In our last blog post, we spoke about how the most valuable tool in a hacker’s kit isn’t any line of code — it’s your employees. Social engineering is the easiest way for a hacker to get in. Since most businesses maintain and store personal data about both employees and customers, and that data is often accessible to employees at varying levels within the organization, it’s important to implement best practices for data handling in order to prevent hackers from gaining access through them.
A report published by Intel Security suggests that 43% of all data breaches are caused by users. By training your users on how to properly handle digital data, your business can become proactive in its fight to defend your customers’ personally identifiable information (PII) from prying eyes.
Make sure to train your employees on the data security safeguards put in place by your IT staff. This can help to prevent an unintentional data breach. While problems like ransomware and malware loom large in the media coverage of cyber attacks, it’s usually social engineering that tricks employees into handing over confidential data to scammers.
“The weakest point in any security program is people; namely, the insider. Insider threats can be malicious; but more commonly, they are accidental,” writes Philip Casesa in the white paper Securing the Weakest Links: Insiders. “Insiders can have ill intent, they can also be manipulated or exploited, or they can simply make a mistake and email a spreadsheet full of client information to the wrong email address.”
Many businesses have taken full advantage of cloud-based file sharing services such as Box, ShareFile and Tresorit. Storing your data in the cloud can provide your organization with the advantage of being able to share data and collaborate instantaneously. By using secure file sharing services, you can exert complete control over the data your business shares with third parties. Knowing who, what, when, where and how this data is being accessed gives your organization the confidence to begin using secure file sharing services.
If you prefer not to use a third-party file sharing service, your business can set up an SFTP server, issue a certificate to trusted peers, and assign access credentials for third parties. This method ensures that the connection to your file repository is encrypted while only authorized parties have granular access to the resources that they need.
If your business uses file shares to store confidential data, it is important to ensure that only those who need access to the data have the necessary privileges to read, write or execute on the specified network paths.
As a best practice, you should never have a publicly displayed folder on a shared network drive called “HR Data”, “Human Resources Information”, “Employee Info”, or anything of the sort. If a breach were to happen, hackers would be able to spot this folder and know that this is where the valuable data resides. Always hide these folders and use Active Directory group membership as a means of delegating access to sensitive information throughout your network.
Perform a monthly audit on the accessibility of file shares in your organization to ensure that no user has access to a resource that is off limits. System administrators can write PowerShell scripts that automate the tedious task of going through and checking all of the access control lists associated with the different file shares.
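The following script is an added example of the kind of audit described in the previous two paragraphs; it is not code from the original post or from BACS. It enumerates the user-facing SMB shares on a Windows file server, walks every folder beneath them, and reports any Allow entry granted to a broad principal (Everyone, Authenticated Users, Domain Users and the like), rating the finding as High when the folder name advertises HR or similar data. The principal list, the name pattern and the report path are assumptions to adjust to your own policy, and the script assumes it runs on the file server with administrative rights and the SmbShare module (Windows Server 2012 or later).

```powershell
# Added example (not from the original post): monthly audit of NTFS permissions on
# the SMB shares of a Windows file server. Assumptions: runs on the file server
# with local administrator rights and the SmbShare module (Windows Server 2012+);
# the broad-principal list and the sensitive-name pattern are starting points
# for a policy, not a complete one.
[CmdletBinding()]
param(
    # Principals that should rarely, if ever, appear in an Allow ACE on a data share.
    [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                   'NT AUTHORITY\Authenticated Users', '*\Domain Users'),
    # Folder names that suggest HR or other sensitive data (see the naming advice above).
    [string]$SensitiveNamePattern = 'HR|Human Resources|Employee|Payroll|Personnel',
    [string]$ReportPath = "$env:TEMP\share-acl-audit-$(Get-Date -Format yyyyMMdd).csv"
)

function Get-BroadAccessFindings {
    param([string]$ShareName, [string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    # Share root plus every subfolder; SilentlyContinue so one unreadable
    # folder does not abort the whole audit.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            $matched = $BroadPrincipals | Where-Object { $identity -like $_ }
            if (-not $matched) { continue }
            # Broad access to a folder whose name advertises its contents is the worst case.
            $severity = if ($folder.Name -match $SensitiveNamePattern) { 'High' } else { 'Medium' }
            [pscustomobject]@{
                Share     = $ShareName
                Path      = $folder.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
                Severity  = $severity
            }
        }
    }
}

# Skip administrative shares (C$, ADMIN$, IPC$); audit only user-facing ones.
$findings = Get-SmbShare | Where-Object { -not $_.Special } |
    ForEach-Object { Get-BroadAccessFindings -ShareName $_.Name -Root $_.Path }

$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$findings | Sort-Object Severity, Share, Path | Format-Table -AutoSize
Write-Host ("Audit complete: {0} broad-access entries written to {1}" -f @($findings).Count, $ReportPath)
```

Schedule it as a monthly task and diff the CSV against the previous run: a new High entry means a sensitive folder has quietly become readable by everyone, which is exactly the condition the audit exists to catch. Access should then be narrowed to an Active Directory group rather than to individual users, so that the next audit has a short, explainable list of identities to review.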
When your employees send email with sensitive data to a third party, it is critical to ensure that this email is sent over a secured channel. More importantly, you may want to exert additional controls over who sees the data, how long they can view the data and what they can do with the data once they have opened the email.
Secured email services such as Mimecast, AppRiver and Barracuda have emerged to provide organizations with granular controls over emails once they have left your email domain. Also, policies and filters can be set up to alert on, block or encrypt emails that contain certain words, phrases or patterns.
For example: if you sent an email that said “SSN: 123-45-6789,” the email encryption service could detect the presence of personal information and automatically encrypt the email and provide a secure delivery portal for the recipient to review the message.
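To make the content-filter idea in the previous two paragraphs concrete, here is an added example (not code from the original post or from any of the services named) of a small policy engine run locally against constructed sample messages. It detects the SSN form from the example above and payment-card numbers validated with the Luhn checksum, then maps what it finds to the three actions the post mentions: alert, encrypt or block. The regular expressions, the action rules and the `corp.local` domain used to decide whether a recipient is external are assumptions for illustration; a real mail gateway applies the equivalent policy at the boundary.

```powershell
# Added example (not part of the original post): a minimal content filter of the
# kind the post describes, run locally against constructed sample messages.
# The patterns, the policy rules and the internal domain are assumptions.

function Test-Luhn {
    # Mod-10 checksum used by payment card numbers; filters out random digit runs.
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]      # [string] first: [int][char]'1' would be 49
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-SensitiveContent {
    param([Parameter(Mandatory)][string]$Text)
    $findings = @()
    # US SSN in the 123-45-6789 form; the lookaheads exclude groups that are never issued.
    foreach ($m in [regex]::Matches($Text, '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b')) {
        $findings += [pscustomobject]@{ Type = 'SSN'; Value = $m.Value }
    }
    # 13-16 digit runs, optionally separated by spaces or hyphens, that pass Luhn.
    foreach ($m in [regex]::Matches($Text, '\b(?:\d[ -]?){12,15}\d\b')) {
        $digits = $m.Value -replace '[ -]', ''
        if (Test-Luhn $digits) {
            $findings += [pscustomobject]@{ Type = 'PaymentCard'; Value = $m.Value }
        }
    }
    return $findings
}

function Get-MailPolicyAction {
    # Maps findings to the gateway actions named in the post: alert, encrypt, block.
    param([object[]]$Findings, [switch]$ExternalRecipient)
    if (-not $Findings -or $Findings.Count -eq 0) { return 'Deliver' }
    if ($Findings.Type -contains 'PaymentCard') { return 'Block' }   # card data should not leave by mail at all
    if ($ExternalRecipient) { return 'Encrypt' }                       # SSN to an outside party: secure portal
    return 'Alert'                                                     # internal recipient: deliver but log
}

# Constructed sample messages (not real data; the card number is a public test value).
$samples = @(
    @{ To = 'vendor@example.com'; Body = 'Per your request, SSN: 123-45-6789 for the background check.' },
    @{ To = 'payroll@corp.local';  Body = 'Card on file is 4111 1111 1111 1111, exp 09/27.' },
    @{ To = 'team@corp.local';     Body = 'Lunch is at 12:30, order number 5555-1234-9876.' }
)
foreach ($s in $samples) {
    $hits   = Find-SensitiveContent -Text $s.Body
    $action = Get-MailPolicyAction -Findings $hits -ExternalRecipient:($s.To -notlike '*@corp.local')
    '{0,-8} {1,-22} {2}' -f $action, $s.To, (($hits | ForEach-Object { $_.Type }) -join ',')
}
```

The first message is encrypted because an SSN is going to an external address, the second is blocked because the digits pass the Luhn check, and the third is delivered untouched: the order number looks like a card number to a naive digit regex but fails the checksum, which is the kind of false positive that makes users route around a filter if it is not handled.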
How does a business drive home the importance of implementing proper data handling procedures?
The practices and policies surrounding the handling of sensitive data shouldn’t be an annual reminder. In fact, organizations should stress the importance of data handling procedures on a day-to-day basis. Classification levels could be created that give employees an outline of how they should handle and disseminate the data they receive in an email.
One of the best ways to get your employees to recognize the importance of data handling procedures is to print up large posters about your data handling procedures and have them posted conspicuously in common areas such as break rooms, hallways and meeting rooms. Employees won’t be able to walk to their desk without catching a reminder of how important it is to properly handle the data stored on your network.
Data handling procedures should be an integral aspect of your organization’s culture. Customer and employee data privacy should be the #1 compliance goal for your entire team. Larger enterprises will create social campaigns that help engage employees on data security awareness policies.
Ice cream socials, catered lunches, and gift cards are often provided by large organizations to help recognize outstanding employees who do whatever it takes to keep corporate data safe. Implement quarterly testing for all employees on basic information handling skills. If the collective score is above a certain percentage, you could then consider rewarding your employees for their excellence in handling sensitive data.
Rather than waiting to act until after you’ve become the victim, your organization should be proactive in ensuring that both its network and its employees are protected from cyber attacks. As they become increasingly common, a solid security system is no longer optional. BACS Consulting Group provides quality Security Services to companies both large and small, based out of the Bay Area of San Francisco, CA.
Whether you’re interested in data backup, disaster recovery, preventive security measures, or scheduling a security audit to see where your vulnerabilities lie, it’s time to give BACS a call. We’d be happy to take a look at your system and give you a security plan tailored to your unique situation and needs. We can be reached by phone at (650) 887-4601 or click the banner below to schedule your IT Security Audit today.
Published on 3rd May 2016 by James Berger.