10 Pieces of Advice That Will Help You Protect Your Data
In today’s increasingly connected world, data theft has become big business for organised crime. SMEs may feel overwhelmed at the danger posed, but small business IT support specialists can offer appropriate and affordable levels of protection for businesses who need to keep an eye on costs. That having been said, however, falling foul of the criminal’s nefarious ways can cost you dear, so knowing how to protect yourself is paramount in the digital age. As one of London’s leading cyber and data security companies we have encountered many instances where following a few simple-to-implement strategies could have saved a company from the expense, disruption and reputational damage of a data breach.
Information Security Audits
An information security audit is an exercise whereby the organisational IT infrastructure is tested for any weakness which could be targeted by unscrupulous individuals such as hackers. The audit is typically undertaken by a third party organisation, but in some circumstances an organisation with an internal IT security team may undertake an internal audit. Of course the latter is less efficient than using an external and unbiased consultancy. An InfoSec audit is a proactive and mature way to remediate any potential issues before they are exposed. Indeed within the banking industry, further to a number of high profile cyber-attacks, the regulators strongly advise banks to have regular InfoSec audits.
What would an InfoSec Audit cover?
Many vulnerabilities are not systems related but are due to the way in which individuals interact with the system. For example employees may frequently leave their PCs unlocked, or share login passwords. An audit will look at the policies, procedures and human interactions with the system.
Very often vulnerabilities occur because software is not kept up to date with the latest patches. Therefore the auditor will check that everything is up to date and that there is no unsupported software or hardware. Often an auditor will perform a thorough threat analysis which will include scanning the internet, including the dark net, to see if any organisational artefacts have been leaked. This is important as those artefacts may be used to instigate malicious attacks. The auditor will also enter into hacker forums and other chat rooms where people planning attacks on organisations meet to chat.
Part of the audit will usually include a penetration test. A penetration test will involve the auditor trying to gain access to confidential areas in the organisational systems. The penetration test is usually done in two ways; from within the network, and from outside. In the first scenario the auditor will be given access to the systems as if they were a typical employee. They will then see how far they can get from there to access areas that they are not permitted to enter. The second scenario would involve giving the penetration tester no systems access, and they would try and access from the outside.
These tests are meant to be soft to the extent that they do not actually bring any systems down, but there is a chance that the interference could cause unwanted outcomes. Therefore penetration testing typically happens outside of key business hours.
What happens after the Info Sec Audit?
Usually the organisation that has carried out the audit will pull together a report which addresses any weak areas and gives advice for remediation. This typically includes the scale of the potential risk and the likelihood of it being exploited. Some consultancies go a step further and provide high-level costs to remediate the key risk areas. The report is then circulated to senior management, or the board, who will decide which changes they will make, when, and by whom.
While you wait for the results of your InfoSec Audit, here we take a look at 10 things that will help keep your data secure whenever you’re online. Let’s get started…
1. Be careful what you type
Performing actions such as transferring money from one bank account to the next requires surprisingly little information. All that is needed is the account number, sort code and the amount that you wish to send – that’s it! Mistype one digit in any field and you can say sayonara to your hard earned cash. Best practice when sending large sums is to send a small amount first to make sure that you have the right details, then you can forward the balance once you have confirmation.
2. Mobile devices pose a threat
Businesses are increasingly adopting a Bring Your Own Device (BYOD) policy to cut hardware costs and enable staff to work from anywhere, but there are other costs to take into consideration. Sensitive data stored on mobile devices is at a greater risk of falling into the wrong hands. Make sure your business is protected against such threats by having adequate systems in place.
3. Shared admin accounts can be costly, too
Allowing multiple employees to log in via one admin account gives employees a cloak of anonymity that makes auditing all but impossible. Make sure that your business issues unique login details to anyone accessing your system.
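One concrete symptom of a shared admin account is the same username logging in from several different machines within a short period, which no single employee would normally do. The following is an added example, not code from the company behind this article: it runs over a few constructed authentication log lines (the line format, hostnames and addresses are all assumptions for the demo) and flags any account that logged in successfully from two or more source addresses inside a one-hour window. Such a check gives you a list of accounts to split into individual logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the demo; not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z LOGIN user=admin src=10.0.1.15 result=success
2024-03-04T09:03:40Z LOGIN user=admin src=10.0.1.22 result=success
2024-03-04T09:04:05Z LOGIN user=jsmith src=10.0.1.15 result=success
2024-03-04T09:30:00Z LOGIN user=admin src=10.0.1.31 result=success
2024-03-04T11:15:00Z LOGIN user=admin src=10.0.1.15 result=failure
2024-03-04T14:00:00Z LOGIN user=akhan src=10.0.1.40 result=success
2024-03-04T14:05:00Z LOGIN user=akhan src=10.0.1.40 result=success
"""

# Assumed log line layout: timestamp, LOGIN, user=..., src=..., result=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def find_shared_accounts(log_text, window=timedelta(hours=1), min_sources=2):
    """Return {user: sorted source addresses} for every account that logged in
    successfully from at least `min_sources` distinct addresses within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["result"] == "success"]
    events.sort(key=lambda e: e["ts"])

    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        # Sliding window: starting at each login, collect the source addresses
        # of every later login for the same user that falls inside the window.
        for i, start in enumerate(evs):
            srcs = {start["src"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                srcs.add(later["src"])
            if len(srcs) >= min_sources:
                flagged[user] = sorted(set(flagged.get(user, [])) | srcs)
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: logins from {len(sources)} addresses in one hour: {', '.join(sources)}")
```

Failed logins are ignored so that a mistyped password from one extra machine does not trigger the rule on its own; tighten `window` or raise `min_sources` to suit how your staff actually move between desks.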
4. Limit access
Employees chop and change positions and roles with greater frequency than ever before, and that poses a potential problem when it comes to your data. A change in project or job title may come with a change in permissions, but how often do you reassess what your staff can access? Regularly audit who has access to what and remove any permissions that are not directly related to that individual’s role in your organisation.
5. Protect wireless access
If your company has wireless capabilities available to staff, it is absolutely essential that you use a secure password (see point 7) and change it frequently. It is also advisable to have a guest access strategy in place. This will allow visitors to hop on to your network, but only allow them to use it when they actually need to, and not be able to access your data.
6. Secure mass data exits
Client data is the lifeline of many businesses, and yet there are plenty that do very little to protect the valuable property that they hold in their care. Don’t be that business! Closing mass data exits will help prevent huge data losses and can be as simple as shutting off open USB ports and restricting access to things such as private email accounts and file sharing software such as Dropbox.
7. Don’t be sloppy with your passwords
Passwords are a lot more important than many people give them credit for, and they can be the difference between keeping hackers out and letting them stroll straight into your system. Mix your passwords up with a combination of symbols, letters (both upper case and lower case) and numbers. Make sure that they are at least eight characters in length and do not contain whole words – even if they are spelt backwards.
Password managers can help you keep track of these nonsensical digits or you can even set up a formula that will help you remember them. This could start with a word that has numbers replacing some of the letters. This would then be followed by a set amount of symbols and then a string of numbers derived from something familiar, but calculated by using a square root formula or something similar.
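The rules above can be turned into a check that runs before a new password is accepted. The following is an added example written for this article, not the company's own tooling: it applies the stated rules (at least eight characters; upper case, lower case, digits and symbols; no whole dictionary word, forwards or spelt backwards) and reports which ones a candidate password fails. The small word list is a constructed stand-in; a real deployment would load a full dictionary and a list of known-breached passwords.

```python
import string

# Constructed mini dictionary for the demo; a real check would load a full word list.
DEMO_WORDS = {"password", "london", "summer", "welcome", "secret", "admin"}

SYMBOLS = set(string.punctuation)


def contains_whole_word(password, words=DEMO_WORDS):
    """True if any dictionary word appears in the password, forwards or spelt backwards."""
    lowered = password.lower()
    for w in words:
        if w in lowered or w[::-1] in lowered:
            return True
    return False


def check_password(password, words=DEMO_WORDS):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    if contains_whole_word(password, words):
        failures.append("contains a dictionary word (forwards or reversed)")
    return failures


if __name__ == "__main__":
    for candidate in ["Summer2024!", "drowssaP1!", "x7$Kq2!mN", "abc"]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'ok' if not problems else '; '.join(problems)}")
```

Note that reversing the dictionary word is what catches "drowssaP1!", which would otherwise satisfy every character-class rule while still being "password" spelt backwards.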
8. Free Wi-Fi can be costly
Accessing Wi-Fi in a coffee shop, airport or hotel can be convenient, but it can also be costly, too. You may appear to have a unique access code, such as a room number, but never assume that you are logging on to a secure network. Even if the connection is secure, bear in mind the person sitting close by with the iPhone that could be videoing your every keystroke, or the staff member with a grudge who has access to the security camera’s footage once you leave the premises.
9. Be savvy with backups
Having a solid backup policy in place is essential if you want to protect your data properly. Remember that a backup effectively overwrites previous copies of files, so make sure that you have defined the parameters within which you’d like it to operate. How far back do you need to go to restore an individual file or even a whole software suite? And, once you’ve worked that out, how long are you going to hold that data for? Your IT support company will be able to advise whether you are required by law to hold data for a defined period. All of these points should be addressed when drawing up your company’s backup policy.
10. Don’t become too reliant on the Cloud
While Cloud storage is undoubtedly one of the most convenient ways to share and save data amongst co-workers, it’s important to remember that this information can easily be deleted by mistake and that it is potentially vulnerable to both hackers and system failures. It is, therefore, vital that you perform a separate backup of all of the data you have stored in the Cloud; either to another platform, a local USB drive, or, preferably, both.