7 Steps to Preventing a Data Breach
Data breaches are unfortunately common. In today’s increasingly digital world, more and more sensitive data is being kept online and in databases, which makes for more enticing targets for hackers. In the last few years alone, we’ve seen data breaches at Adobe, LinkedIn, eBay, Equifax, Marriott International, and dozens of others — compromising the personal information of hundreds of millions of users.
Surprisingly, the most common cause of data breaches isn’t talented hackers exploiting a system’s vulnerabilities; it’s simple human error. Organizations or individuals get lazy about security, and opportunistic attackers take advantage. The good news is that these errors are relatively easy to mitigate if you know what to look for.
1. IT Education
The more people that are accessing your systems and sharing data, the more points of vulnerability you create. It’s crucially important that every single person who interacts with your computer systems is well-educated about the most common scams, vulnerabilities, and procedures that might compromise your system.
Teach your employees to recognize phishing attacks. Google intercepts 18 million phishing emails per day, but plenty of them still get through to your inboxes, and your team needs to know how to spot them. You can even create your own phishing test email (though you probably shouldn’t promise money while doing so, as GoDaddy did recently).
Phishing isn’t the only way that attackers attempt to trick people into giving out sensitive data. Chrome notifications, verification texts, robocalls, and mobile apps can all be a source of malicious activity. Some will promise money in return, while others might instruct users to enter a verification code.
2. Security Procedures
IT security is an ongoing process and should be audited on a regular basis. Conduct regular training to keep employees up to date on the latest threats and vulnerabilities. You should also establish clear policies and procedures on acceptable use, password complexity, whether employees can install software on their own, and other rules.
Password security is particularly important, given that modern companies use dozens of password-protected software tools. An easily guessed password is one of the most important vulnerabilities to patch, and you can easily do so by implementing a company-wide password manager.
A password manager offers significant security benefits:
- Requires unique passwords for every user and every site
- Generates secure, unique passwords and saves them automatically
- Alerts you to password breaches at sites you use so you can change them
- Allows you to grant login access without sharing passwords
- Allows you to instantly revoke passwords if an employee quits, is fired, or security is breached
Of course, a password manager is only useful if everyone’s using it. Use of the password manager has to be universal and compulsory — if a single employee is using “000000” as their password and keeping it written in an Excel spreadsheet, the entire network is unsafe.
3. Remote Monitoring
You won’t always be in the office, so it’s important that you implement some sort of remote monitoring software that alerts you when the network is accessed remotely. As remote work becomes more common, you’ll have less control over the devices your employees are using to access your network. Unless you plan to buy work computers for your employees to take home, you need a tool that will let you keep an eye on any connections.
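As an added example of the kind of alert described above (not code from the original article), the following script scans constructed sshd-style auth log lines and reports every successful login whose source address is outside an assumed office range; the log format, the office network and the sample lines are all assumptions for illustration.

```python
"""Flag successful remote logins from outside the office network.

Added example, not from the original article: the log format, the
office address range and the sample lines below are assumptions.
"""
import ipaddress
import re

# Constructed sample: three accepted sshd logins plus one failed attempt.
SAMPLE_LOG = """\
Mar  3 08:12:41 fileserver sshd[2311]: Accepted password for alice from 10.20.0.15 port 52214 ssh2
Mar  3 09:47:03 fileserver sshd[2398]: Accepted publickey for bob from 203.0.113.77 port 40112 ssh2
Mar  3 09:48:10 fileserver sshd[2402]: Failed password for root from 198.51.100.9 port 41000 ssh2
Mar  3 22:03:55 fileserver sshd[2610]: Accepted password for alice from 198.51.100.9 port 41022 ssh2
"""

# Assumed office range; any other source address counts as a remote connection.
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Only successful logins are alerted on here; failed attempts are a separate signal.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def is_office_address(ip: str) -> bool:
    """True if the address falls inside an allow-listed office range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def remote_login_alerts(log_text: str) -> list[dict]:
    """Return one alert per accepted login that did not originate in the office."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and not is_office_address(m["ip"]):
            alerts.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"], "method": m["method"]})
    return alerts


if __name__ == "__main__":
    for a in remote_login_alerts(SAMPLE_LOG):
        print(f"ALERT {a['ts']}: {a['user']} logged in remotely from {a['ip']} via {a['method']}")
```

On the sample above the script raises two alerts (bob from 203.0.113.77 and alice's late-evening login from 198.51.100.9) and stays silent for the in-office login and the failed attempt.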
4. Data Backup
Backing up your data is always a good idea. Whether you use an offsite server or a cloud service, it’s important to have a redundant copy of your data in case of fire, water damage, or just accidental deletion of important information.
In addition to helping you avoid accidents, backing up data is a security concern. Many malicious hacks take the form of ransomware attacks — ransomware encrypts your data with a key known only by the attacker, who then demands a monetary payment in return for the key.
If you have a secure backup of your data, you can simply ignore ransomware demands, deleting your encrypted data and restoring it from the backup. Full data restoration is time-consuming and might require significant downtime, but it’s better than paying an astronomical sum to a cybercriminal.
5. Destroy Sensitive Data
When you need to destroy data, emptying your recycle bin is not sufficient to protect you. The data on those drives is still easily recoverable by anyone who gains access to your computers or discarded equipment, but most people don’t take the appropriate precautions to prevent that recovery.
In one experiment, data removal company Blancco purchased 159 used hard drives from eBay and other sites and found that 66 of them still had recoverable data on them. 25 of those drives held personally identifiable information like photos, birth certificates, names, email addresses, and more.
To properly delete data, the drive must be thoroughly wiped and overwritten, preferably more than once. If you’re discarding drives and want to take no chances at all, the only way to truly guarantee that the data isn’t recoverable is to physically destroy the hardware itself.
6. Keep Software Current
The longer a piece of software is on the market, the more time hackers have to find vulnerabilities. That’s why it’s so important to keep your software as up-to-date as possible. In an office that works a typical 9-5, this is a much easier undertaking. Just come in one Saturday a month to update and reboot everything.
For servers that have to be online 24 hours a day, you’ll need to develop a redundancy plan. You might outsource server traffic to a cloud service while you update your local hardware — or consider running updates overnight when traffic is low and you can afford to take half your servers offline at a time.