It seems that every week there is a news story about yet another business that has suffered a devastating security breach. This year we have seen huge names fall victim to malicious digital attacks, including Sony, British Airways and, most recently, Ashley Madison. So in this post we recap some of the most common vulnerabilities for businesses and what can be done to minimise the chance of a breach. Obviously no amount of investment in security can completely eliminate the chance of a breach, but being aware of the dangers and continually assessing and responding to new threats and risks will help to ensure your business's systems and data are safe.
Risk: Disgruntled employees
Internal attacks are among the most common attacks on businesses and their data, and they can be especially damaging when the attacker is an employee in the IT department who knows the networks and systems and holds privileged or admin account access.
Strict account management.
Ensure that there is an accurate and up-to-date database of all privileged accounts, with details about who has access to what. Ensure that all redundant accounts are terminated immediately and conduct a regular review of active accounts and access.
Record account activity.
To keep a close eye on how these accounts are being used, and to pre-emptively minimise the risk of future attacks, businesses can implement protocols and infrastructure that track the activity on these critical accounts. This kind of software can also be used to identify suspicious activity and send alerts so that you can investigate and take mitigating action early.
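As an added illustration of the two controls above (not code from the original post), the script below reviews a privileged-account inventory for leavers and dormant accounts and scans admin-activity log lines for out-of-hours logins and bulk exports. The inventory, the log format and the thresholds are all constructed for the example.

```python
from datetime import datetime

# Constructed sample data, not from the post: a privileged-account inventory
# and a few admin-activity log lines in a hypothetical key=value format.
ACCOUNTS = [
    {"user": "alice", "role": "domain-admin", "active": True, "left_company": False},
    {"user": "bob", "role": "db-admin", "active": True, "left_company": True},
    {"user": "svc-backup", "role": "server-admin", "active": True, "left_company": False},
]
LOG = """\
2015-08-20T09:12:03 user=alice action=login host=fs01
2015-08-20T23:41:17 user=bob action=login host=db01
2015-08-20T23:42:05 user=bob action=export table=customers rows=120000
2015-08-21T10:05:44 user=alice action=login host=fs01
"""
WORK_HOURS = range(8, 19)   # 08:00-18:59 counts as normal admin activity
EXPORT_ALERT_ROWS = 10000   # exports larger than this get flagged

def parse_log(text):
    """Turn each log line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def review_accounts(accounts, events):
    """Account-management checks: leavers still active, and privileged accounts
    with no recorded activity in the review window (candidates for removal)."""
    seen = {ev["user"] for ev in events}
    findings = []
    for acct in accounts:
        if acct["active"] and acct["left_company"]:
            findings.append(f"{acct['user']}: leaver still holds {acct['role']} access")
        elif acct["active"] and acct["user"] not in seen:
            findings.append(f"{acct['user']}: no activity in window, review whether still needed")
    return findings

def suspicious_activity(events):
    """Activity monitoring: out-of-hours logins and bulk data exports."""
    alerts = []
    for ev in events:
        if ev["action"] == "login" and ev["time"].hour not in WORK_HOURS:
            alerts.append(f"{ev['user']}: login at {ev['time']:%H:%M} on {ev['host']}")
        if ev["action"] == "export" and int(ev["rows"]) > EXPORT_ALERT_ROWS:
            alerts.append(f"{ev['user']}: exported {ev['rows']} rows from {ev['table']}")
    return alerts

if __name__ == "__main__":
    evs = parse_log(LOG)
    print("\n".join(review_accounts(ACCOUNTS, evs) + suspicious_activity(evs)))
```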
Risk: Careless or under-trained employees
If people in your organisation are using old or weak passwords (or not using them at all!) to secure personal devices such as smartphones and laptops, this can be just as destructive as an employee who maliciously leaks data. A lost or forgotten device could mean that unprotected access to your business's critical data falls into the wrong hands.
Ongoing training and support.
Not everyone knows how to keep themselves and their systems safe, so providing regular training and support is pivotal. Make sure your employees know how to recognise and protect themselves against criminal hacking methods such as phishing and keylogging scams.
Software can be used to enforce password strength, but often simply educating employees can help to improve defences. Promote good passwords that always contain at least one of each kind of character: an uppercase letter, a lowercase letter, a number and a symbol. Ensure that passwords are never used for more than one login and that they are changed at least every 90 days, although best practice often puts this at around 30 to 60 days. A business can help its employees keep their accounts secure with a password management system, which removes the need for users to remember multiple passwords; if you use a Mac, the Keychain feature is similar.
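The password rules above, turned into enforcement code as an added example (not from the original post): character-class checks, a reuse check against a salted, slow-hashed history of the user's previous and other-login passwords, and an age check against the 90-day limit. The salt, history and dates are constructed for the demonstration.

```python
import hashlib
import string
from datetime import date

MAX_AGE_DAYS = 90   # the post's outer limit; tighten to 30-60 if your policy requires

CHARACTER_CLASSES = {
    "uppercase letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "number": string.digits,
    "symbol": string.punctuation,
}

def fingerprint(password: str, salt: bytes) -> str:
    """Slow, salted hash so the reuse history never holds passwords in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def missing_classes(password: str) -> list:
    """Character classes the post asks for that the password lacks."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if not any(c in chars for c in password)]

def check_new_password(candidate: str, history: set, salt: bytes) -> list:
    """Problems with a proposed password: complexity and reuse.
    `history` holds fingerprints of the user's previous and other-login passwords."""
    problems = [f"missing {name}" for name in missing_classes(candidate)]
    if fingerprint(candidate, salt) in history:
        problems.append("already used for this or another login")
    return problems

def password_expired(last_changed: date, today: date) -> bool:
    """True when the current password is past the rotation limit."""
    return (today - last_changed).days > MAX_AGE_DAYS

if __name__ == "__main__":
    # Constructed demo: one user whose history holds a single earlier password.
    salt = b"per-user-salt"                  # generate randomly per user in practice
    history = {fingerprint("Summer2015!", salt)}
    print(check_new_password("summer2015", history, salt))    # missing uppercase, symbol
    print(check_new_password("Summer2015!", history, salt))   # reused
    print(check_new_password("Tr1soft#Blog", history, salt))  # no problems
    print(password_expired(date(2015, 5, 1), date(2015, 8, 21)))  # 112 days old
```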
For all businesses, encryption is not optional but a necessity for keeping your critical files and your customers' private data safe. Depending on the type and size of your business there are different levels of protection available through encryption, and at the highest level employers can implement multifactor authentication such as a card reader, fingerprint or retina scanner.
Risk: Mobile Device Access
Less than twenty years ago the only way an employee could gain access to business data was through the desktop at their office. Today it is possible, and very common, for employees to use personal computers, laptops, tablets and smartphones to access data. This creates a great deal of risk: there are more entry points and more kinds of access method, which increases your chance of a breach.
If your company takes advantage of a bring-your-own-device (BYOD) scheme, it is imperative that this is supported with a clear and detailed BYOD policy. This ensures that both the employer and the employee are clear about expectations and requirements.
Mobile Device Management (MDM) software and services.
There are a variety of tools and software available to help make the management of mobile devices easier; for example, Microsoft offer Intune, a purpose-built MDM service, for easy remote device management even without strong technical knowledge. Here at Trisoft we can also offer managed MDM services with proactive monitoring and security maintenance. These sorts of services mean that should any device become lost or stolen, any access to critical files can be immediately shut down and data can be wiped remotely. Plus, if an employee leaves the business, you have the added peace of mind that they will no longer have access to your systems regardless of which device they used to reach them.
Risk: Cloud Applications
Cloud is intended to make a business's systems more accessible and secure. However, sometimes you cannot be certain that the third-party system you are relying on is as secure as it claims. Plus, as Cloud increases the number of points that data passes through in order to reach the end user, it can also increase risk, because there are more opportunities for a breach.
Understand your policy.
Many smaller businesses, which perhaps do not have a dedicated IT professional in-house, may find themselves at a loss simply because they did not understand the level of security or protection they are paying for. It is essential that you fully understand what measures are put in place and managed by your provider, and what they will do if the worst-case scenario happens.
Several recent studies into breaches that took place during 2014 suggest that many companies are not using strong enough encryption to protect the sensitive information they store in the Cloud. To ensure your data's security, always implement strong encryption at the data level; many experts recommend AES 256-bit, which is recognised as the crypto gold standard.
Are you concerned about your business’ security infrastructure?
We can conduct a free security audit with consultation at your premises to help you understand the areas of the strength and weakness in your business.