You may have read in the news lately of massive data breaches which have put the personal information of thousands of Australians at risk.
Today, the way data is stolen is different from the idea you may have in your head. You know, the one where a shadowy man in a basement types some mysterious code into a console. Then all of a sudden he’s stealing money from bank accounts as a digital dollar counter rises on his screen.
That’s antiquated, and not at all how it works.
In 2018, where data is power and therefore data is money, attackers and malicious software such as malware and spyware are targeting vulnerable, data-heavy businesses. If your business involves collecting personal information from your clientele, then you need to be prepared at all times for an attack.
Stolen information is distributed across the deep web, where it is bought by those looking for access to private accounts, or by those running programs designed to target the most vulnerable.
With all that said, let’s talk about how data breaches happen and how to prepare for them.
Before that though, it’s important to remember:
Data Breaches Take Multiple Forms
Last year, Australian fashion retailer ShowPo had a former employee download their entire customer list and share it with a competitor. An employee of DuPont in the USA was charged with stealing trade secrets with the aim of selling them to an international competitor.
Employees at Wells Fargo Bank intentionally leaked customer information, which led to almost US$16 Billion stolen, affecting more than 12 million customers who had their identities stolen in what has been a massive example of how fragile our data protection can be.
What makes these internal breaches problematic is that once your data has been stolen it can never be recovered. If your wallet is stolen it can still be returned. This is not true for information theft, as data can be shared and replicated infinitely. This only gets worse as technology improves, allowing for larger data storage and faster transmission of data.
So, if your company possesses large amounts of data, the next question is:
Which Data Must Be Secured?
First things first, you need an audit. Ask: what data does your company hold, and where is it stored? Which staff or regulators can access it? This is vital to establish, as data comes in a multitude of forms and who owns what can be confusing.
For example, does your business own the emails downloaded onto an employee’s smartphone or tablet? It’s imperative this chain of ownership is established to legally protect you should a breach occur.
Once you’ve audited what you do and what data you have, you should implement an Information Security Risk Management Plan. This is the first step in preventing data attacks as much as possible and ensuring you can respond effectively when data attacks happen.
How Do I Secure It?
There is a lot of information out there about how to put together and manage an information security management plan. Frameworks like the Cybersecurity Framework supplied by NIST (the US National Institute of Standards and Technology) or the Australian equivalent provided by the Australian Signals Directorate offer comprehensive coverage of best practice that you can draw from based on the needs of your business. Following either framework in its entirety is probably beyond the needs of most businesses in the beginning, but you should address the key requirements, no matter your industry or size.
One of the basic requirements of an information security management plan is to profile your data as public knowledge or confidential. Things like sales brochures or product lists may not require confidentiality, but things like salary agreements certainly do. All customer data must be labelled as confidential, particularly with tough legislation passed last year. So, as a decision maker, you must identify what data is high value and which data can be shared publicly.
Another critical requirement is to decide whether any outsourcing constraints exist and whether they are relevant to your organisation. For example, do privacy obligations prevent your business from storing personal information you’ve collected in data centres outside of Australia?
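The two requirements above (label every record as public or confidential, and decide where confidential data may be stored) can be turned into a small check that runs over an exported data set before it is moved. The following is an added example, not Aurion’s code and not part of the original post; the list of personal-information field names, the region codes, the residency rule and the sample records are all constructed for illustration and are assumptions rather than anything the post specifies.

```python
"""Classify records as public or confidential and check a proposed storage
region against a data-residency policy. Deny by default: anything not
explicitly allowed is a violation to be reviewed.

Added example; field names, regions and sample data are constructed.
"""
from collections import Counter

# Field names whose presence makes a record personal information.
# Constructed list; extend it to match your own audit of what you hold.
PII_FIELDS = {
    "full_name", "email", "phone", "date_of_birth",
    "tax_file_number", "home_address", "salary",
}

# Residency policy: classification -> regions where storage is permitted.
# Constructed; the post only raises the question of offshore storage.
RESIDENCY_POLICY = {
    "public": {"AU", "US", "EU"},
    "confidential": {"AU"},
}


def classify(record: dict) -> str:
    """Return 'confidential' if the record is customer data or carries any
    populated PII field, otherwise 'public'."""
    # All customer data is confidential regardless of which fields it has.
    if str(record.get("record_type", "")).lower() == "customer":
        return "confidential"
    for field, value in record.items():
        if field.lower() in PII_FIELDS and value not in (None, ""):
            return "confidential"
    return "public"


def storage_allowed(record: dict, region: str) -> bool:
    """Allow storage only if the region is listed for the record's class."""
    return region.upper() in RESIDENCY_POLICY.get(classify(record), set())


def audit_storage(records, region: str) -> dict:
    """Summarise a data set against a target region: counts per class and the
    index/class of every record that must not be stored there."""
    counts = Counter()
    violations = []
    for idx, record in enumerate(records):
        label = classify(record)
        counts[label] += 1
        if not storage_allowed(record, region):
            violations.append((idx, label))
    return {"region": region.upper(), "counts": dict(counts),
            "violations": violations}


# Constructed sample export: a brochure entry, a customer order, a contact
# record and a salary record.
SAMPLE_RECORDS = [
    {"sku": "AU-1001", "name": "Brochure 2018", "price": 0.0},
    {"record_type": "customer", "order_id": 5512, "total": 129.95},
    {"full_name": "Jane Citizen", "email": "jane@example.com",
     "phone": "0400 000 000"},
    {"employee_id": "E042", "salary": 92000},
]

if __name__ == "__main__":
    # Three of the four records may not leave Australia under this policy.
    print(audit_storage(SAMPLE_RECORDS, "US"))
```

Run it before any migration to an offshore data centre or SaaS provider: an empty `violations` list means the export complies with the residency rule you configured, and the per-class counts give you the figures for the audit step described earlier.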
Six Steps To Take
Once you’ve decided to put together an Information Security Risk Management Plan, there are six strategies you can follow.
#1 Bring In A Cyber Expert
Educate your employees on the history of breaches by bringing in a specialist to review your processes and train your team on what not to do. The harsh reality is that even the biggest companies can, and probably will, be hacked at some point. The best thing you as a business can do is educate yourselves on recent incidents and ensure protection is in place to prevent the same.
#2 Separate Business And Personal Accounts
Ensure your business emails and your personal emails do not overlap, and ensure your staff are doing the same. That means different passwords! If a personal email account is compromised, the attacker will have no trouble accessing a business account if the passwords are the same. Safeguard what you allow to be uploaded and attached via your staff’s email, and don’t forget to encrypt!
#3 Involve Employees
Most data breaches happen by total accident. The best thing your business can do is provide on-site support and teach how data protection works, including how to encrypt files, how to generate passwords and what not to click. Limiting employee access to websites outside their job role is also helpful. An educated workforce is far and away your best defence.
#4 Increase Awareness
Instil an attitude shift. Most successful breaches use intuitive social engineering rather than brute force. It follows that scepticism and care are fundamental when dealing with, for example, random email messages. Those tasked with data theft are creative with how they access personal data. Paranoia is usually a bad trait in business, but not at all with security. Step one is strengthening passwords and enabling two-step verification for everything.
#5 Make It Feel Urgent
Often businesses do not have a process to secure their data. In addition, employees are not properly trained to protect against a breach. Some things, like encrypting email, can be automated. That being said, it’s not a waste to instil a sense of urgency about controlling the data by establishing the proper processes and training.
#6 Insert Restrictions
Businesses should constantly ensure that employees only have access to information necessary to their jobs. That means removing certain data from shared servers and limiting access to certain sites and WordPress back-ends.
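A deny-by-default permission check is the usual way to enforce “only what the job needs”, and pairing it with a review of entitlements nobody has used is how you keep that true over time rather than just on the day access was granted. The following is an added example, not Aurion’s code and not part of the original post; the role names, data sets, users and usage records are constructed assumptions.

```python
"""Least-privilege access check with an audit trail, plus a periodic review
that flags entitlements a user has not exercised so they can be removed.

Added example; roles, data sets, users and usage are constructed.
"""

# Role -> data sets that role's job needs. Anything not listed is denied,
# and an unknown role gets nothing at all.
ROLE_ACCESS = {
    "payroll_officer": {"salary_records", "tax_file_numbers"},
    "sales_rep": {"product_list", "customer_contacts"},
    "marketing": {"product_list", "website_admin"},
}


class AccessControl:
    def __init__(self, role_access: dict):
        self.role_access = role_access
        # Every refused request is kept: repeated denials for one user are
        # a signal worth a conversation, not just a closed door.
        self.denied_log = []

    def can_access(self, user: str, role: str, dataset: str) -> bool:
        """Deny by default; only a data set listed for the role is allowed."""
        allowed = dataset in self.role_access.get(role, set())
        if not allowed:
            self.denied_log.append((user, role, dataset))
        return allowed

    def unused_entitlements(self, user_roles: dict, usage: dict) -> dict:
        """For each user, list the data sets their role entitles them to but
        which they never touched in the review period. These are the first
        candidates for removal under a least-privilege review."""
        report = {}
        for user, role in user_roles.items():
            entitled = self.role_access.get(role, set())
            used = usage.get(user, set())
            stale = sorted(entitled - used)
            if stale:
                report[user] = stale
        return report


# Constructed users and the data sets each actually accessed this quarter.
USER_ROLES = {"alice": "payroll_officer", "bob": "sales_rep",
              "carol": "marketing"}
USAGE = {
    "alice": {"salary_records", "tax_file_numbers"},
    "bob": {"product_list"},
    "carol": {"product_list"},
}

if __name__ == "__main__":
    ac = AccessControl(ROLE_ACCESS)
    # A sales rep asking for salary records is refused and logged.
    print(ac.can_access("bob", "sales_rep", "salary_records"))
    print(ac.denied_log)
    # Bob never used customer_contacts and Carol never used website_admin:
    # both are entitlements to take away until the job actually needs them.
    print(ac.unused_entitlements(USER_ROLES, USAGE))
```

The same shape applies to shared file servers and to the WordPress back-end mentioned above: start from an empty grant list per role, add only what each job demonstrably needs, and run the unused-entitlement review on a schedule so access shrinks back when duties change.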
Up next, we’ll be examining how Aurion has implemented our own unique security measures. And, how we can keep your data safe!