use open WiFi without a VPN.
Secure Your Network
Everyone secures their network with passwords. Not everyone limits access to files and network services to those who really need it. Audit the network often and remove rights to services and files that users do not need.
With the huge increase in remote work, companies will have to adjust in various ways to avoid cyber security risks or interruptions to business. Remote workers have different security controls and needs. Normal business security controls may be ineffective when employees head home, especially if they are using their personal equipment. Here are all the things we normally recommend, which in this case are fully supported by the Cybersecurity and Infrastructure Security Agency (CISA) and the CDC.
CISA released an alert to encourage organizations to adopt a heightened state of cyber security. According to CISA, remote work options require a VPN solution to connect employees to an organization’s network. CISA encourages organizations to review the following recommendations when considering alternate workplace options:
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.
- Alert employees to an expected increase in phishing attempts.
- Ensure IT Policies get put into place or followed for: Telework, Remote Access, and Bring Your Own Device (BYOD).
- Implement Multi Factor Authentication.
- Alert employees to contact IT to report incidents, phishing, malware, and other cyber security concerns.
The CDC has released some best practices for a disease outbreak plan where telework is concerned:
- Review human resources policies to make sure that policies and practices are consistent with public health recommendations and are consistent with existing state and federal workplace laws.
- Explore whether you can establish policies and practices, such as flexible work sites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others if state and local health authorities recommend the use of social distancing strategies.
- For employees who are able to telework, supervisors should encourage employees to telework instead of coming into the workplace until symptoms are completely resolved.
- Check with your IT provider to ensure that you have the technology and infrastructure needed to support multiple employees who may be able to work from home.
In addition, we here at 3rd Element are recommending the following best practices and advice for how businesses can remain secure through potential remote work scenarios.
- Use a Secure WiFi Network. Keep a strong password on your home WiFi. DO NOT use public WiFi. If you send your data through an unsecured WiFi connection, you lose the power of privacy, making it possible for cyber criminals to intercept your data. You ARE putting personal information at risk if you are accessing your email account or sending sensitive data over a public WiFi network.
- It’s essential to ensure your network is secure through the use of a VPN (or the icon we have provided to you), a strong password that isn’t easily cracked, and multi factor authentication.
- Secure Your Home Workstation: Ensure you have fully patched and updated anti-virus and anti-malware software. It’s important to follow the same best practices you would as if you were in the office, and report any suspicious activity or concerns to 3rd Element. When something happens, we care about getting it corrected and secured first and foremost.
- Do not wait until the last day or hours before you need something to first start reporting it, especially during a crisis. Plan ahead.
As we move into the new normal, don’t hesitate to call, send an email or even just come hang out with us Wednesdays for virtual happy hour. We’re in this together.