How secure is your business data?
If you’re like many CEOs and CFOs, you hope it’s safe, but you have other, more pressing issues to address. I’ve heard many business leaders explain the reasons hackers wouldn’t be interested in their data: they’re too small, they don’t handle medical records, they don’t process credit cards, or they don’t sell anything over the Internet.
Their reasons for neglecting data security may have been appropriate years ago, but they certainly aren’t applicable today. The theft of information from Ashley Madison, a site that helps people cheat on their spouses, proves that we don’t know what information a hacker might want next. It could be personal information or medical records, or it could be information that could embarrass their targets.
By simply leaking the names of Ashley Madison users, hackers have made life difficult for celebrities, politicians, business leaders, and millions of private individuals. Cyber criminals working for business competitors, some nation states, or criminal rings are looking for a variety of information, including strategic initiatives, research projects, customer names or employee information. Business size no longer matters. Everyone is a potential target.
The problem with waiting to take action until something happens is that it’s too late by then. Once someone is on your network, they can siphon your data in a matter of seconds. Some hackers even stick around for months to see how much data they can get before being detected.
So what can you do to secure your data? Here is an action list of my top five recommendations:
- Make sure both your anti-virus and anti-malware software are installed, current, and functioning. If you haven’t installed either or both, don’t delay another day; they are the minimum requirement. Without them, a hacker has an easy means of gaining access to your systems and data. Regularly update anti-virus and anti-malware software on all computers and servers on your network. When your software sends you a security alert, act on it immediately. Too many companies have lost valuable data simply because they ignored the warnings.
- Do a risk assessment to determine what data is the most sensitive and most vulnerable. Most IT departments have limited security budgets, and you want to be sure you spend the necessary time and resources to protect your most sensitive data. After conducting a risk assessment, you’ll know where to focus your IT budget and your prevention efforts.
- Conduct a vulnerability assessment. HORNE conducts assessments for its clients using its own tools, but any assessment you use should identify known vulnerabilities on servers, workstations, and network hardware. For example, some software contains bugs or malware that allow hackers to access your system. Developers send patches to fix problems like this, and your assessment should document that patches are installed quickly on all servers, workstations and network hardware. Conducting the assessment, however, is only the first step. You must also address any weaknesses the assessment uncovers. Remember that hackers are running similar scans all day, every day. It’s their job to find systems they can hack. It’s your job to keep them from hacking yours.
- Increase employee awareness about data security. In any system, humans are the greatest asset – and sometimes the weakest links. We don’t mean to be, but our behavior sometimes puts data at risk. We don’t install software patches. We don’t configure firewalls or install and update anti-virus and anti-malware software. We open emails with malware attached. We share our user names and passwords. We leave laptops and USB drives unattended, or we lose them. We allow people we don’t know access to the physical portions of our systems, like the server closet. You must educate your staff members about data security and their role in it. Data security must become part of the culture, as well as a part of training for new hires.
- Monitor vendors and partners who have access to your data. When you outsource a function like IT support or data analysis, your vendor’s security becomes your security. They are a potential threat to your security plan because you have no control over what security measures they use, how they train their staff members, how they handle employees who leave their company, or their rules for updating their systems.
Before you sign a contract, ask your vendors and partners for a SOC 2 Type 2 report outlining the security measures they take. If they can’t provide reports, ask for the right to audit their internal control environment and network security procedures. You can also request that they conduct IT security assessments and provide the results to you. The bottom line is that you must ensure that your partners are working to keep your data secure.
You can’t ignore threats to your data; they aren’t going away. In fact, they will only increase as time goes by. Make sure you’re doing everything you can to protect your data. With these five steps, you can start today!