Protecting Your Business From Data Security Threats
An FBI agent once made the unsettling observation that “the only secure computer is one that’s unplugged, locked in a safe and buried 20 feet under the ground in a secret location.” Then he added, “I’m not even too sure about that one.”
While that characterization may seem a bit hyperbolic, to a certain degree, he’s not wrong.
Technology is constantly changing how people do business by spawning new forms of communication and linkages. While those expanding connections are leading to a more efficient business community through distant and immediate collaboration, they also are opening doors for people determined to exploit emerging vulnerabilities that new technology can bring.
With an increasing reliance upon information technology, “big data” is becoming more valuable to businesses. And wherever there’s something of value, there’s someone who wants to steal it.
Technology experts say that cyber-crime has become a booming industry in recent years, with the top players infiltrating systems from the safety of their basements. Pioneering technology is a two-way street. It can build up a thriving company in the blink of an eye, but it also can bring that company down just as rapidly.
The alarming power of cyber-crime was most recently seen in the waning days of 2013, when one of Minnesota’s most iconic companies fell prey to a huge malware infiltration. While Target’s data breach resulted in the theft of credit and debit card information of up to 40 million customers—as well as the personal information of up to 70 million others—it also illustrated the ominous fragility of information security to businesses around the world.
Now companies are taking a look at their own systems to determine where their weaknesses may lie and what they need to do to avoid a breach of their own.
A Framework for Securing Information
Secure Digital Solutions offers six key steps that are critical to information security.
Classify your data
Determine what information you have—what’s public, internal-only or confidential.
Know the law
Understand and comply with the rules of your industry. Typically, major business sectors, such aas health care and the payment card industry, have special data security requirements. There also are rules that must be met by federal government contractors.
Map your architecture
Look at your web and network components—all the “moving parts” in your system—and see where your sensitive information sits.
Learn the access controls you have for employees and outside vendors—especially with mobile devices accessing data stored in the cloud.
Invest in a security operations center, inside your organization or outsourced, that does penetration testing and watches for suspicious activity. Think of it as your security cameras, only for digital intruders.
Be clear with your employees and third-party vendors about how to keep your network safe.
Who’s in danger?
Although financial institutions such as banks and credit unions remain the prime targets for cyber-criminals, anyone with something to protect is a potential victim. Retailers have customers’ credit card information, law firms have intellectual property, manufacturers have patents or trade secrets—almost all businesses have information worth stealing.
It isn’t just large companies like Target that need to worry about being cyber-victims. The major difference between large and small companies is their attack profile, says Chad Boeckmann, CEO and founder of Minneapolis-based Secure Digital Solutions, an information security and data privacy consultancy.
“Some hackers want to fly under the radar by going after 100 small companies rather than a single giant corporation,” he says. “The large attack will attract a lot of attention but the small ones may not even make the news.”
Small companies also may not have defenses as sophisticated as those at larger companies. Although businesses of any size are all potential targets, an attacker has less risk going after smaller businesses.
Small mistakes, big breaches
Jeff Olejnik, CEO and founder of Assurity River Group, which manages business information security risks, says that sometimes it’s the simplest and most easily fixable errors that provide openings for heavy data compromises.
“The most common mistakes we see are basic things like people not using strong enough passwords or not getting their systems upgraded routinely to fix program bugs,” Olejnik says. “Really, it comes down to training and employee awareness.” He contends that the importance of data security should not be left exclusively to the information technology staffers. He stresses that everyone across the company needs to understand data security issues.
It is critical for all employees to possess some general security knowledge. But Olejnik advises keeping the most essential information under the protection of selected and appropriate people. That means keeping this valuable data in a segmented network.
“If a low-level, untrained employee loses their laptop and they’ve been given access to sensitive information, they may not have that data encrypted and have just invited a hacker into the company’s system,” he says. “Keep valuable data within need-to-know networks of employees.”
Never-ending arms race
It’s a relentless struggle between developers and hackers to create technology that protects—or infiltrates—systems. For businesses, that means that security systems and anti-malware programs are continually being upgraded and changed.
One of the biggest problems, says Boeckmann, is that businesses aren’t updating their security systems as they add new technology strategies, and they’re sometimes buying new software to align with these strategies—such as more mobile engagement—that may not cover all their bases. The latter opens them up to risk without reward.
“Companies are acquiring new security systems, like a mobile security appliance, before they conduct a proper vetting process,” Boeckmann says. “Some of these systems only solve a portion of the mobile security problem and overlook other forms of penetration.” He adds, “We advise that before you acquire a new technology system to accompany your new strategy, you collectively look at your goals, objectives and the risks that taking on the new technology could bring.”
With technology changing so rapidly, companies barely have time to keep up with efficiently applying the technology, much less ensuring that it’s properly protected. In a 2013 study conducted by Secure Digital Solutions, nearly two-thirds of companies have incorporated employees’ mobile devices into the company’s network. But only half of them have actually developed a mobile security plan to protect those phones.
The same issues are occurring as cloud computing becomes more prevalent at businesses. “Cloud security is kind of like an octopus. It has a bunch of different arms that all need to be addressed,” says Boeckmann. “Before the cloud, we just had to focus on perimeter security, like firewalls that are able to control incoming and outgoing network traffic. Now, that perimeter has dissolved and is nearly transparent, so it has become more about remote access and mobility security issues.”
Boeckmann gives the example of a doctor receiving a page while he’s at a restaurant. “The doctor is now able to use his iPad to access the secure medical system, but along with that freedom there is a shift in what needs to be protected,” he says. “Companies need to develop cloud-use policies and adopt software that focuses on protecting the actual moving data rather than the perimeters and firewalls.”