February 15, 2018 – SpiderOak Blog
In 2017, IBM reported that the average cost of a data breach totals $3.62 million worldwide. Large and small businesses alike can’t afford to operate without proper security measures in place. Be sure you’re taking the following precautionary steps to secure your workplace data.
Establish Clear Data Policies
Despite all the strategies hackers can use to get ahold of company data—from password hacking to viruses and malware programs—your greatest threat will always be human error. For example, an employee might fall for a phishing scam or mistakenly send sensitive information over an unencrypted connection. They might leave their account logged in when they’re away from their desk or accidentally lose a flash drive that contains trade secrets.
It’s the potential for mistakes like these that make it so important to establish clear data policies and to educate your employees about them. Be clear with your employees about why these policies are important. For example, don’t just tell them they can’t work over public Wi-Fi without connecting to a virtual private network (VPN) first. Educate them about the potential dangers so they aren’t writing it off as a silly rule. Teach your employees how to spot the signs of an attempted breach, such as a phishing scam. Let them know what to do if they receive a suspicious email or phone call and who they should report to.
Ensure that all employees are receiving this information, such as by setting up a training day rather than sending out a memo that some people might never read. Then be sure to enforce these rules. Your company’s data security depends on it.
Vet Your Vendors
One area of entry into your data systems is through the vendors you work with. A small vulnerability in their systems can mean catastrophic consequences to your data. Before choosing to work with a billing company, cloud file-sharing service, or other third-party vendor, be sure that you’ve properly investigated your options.
Talk to them about the types of security measures they have in place. Will they encrypt your data? Do they use two-factor authentication for login? Are their physical facilities secure, to mitigate the risk of their servers being compromised? What do they do to back up data in the event of a security breach or natural disaster? Questions like these can help you confidently choose a software company that will handle your data as carefully as you would.
However, software companies aren’t the only vendors to vet for security purposes. Anyone who has physical access to your building, such as utility companies or vending machine operators, should be considered just as carefully. With physical access to your building, someone could, for example, copy information from a logged-in computer to an external hard drive. You should be able to trust your vendors and their employees to take your security seriously.
Secure Your Building
As mentioned, physical access to your building poses a security threat. This doesn’t mean your whole building has to be on lockdown at all times, though. It simply means that you need to implement security procedures to keep unauthorized personnel out of areas that contain sensitive information.
Even small businesses can take little steps to secure their facility. For example, you might require employees to lock their office doors when they’re not inside to keep people from getting their hands on computers or physical files. Businesses should also have an anti-theft security system in place with cameras and alarms that will notify of break-ins or help law enforcement during an investigation.
Secure Your Computers and Devices
Any device your company owns should be equipped with proper security features. Computers and other devices should have a firewall in place and anti-virus software installed. It’s also important to keep the software up to date. Every update issued for an operating system or app is more secure than the last because the new version patches up holes that have been discovered. These holes make your computer vulnerable to hackers, but keeping things updated will help ward off these malicious attacks. If the device manufacturer no longer supports software updates for your phone, computer, or tablet, it’s time to think about upgrading.
You can also add an extra layer of security to your company devices by requiring employees to use strong passwords. Be sure to educate your employees about your password policies, such as how often to change them, if they should include a variety of numbers, letters, and symbols, and how to safely remember passwords without writing them down for someone to find.
If you have a bring your own device (BYOD) policy at your company, it’s a good idea to provide free IT support to employees. That way you can rest easy knowing devices connected to your business are up to date and less vulnerable to attack.
Encrypt Your Data
Data encryption means that while your digital data is transferring from one computer to another, the information is scrambled and encoded. Only someone with the encryption key can decode it to view the data. That means that if a hacker intercepts your data on its way to the recipient, they can’t decipher the information and use it against your company.
Though encryption might sound complicated, it isn’t difficult to take advantage of, since your computer does all the work for you. All you have to do is ensure that any sensitive company data is being sent over a secure connection. For example, your web browser creates an encrypted connection to sites that show HTTPS in the address bar rather than HTTP. Also be sure to check that any collaboration or file sharing apps your team uses support data encryption.
Encryption is especially important over public Wi-Fi. Most free Wi-Fi networks don’t encrypt data, so anyone using the network could potentially eavesdrop on what other users are up to. Without taking precautionary measures, your remote employee working in a coffee shop could be inadvertently placing trade secrets into the hands of hackers. Consider choosing one of the best VPN services, which let remote workers secure their data over public Wi-Fi by encrypting it and tunneling it through the VPN provider’s servers before it can fall into the wrong hands.
Use Reliable Password Managers
Changing passwords often is a good idea, but they can be difficult to remember. That’s where a good password manager can come in handy. However, it’s crucial that the password manager itself is secure. If someone can hack into this single account, they can get into others.
If your employees choose to use a password manager, they should only be using programs approved by your company. A secure manager should be a No Knowledge software program, which means that the information is only accessible by the user. By encrypting and decrypting your sensitive data locally, the information can’t be hacked into on the cloud storage provider’s servers. Not even the app developers would be able to see the information you’re storing.
Encryptr is a free password manager from SpiderOak that meets all the criteria stated above. It’s a smart choice for employees who only want to remember a single password.
Disable Accounts That Are No Longer in Use
Remote hackers aren’t the only types of cybercriminals businesses have to worry about. Another common way company data can fall into the wrong hands is through former employees. These situations might involve malicious attacks, such as if a former employee feels betrayed by the company that fired them. They could take trade secrets and hand them off to a competitor.
Alternatively, data might fall into the wrong hands due to an honest mistake. For example, a former employee might use the same password at their new job that they used for your business accounts. Someone who works for your competitor could get ahold of that login information and use it to easily hack into your former employee’s old accounts.
No matter how the data falls into the wrong hands, you can reduce your risk of these types of breaches by disabling employee access as soon as they leave your company. Ensure former employees no longer have access to shared documents, company email accounts, or other apps that may contain sensitive information. Also make sure to get any company devices, such as phones or laptops, back from an employee before their departure.
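One way to put the offboarding advice above into a repeatable check is to reconcile every service's list of active accounts against the current HR roster, and to flag accounts nobody has used in a long time. The script below is an added example, not SpiderOak's code; the roster and the per-service account exports are constructed sample data, and a real run would pull them from the HR system and from each vendor's admin console or API export.

```python
"""Find accounts that should have been disabled: those belonging to nobody
on the current staff roster, and those idle for longer than a threshold.

Added example. CURRENT_STAFF, ACTIVE_ACCOUNTS and TODAY are constructed
sample data standing in for an HR export and per-service account exports.
"""
from datetime import date, timedelta

# Constructed HR roster: everyone still employed as of TODAY.
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "dana@example.com"}

# Constructed per-service exports: (account, date of last use).
ACTIVE_ACCOUNTS = {
    "email": [
        ("alice@example.com", date(2018, 2, 14)),
        ("bob@example.com", date(2018, 2, 13)),
        ("carol@example.com", date(2018, 1, 30)),   # departed, still active
    ],
    "file-sharing": [
        ("alice@example.com", date(2018, 2, 10)),
        ("carol@example.com", date(2017, 12, 1)),   # departed, still active
        ("dana@example.com", date(2018, 2, 15)),
    ],
    "billing": [
        ("bob@example.com", date(2018, 2, 1)),
        ("erin@example.com", date(2017, 6, 5)),     # never on the roster
    ],
}

TODAY = date(2018, 2, 15)


def orphaned_accounts(current_staff, active_accounts):
    """Accounts active on some service but owned by nobody on the roster.

    Returns a sorted list of (service, account) pairs."""
    found = []
    for service, accounts in active_accounts.items():
        for account, _last_used in accounts:
            if account not in current_staff:
                found.append((service, account))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))


def stale_accounts(active_accounts, today, max_idle_days=90):
    """Accounts unused for more than max_idle_days, whoever owns them.

    This catches access that was never revoked even when the roster
    check is incomplete (contractors, shared mailboxes, service logins)."""
    cutoff = today - timedelta(days=max_idle_days)
    found = []
    for service, accounts in active_accounts.items():
        for account, last_used in accounts:
            if last_used < cutoff:
                found.append((service, account))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))


def offboarding_report(current_staff=CURRENT_STAFF,
                       active_accounts=ACTIVE_ACCOUNTS,
                       today=TODAY, max_idle_days=90):
    """Combine both signals into one list of accounts to disable."""
    orphaned = orphaned_accounts(current_staff, active_accounts)
    stale = stale_accounts(active_accounts, today, max_idle_days)
    return {
        "orphaned": orphaned,
        "stale": stale,
        "to_disable": sorted(set(orphaned) | set(stale),
                             key=lambda pair: (pair[1], pair[0])),
    }


if __name__ == "__main__":
    report = offboarding_report()
    for reason in ("orphaned", "stale"):
        for service, account in report[reason]:
            print(f"{reason:9} {service:13} {account}")
```

Run on a schedule, the `orphaned` list is the direct check for former employees whose access was never revoked; the `stale` list is a second net for accounts the roster comparison cannot classify. Disabling rather than deleting the flagged accounts preserves any evidence you may need later.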
Destroy Old Data
Electronic devices don’t last forever, which means that businesses often toss out old computers to make way for the latest models. However, it’s important that you dispose of old devices and the data on them properly. Otherwise, anyone who gets ahold of your old hard drives can recover the information on them.
Before you ditch your old devices, it’s a good idea to back up your files. You never know when you might need to access your company’s archives. You can back up your data on another computer or external hard drive or by using a cloud service. SpiderOak can help through our data backup services for small businesses, complete with end-to-end encryption.
Next, deauthorize the device from the accounts it was used with. For example, Microsoft Office and similar programs only allow a certain number of devices to access files under the same account. Go into your account and remove that computer from your device list. Then uninstall the program from the computer.
Finally, wipe your hard drive clean. Simply clicking “delete” doesn’t remove the files completely. Those files need to be overwritten; otherwise, any tech-savvy hacker can use a data recovery program to access that data. Some older computers can be wiped with certain programs like File Shredder for PC. Others require you to encrypt your data and then factory reset the device.
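To make concrete what "overwritten" means for a single file, the script below writes random bytes over a file's existing contents, flushes them to disk, renames the file to a random name so the original filename does not linger in the directory either, and only then unlinks it. This is an added example, not SpiderOak's code or File Shredder; the sample file it wipes is constructed in a temporary directory. It also shows the caveat behind the page's "encrypt and then factory reset" advice: on SSDs, on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, an in-place overwrite cannot promise that every earlier copy of the data is gone, so for a whole device being retired, full-disk encryption followed by a reset is the more dependable route.

```python
"""Overwrite a file's contents before deleting it.

Added example. A plain delete only removes the directory entry; the
bytes stay on disk until something reuses them. Overwriting first is
what "wiping" a file means. Caveat: SSD wear-levelling, journaling and
copy-on-write filesystems, and snapshots or backups can all keep older
copies that an in-place overwrite never touches.
"""
import os
import secrets
import tempfile

MARKER = b"TRADE SECRET: constructed sample content\n"


def overwrite_in_place(path, passes=1, chunk_size=1 << 16):
    """Overwrite every byte of the file at `path` with random data,
    `passes` times, forcing each pass out of the OS cache.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the file keeps its existing
    # blocks and we write over them rather than allocating new ones.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path, passes=1):
    """Overwrite the contents, scrub the filename, then unlink."""
    size = overwrite_in_place(path, passes)
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, anonymous)          # original name no longer in the directory
    os.unlink(anonymous)
    return size


def demo(passes=2):
    """Create a file with recognisable content, wipe it, and report what
    each stage achieved. Returns a dict of observations."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "board-minutes.txt")
        original = MARKER * 100
        with open(path, "wb") as f:
            f.write(original)

        overwritten = overwrite_in_place(path, passes)
        with open(path, "rb") as f:
            after = f.read()

        removed = secure_delete(path, passes)
        return {
            "size_preserved": overwritten == len(original) == len(after),
            "marker_gone": MARKER not in after,
            "file_removed": not os.path.exists(path),
            "dir_empty": os.listdir(workdir) == [],
            "bytes_wiped": removed,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reading the file back between the overwrite and the unlink is what lets `demo()` show that the recognisable content is gone while the file is still the same size; a recovery tool that later finds the freed blocks would see only random bytes. The `fsync` call matters: without it the overwrite can sit in memory and never reach the platter before the unlink.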
Test Your Security
It’s always a good idea to put your data security to the test to identify where vulnerabilities lie so you can make improvements before a breach occurs. You can run security tests on your own or hire a third-party agency for this specific purpose. These security testing companies mimic hacker behavior, but none of the information collected during these tests is used against you.
An example of a test they might run is called a penetration test, or a pen test. A pen test is an authorized simulated attack. For example, the testing company might employ highly skilled hackers to try breaking into your network to see if it can be done. If they’re successful, then you’ll have a better idea of what to change so that a real hacker can’t succeed.
Other tests might involve planting a tester inside the building. The tester might try to get through security, access unauthorized locations, or copy data from a company computer to an external hard drive. You might also run phishing scam tests, where the tester calls or emails an employee to try to get ahold of sensitive information. Ideally, your employees will know how to spot the signs and will report the incident.
Following the test, the security team will analyze your weaknesses and identify ways in which your company can adapt and improve.
Plan for a Breach
Nobody wants their data security compromised, but it’s less a question of if it will happen and more a question of when. Having a plan in place for how to deal with possible scenarios will help you recover from a breach faster and limit the cost of the incident. Your data breach response plan should outline detailed steps such as:
- Identifying and reporting the breach
- Validating the breach
- Managing the evidence
- Assembling your team
- Minimizing the impact
- Notifying data owners
Following a security breach, your team should review the incident and implement new security measures that will prevent the same type of thing from happening again.
There is no bullet-proof way to completely secure your data from hackers or malicious attacks, but taking the steps above will help reduce the risk of falling victim to cybercrimes. What precautions will you take to secure your workplace data?