As companies collect more and more valuable data, securing that data is more important than ever. It’s a challenge to know exactly what to do to ensure the safety of that data — especially when taking the wrong steps could leave networks vulnerable.
We reached out to several experts to get their take on data security best practices. Here’s what they recommend.
- Back up, back up, back up
- Always be suspicious of emails
- Adopt a privacy framework
- Employ multifactor authentication
- Centralize your data
- Ensure logs are tracking user access and changes
- Encrypt devices
- Implement a data loss prevention system
1. Back up, back up, back up
“Businesses must have backup systems in place,” says Bob Herman of IT Tropolis. Not only that — they must ensure the backups are managed so data can actually be recovered in the event of a loss.
“I’ve been on the receiving end of too many calls from business leaders who indicate they have a backup, but it hasn’t been managed, with the last successful backup being run weeks or months prior to the incident,” Herman says.
2. Always be suspicious of emails
The FBI’s Internet Crime Complaint Center published a recent report indicating that phishing-related scams — where bad actors pose as reputable or familiar individuals to convince the recipient to disclose personal information — resulted in more than $48 million in losses in the U.S. This shows how much harm a simple email can cause.
“All employees must be trained to be suspicious of all emails, especially unexpected ones,” Herman says. Even emails from known people, including coworkers or friends, can be malicious because their email account may have been hacked.
Usually the context of the email gives it away. “For example, consider an unexpected vendor email that has odd wording and is asking you to download an invoice from a link. When in doubt, verify directly with the source,” Herman says. “Don’t download anything.”
3. Adopt a privacy framework
He recommends adopting the privacy by design framework, which mandates that privacy be embedded into the very core of your operations, and the responsibility for privacy shared among all levels of your team.
With this framework, you proactively embed privacy into the design and operation of IT systems, networked infrastructure, and business practices. “For example, if you collect only essential data from users, and you consider security throughout a product’s development, the risk of a data breach for that product is significantly minimized,” Fogg says.
4. Employ multifactor authentication
As technology becomes more advanced, cybersecurity threats become more sophisticated. Fogg says that implementing a system that uses two or more authentication factors — among them, knowledge, possession, and biological traits — adds extra layers of protection, with each factor compensating for the weaknesses of another.
Examples of authentication methods include biometrics (fingerprint scans and facial recognition), PIN tokens, and SMS messages in addition to regular passwords. “Combined with proper employee training, multifactor authentication is a robust cybersecurity defense for organizations in every industry,” says Fogg.
5. Centralize your data
“Having data spread far and wide can tremendously complicate data security,” says Brad Pierce of HORNE Cyber. He recommends having a well-planned data repository that’s reliable and accessible as part of your data security plan.
“This is one of the biggest areas where shadow IT creeps in. If your team members can’t rely on your system to store their business-related files and information, they will seek more reliable options, most of which could put your data at risk,” Pierce says.
6. Ensure logs are tracking user access and changes
Pierce notes that, regardless of whether you’re using a complex document management system or a basic Windows file share, logs regarding access and changes should be active and monitored. “Documenting these transaction logs will help you identify unauthorized access or modification of files, better securing your organization’s data.”
7. Encrypt devices
Laptops and mobile phones are frequently used to access and store sensitive data. However, these devices are also constantly at risk of being stolen or tampered with as workers take them in and out of the office at will.
You may not be able to control the mobility of these devices, but you can take strides to secure their access. Encryption is one way. If a device is used to access company data, that device should be encrypted. “If a laptop or phone goes missing, having the disk encrypted can provide assurance that the data on that machine cannot be accessed,” Pierce says.
8. Implement a data loss prevention system
Sometimes users can have a lapse in judgment. Even though security awareness training stresses otherwise, users may still send a document containing personally identifiable information (PII) to a trusted contact via email.
Among its many capabilities, a data loss prevention (DLP) system can help protect your organization by scanning, detecting, and blocking sensitive information contained in emails and attachments. Pierce ties it all together: “DLP systems help ensure data doesn’t leak from accidental email sends or more malicious events like a current employee funneling data to USB drives before a ‘graceful’ exit.”