Data security is crucial to the health of your business: it keeps personal, client, and company information confidential and out of the hands of would-be attackers. We’ve seen examples of significant data breaches, including Target in 2013, Home Depot in 2014, and Equifax in 2017. While these large organizations had the financial backing and reputation to weather the storm that followed, many smaller businesses are not in the same situation.
The first step is evaluating and managing the risk of data attacks, because one solution does not fit all organizations.
The level of risk depends on what data you collect and where you store it. If you take payment information or work with health information, you will be subject to the Payment Card Industry Data Security Standard (PCI DSS) and/or the Health Insurance Portability and Accountability Act (HIPAA), respectively.
The threat landscape continues to evolve with ransomware becoming more targeted and destructive. The National Institute of Standards and Technology (NIST) has pulled together voluntary guidance — the NIST Cybersecurity Framework — based on existing standards, practices, and guidelines for managing cybersecurity risk — from identification through to recovery.
Types of Attacks
- Spyware, unwanted software that steals your internet usage data and sensitive information, can collect financial/banking information and use it to deploy ransomware or other malware.
- Ransomware threatens to publish the victim’s data or block access to it unless a ransom is paid.
- Wipers overwrite data or use other means to corrupt it. They can be detrimental to an organization.
Initial access to a network is most often gained through the following means:
- Spam attacks can be used to get unsuspecting users to click on links or open attachments that contain malware that can spread through the network.
- Phishing attacks purport to be communications from a credible source that encourage the user to reveal information such as passwords or credit card information.
- Spear phishing is more targeted at an individual with a message that appears to be from a trusted sender such as a manager or executive within the firm.
Protecting the Network
Network security is important, but the right level varies with the risk a company faces. Basic security includes using firewalls, VPNs for remote access, and secure password policies, including enabling multi-factor authentication. These have become more important as workers have transitioned to a work-from-home environment during the COVID-19 pandemic, which has forced companies to open up external access so employees can remain productive. Ensuring that your network is secure for access from both inside and outside your physical location is key.
Additional layers of security can be added, such as threat protection and mobile device management. For public-facing websites that collect and store client information, a Web Application Firewall (WAF) is recommended.
Maintaining and updating any servers you support is crucial to ensuring a secure network.
Securing workstations is a critical step to helping control the access points to your network. Anti-virus/malware software is required, as is keeping your operating systems current with the latest security updates from the provider.
At the end of the day, the security tools need to be supported by user behavior. Users should be trained on how to identify red flags for a phishing email — poor grammar, a suspect sender address, attachments from a person you don’t know or were not expecting, among many others.
Users should also not use USB drives from unknown sources. USB ports can be disabled for removable storage as a preventive measure.
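Several of the red flags named above can also be checked mechanically before a message reaches a user. The following Python script is an added example, not code from the original article or from MarksNelson; it uses only the standard library, the trusted-domain list and the two sample messages are constructed for illustration, and the poor-grammar red flag is deliberately left to the human reader because it is not reliably scored by software.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Hypothetical: domains the organisation actually corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-corp.com"}

# Attachment types commonly abused to deliver malware.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk")

# Pressure words that phishing lures lean on to rush the reader.
URGENCY_WORDS = ("urgent", "suspend", "verify", "immediately")


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike(domain):
    """Trusted domain that `domain` closely resembles without matching, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None


def phishing_flags(raw_message):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    name_tokens = "".join(ch for ch in display_name.lower() if ch.isalnum())

    # 1. Display name invokes a trusted brand but the address lives elsewhere.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0].replace("-", "")
        if brand in name_tokens and from_domain != trusted:
            flags.append(f"display name suggests {trusted} but address is {address}")

    # 2. Sender domain is a near-miss of a trusted domain (e.g. a digit for a letter).
    near = lookalike(from_domain)
    if near:
        flags.append(f"sender domain {from_domain} resembles {near}")

    # 3. Replies are routed to a different domain than the message came from.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain")

    # 4. Attachment of a type that can execute code or carry macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")

    # 5. Urgency language in the subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    found = [w for w in URGENCY_WORDS if w in text]
    if found:
        flags.append("urgency language: " + ", ".join(found))

    return flags


# Constructed sample: a lure that trips every check above.
SAMPLE_PHISH = """From: "Example Bank Support" <security@examp1e-bank.com>
Reply-To: collect@mail-drop.test
To: staff@acme-corp.com
Subject: Urgent: verify you're account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your acount will be suspend. Open the attached file.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary internal message that should pass clean.
SAMPLE_LEGIT = """From: "Pat Lee" <pat.lee@acme-corp.com>
To: staff@acme-corp.com
Subject: Notes from today's meeting
Content-Type: text/plain

Summary is inline below. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_flags(sample))
```

The lookalike check uses a similarity ratio rather than an exact blocklist so that a single swapped character ("examp1e" for "example") is still caught; a production mail gateway would pair these heuristics with SPF/DKIM/DMARC results rather than rely on them alone.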
Physical Security
Physical security is fundamental to making sure unauthorized people are not allowed into areas where they are not permitted. Many companies use secure card access and video monitoring, and require visitors to check in and out and be escorted while in the building.
Overall, security is both technology and human activity working together. Understanding the risks that an organization faces is the first step. MarksNelson can help you take that first step and the steps after. Reach out to us today to see how our technology team can help you succeed.