No matter what business you’re in, you undoubtedly have data that needs protecting. This is mostly a job for your IT department, but the entire organisation needs to be educated on what it means to protect data and how to avoid breaches. We caught up with two of our in-house experts to learn more about data security, the most common data security challenges, and what you and everyone within your organisation can do to protect and recover sensitive information. Read on for all of their advice, tips and scary anecdotes that will have you changing all of your passwords immediately!
What is data security?
Data security is using a particular set of techniques to secure files, databases and accounts all housed on one network. Different levels of protection are right for different kinds of data, depending on how important or sensitive that data is.
“You want a good balance of organisational security, so how people misbehave or behave, and then how technology misbehaves or behaves,” says Dougie Reid, Avado’s Data Protection Officer, and the Chief Information Security Officer at Blenheim Chalcot. “The other thing to add into the mix is what you’re trying to protect, because that will govern how strong the protection needs to be.”
Different businesses will have different reasons for how they stack up their security protocols, but making sure both the people within your organisation and the technology they are using are synced is super important.
“Even the type of mailbox you have at the front of your house is a type of data security,” says Chris Bull, IT Service Desk Manager here at Avado. “It’s so important because you can lose an entire company with poor data security.”
Why is data protection important?
Data protection is important because, as Chris said above, poor data security can lead to massive losses for an organisation. According to a report from the Ponemon Institute and IBM Security, the average cost of a data breach in 2019 was $3.92 million US dollars. Data breaches that happened at companies like Capital One and Zynga left more than 100 million customers’ accounts exposed every day. The average breach in 2019 affected more than 25,000 accounts and because you have to notify every single customer, that’s a massive PR nightmare and likely a huge hit to your trustworthiness.
It seems that every IT professional has a horror story. “When I was an outsourced engineer, I helped a solicitor’s firm revamp their whole system,” says Chris. “We moved all their data to a new, super secure server, and I stayed up until 3 a.m. to get the backup running, and the next day, they got hit with a ransomware attack.”
More on ransomware coming up, but that attack could have locked all of the firm’s files and until they paid £10 million to have them unlocked. “A breach like that attack can take a whole company down easily,” adds Chris.
Data security tips
How can you avoid data breaches and protect your organisation’s sensitive data? There are lots of best practices.
Things you should be doing on a regular basis are:
- Regularly reviewing credential requirements and policies
- Keeping track of what data you have and where it is being stored
- Regularly checking for cloud misconfigurations
- Implementing password resets often, particularly if you’re going through a data breach
Training your employees on a regular basis is also an important part of protecting your data.
“People just click on things and don’t think of it,” says Dougie. “Sometimes you just forget, you’re in a rush, and that’s what the hackers are relying on.”
For us at Avado, Chris tries to send around regular emails warning our people about things like phishing emails that we should be on the lookout for. “Education is the single most important thing because if people know what they’re looking for, they’re not going to get caught out,” he says.
Another thing we do here at Avado is regular penetration tests, where an external company comes in and looks at our infrastructure and determines where we are lacking in security. “Companies should always run regular penetration tests, even though they cost an arm and a leg. It’s like insurance,” Chris adds.
Regularly updating machines is important, as well. It’s simple, but when you get security updates, it resets your system and all the vulnerable parts of your previous system are likely no longer there. Of course, always running antivirus software in the background is essential, too.
This sounds ominous, because it is. Ransomware attacks are one of the most common threats and they can take organisations both big and small down. “You can’t prevent the ransomware attack, but you can prevent them from completely destroying an organisation by having things in place,” says Dougie.
What is ransomware?
Ransomware is a kind of malware that gets into your system, encrypts your files, and the attacker then demands a fee to restore your access to those files. They most commonly gain access to those files via a phishing scam, which often involves an email that looks normal with an unassuming attachment. When that attachment is downloaded, the ransomware is also downloaded. The worst ones might trick you into giving the malware administrative access, and when that happens, it can take over your computer and encrypt everything.
How can I avoid ransomware?
There are a few things you can do to both protect your machine and files from ransomware, and recover from an attack if it happens:
- Again, always patch and update your software. As we said above, it will minimise those vulnerabilities
- Don’t install anything or give it any kind of privileges unless you’re 100% sure you know what it is and what it’s for
- Install antivirus software and keep it running in the background, always
- Back up your files as often as you can.
Data encryption is one of the best ways to protect your data, and it’s used by majority of organisations as a key line of defence.
What is data encryption?
Data encryption is translating your data into a whole new form, like code, and only someone with a password typically called an encryption key can access it in its un-encrypted form. There are two kinds of data encryption: symmetric and asymmetric.
Symmetric encryption involves using the same password or key for both encrypting and decrypting a file. It’s faster, but the sender has to share that key with the recipient, and if you’re moving a lot of data around all the time, that means a lot of different keys. That’s where asymmetric encryption comes in. It uses an algorithm to exchange the key after your data has been encrypted.
Why is data encryption important?
Data encryption can give a whole new level of confidentiality to any data you are transferring to another network, or within your own network. It means that only the person who has both the encrypted file and the key can see the actual contents of your data, and even if someone is able to intercept your transfer, they won’t be able to extrapolate anything useful from it. Having that level of authentication and password protection means that the origin of the message can be verified, and you can also see that the contents of the message have not been changed since they were sent.
As per Chris’s horror story above, backing up your data is a must-do. It means that even if you face a breach that has wiped all of your data, you will always have a second set of everything, ready to restore.
What is data loss prevention?
Data loss prevention is a strategy an organisation takes on to make sure data can’t get lost or be accessed by unauthorised people, typically outside of the organisation. Unlike defending against attacks, data loss prevention is more like offence, setting you up with software that minimises any risk of confidential information going outside of your network. And, if you’re facing a ransomware attack, you won’t need to bend to a request for payment to return your data, because you’ll easily be able to restore it from your backups yourself.
Backing up files
“We now live in a world where Office 365 and Google G Suite and all of those cloud-based services are out there, it’s brilliant,” says Dougie. The data loss prevention benefits of these cloud-based services mean that they can host backups of your files. This provides offsite storage for your organisation, which means if your network is breached, you have those backups outside of your network. There are tons of cloud-based services that you can use to house your most sensitive data, depending on your budget and what your security needs are.
Last but not least, passwords. So many of us use the city we were born in, our birthdays, our pets’ names, all of which are easy for someone to figure out. “I think people all realise that weak passwords are so easy to crack,” says Dougie. The longer your password is, with lots of special characters and words that aren’t in the dictionary are ideal.
How to manage passwords
The most common problem people have with passwords is forgetting them, which might lead them to use something easier to remember, but that also means it’s easier to hack. That’s where a password manager, comes in. A password manager can generate random passwords for you with a mix of letters, characters and numbers, and eliminates the need to recall them all by storing them for you. Then, you can access your bank of passwords by logging in to your account. “I use LastPass to generate a 40-character password,” says Chris, and he also uses its built-in feature that updates all his passwords every 90 days.
Multi-factor authentication is yet another barrier for any account you might be using. Once you’ve typed in your password, it pings another device owned by you so you can verify that you are the one attempting to log in. “It means that if someone has your password, they still can’t get in without access to your phone,” says Chris. “I have that on every single account I have.”
If you’re able to take on all these functions, update them on a regular basis, and educate all of your employees on best practices, you’ll be well-prepared to fend off any attacks, and deal with the unfortunate ones that do make it onto your networks.
For more than 20 years, Avado have been providing professional training and qualifications that transform businesses. This month, we relaunched a tool that tests your organisation’s data literacy as part of our Data Academy. Take it now and find out how you score!