BreachExchange mailing list archives

7 Basics for Keeping Your Company's Data Safe


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 Jan 2015 19:07:14 -0700

http://www.entrepreneur.com/article/241457

Every other week there is a new high-profile data breach in the media. From
Target to Home Depot to iCloud to JPMorgan to Snapchat to the White
House—and most recently the devastating attack on Sony Pictures
Entertainment—there’s always a headline highlighting the loss of data and
breach of trust.

But that doesn’t mean your business has to be one of them and suffer the
staggering $3.5 million losses resulting from an average data breach.

Here are seven practices and products you can adopt today to stay out of
the data breach club.

1. Arm yourself for the threats within.

Data risks today don’t solely originate from malicious hackers, even if
news headlines suggest otherwise. A recent PwC study found that internal
threats and mistakes now constitute a bigger challenge to business security
than external ones, meaning that regardless of size, today’s businesses
must control not just data on storage platforms, but on employee and
business partners’ devices and accounts.

2. Get the lay of the land.

Ask yourself: “What is the most sensitive, confidential data that our
business holds, how is it handled, and who has access to it?” Create a
spreadsheet matching data types and services to the employees and business
associates who can access them. Make sure to include the two most sensitive
types of data: customer information and intellectual property.

3. Roles and permissions.

Once you’ve identified your assets, review levels of access and if they can
be regulated via policy, or, better yet, programmatically. An important
factor to consider is whether your content management platform of choice
allows the depth of control administrators need to set roles for each
specific use case within the company. It’s important that these are
refined, limiting access and edit of important data to authorized staff.

4. Learn your weaknesses.

Most people reuse the same password across services, including work-related
programs. When a big retailer or service provider is breached, there is a
very real chance that corporate emails and passwords are also impacted. A
similar vulnerability recently enabled attackers to gain access to millions
of Dropbox accounts as third-party services integrated with the product
were compromised, laying millions of usernames and passwords vulnerable.

To learn if this has happened before, start by heading over to security
expert Troy Hunt’s site or Breach Alarm’s free tool and scan employees’
email addresses through their tool—their database is often updated with the
latest published breaches.

5. Passwords hold the key.

To prevent a similar incident, have a strong password management policy.
Educating employees about never reusing passwords across services and
creating stronger passwords (aim for length over variety of characters,
though) is also key.

Understandably, this requirement results in difficult-to-remember
passwords, straining productivity. If possible, start using a password
management application. They’re easy to use, automatically generate strong
passwords for each service—and, most importantly, they’re secure. LastPass
is a leader in this field.
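As an added illustration of the "length over variety" rule and the "never reuse a breached password" rule from items 4 and 5 (example code written for this archive, not from the article or its author; the thresholds and the breached-password list are constructed assumptions):

```python
import math

# Constructed sample of passwords that appeared in earlier breach dumps
# (placeholder data, not a real list).
KNOWN_BREACHED = {"password1", "Winter2014!", "letmein"}

MIN_LENGTH = 12        # policy assumption: length is the primary control
MIN_ENTROPY_BITS = 60  # policy assumption: rough brute-force resistance floor


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force strength: length * log2(size of character pool used).

    Length multiplies, character variety only grows the log term, which is
    why a long lowercase passphrase outscores a short mixed-character one.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if password in KNOWN_BREACHED:
        problems.append("appears in a published breach; must not be reused")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated strength below {MIN_ENTROPY_BITS} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4d0r&3", "correct horse battery staple", "Winter2014!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

An 11-character mixed password fails on length even though it uses every character class, while the 28-character lowercase passphrase passes both checks.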

6. Anticipate the next Shellshock.

There is another important reason to stay on top of security news. Within
the past year alone, two major vulnerabilities were found to be lurking in
widely used software—Heartbleed and Shellshock. We can safely assume that
it’s only a matter of time until the next vulnerability is unearthed, and
it’s important to pay attention to the news for when they come to
light—especially if any of the software your business uses is compromised.
Mass exploitation of these vulnerabilities can happen in as little as a
week’s time after they’re disclosed, so your business is at risk if you
wait around—or even worse, do nothing.

7. Do your homework.

When choosing services to implement into your business’s workflow, it’s
important not to overlook pure security for productivity benefits, an easy
mistake in today’s productivity-and-cloud-crazed environment. Do your due
diligence, and make sure to go with services that are recommended by
security professionals and your industry’s relevant associations, which
often publish guidelines relevant to your market and regulatory
environment. It’s also important to make sure the services that you decide
to go with include privacy policies and guarantees that will inform you
when their systems are breached.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 