If you have an extra $3.8 million to spare, you don’t need to worry about preventing data theft. That’s the average cost of a data breach in 2015, according to IBM’s 2015 Cost of Data Breach Study. It’s a 23 per cent increase over costs unveiled in the 2013 study.
If, on the other hand, you’d like your company to keep its hard-earned cash, you’ll need to put in place policies and procedures to prevent data theft. Because, as the saying goes, there are two kinds of companies: those who’ve suffered a data breach and those who don’t know it yet.
With that in mind, we’ve compiled top tips from the experts to help you keep your company’s sensitive information safe from data thieves.
Data Storage and Access
1. Abolish paper, or at least lock it away.
If you have to keep paper files, shred them as soon as they are no longer needed. According to John Rowan of Advantage Business Equipment, there are nine things businesses should shred:
- Any mail with a name and address
- Luggage tags
- Trip itineraries
- Extra boarding passes
- Credit offers
- Price lists
- Vendor payment stubs and paid invoices
- Cancelled checks
2. Restrict access to your sensitive data.
“Not everyone in the company needs access to everything. Does the project manager need pricing information? Does the sales person need operations information? By restricting what data each person has access to, you limit your exposure when an employee decides what they want to steal or when the employee’s account is compromised by an outsider,” says Greg Kelley, EnCE, DFCP, of Vestige Digital Investigations.
3. Find out what you need to protect.
“Have an audit or assessment on your data. Everyone company is different. They have different regulations, different types of data, different needs for that data and a different company culture. Hire an outside expert to assess what data you have, how you are protecting it (not how you think you are protecting it) and where that data is going. While you may think it is an unnecessary cost, if you report to clients and potential clients that you have had an outside data assessment, you may find it puts you at an advantage over your competitors,” says Kelley.
Need a quick reference? Download the Data Theft Prevention Checklist.
4. Enforce data privacy controls inside and out.
Hold third parties and contractors your company engages to the same strict data privacy controls you implement in your own organization. Audit them periodically to ensure compliance with your security standards.
5. Protect all computers and devices.
Make it difficult for outsiders to access your company’s and employees’ devices and computers if they are lost or stolen by protecting them with strong passwords and by enabling remote wipe on all devices.
6. Install or enable a firewall.
Even small companies with few employees have valuable data that needs to be protected. Ensure you have a firewall in place to keep outsiders from accessing your company network.
7. Protect your wireless network.
Use a strong password and use encryption and security to hide your wireless network from outsiders. Don’t let neighbors or passers-by hop onto your network, or even see that it exists. You’re just inviting trouble.
8. Use encryption to protect data.
Ensure all sensitive information that is being transferred or emailed is encrypted. Encryption should also be installed on all company laptops, mobile devices and removable media.
9. Use a proxy.
“That free internet at the airport or the cafe is actually shared with dozens or hundreds or other users who might be sniffing your traffic,” says Roberto Arias Alegria, IT Security Consultant at Metaluxo IT Security. “Since encrypted connections (SSL) are far from universal, an easy to use proxy service can save you from prying eyes (e.g. Zenmate, or TunnelBear).”
10. Activate two-factor authentication.
“No matter how secure is your password, there’s more than one way to get it. Consider using 2FA whenever you can, Google, Yahoo, Twitter and many popular services already have support for 2FA,” says Arias.
11. Restrict movement of information.
“Do not permit the transfer of personal information (names, Social Security numbers, Medicare numbers, employee or medical data etc.) to a portable medium, like a laptop or mobile device. This data should be processed in-house, not on an airplane or a commuter train or at home,” says Robert Ellis Smith, Publisher, Privacy Journal.
12. Take extra steps to protect your most sensitive data.
“Truncate Social Security numbers, or remove them from the data base and store them elsewhere apart from the original data file, with a means to link the two later if necessary. Regularly remove sensitive personal data from online databases or “the cloud” and process it off-line,” says Smith.
13. Use anti-virus software and anti-spyware.
Update all software on your company’s network whenever updates become available. This includes security software, browsers, and operating systems. Don’t use free security software as sometimes these contain “scareware” that can fool employees into compromising your network.
14. Require strong passwords.
“More than 70 per cent of breaches are due to weak passwords or poor password management,” says Darren Guccione, CEO and co-founder of Keeper Security, Inc. Make sure you use passwords that are at least 8 characters in length and utilize a combination of uppercase and lowercase letters, numerals and symbols.”
15. Have a “clean desk” policy.
Implement and enforce a policy prohibiting employees from keeping working papers, passwords or any sensitive documents in view while they are away from their desks. Every workstation should have a lockable drawer for employees to secure sensitive information.
16. Guard against social engineering.
Teach employees to recognize and report attempts by outsiders to get information. Train them on the various techniques used by fraudsters, such as “phishing” and “smishing” and to never open attachments or download anything from an unknown source.
17. Beware of personal devices.
“Make sure that you have policies and technology to address the risk of people bringing personal devices to work,” says Joseph Steinberg, CEO of SecureMySocial. “All access to the Internet from such devices – or from devices brought by visitors to your office – should be done via a separate network than is used for company computers. Many routers come equipped with such a capability. Personal devices can be infected with malware that can steal data if the devices are connected to corporate networks.”
18. Implement social media policies.
“Create, and enforce with technology, appropriate social media policies. Don’t pretend that policies alone will ensure that employees don’t make inappropriate social media posts – you need technology to help with this task as people make mistakes – and they can be costly to your business. Many breaches start with criminals crafting spear phishing emails based on overshared information on social media,” says Steinberg.
19. Be prepared for mistakes.
“Employees are humans, and humans make mistakes,” says Quinn Kuzmich, adjunct professor of software security and computer forensics at Colorado Technical University, founding partner at NagaSec Information Security and a Senior IT Security Analyst for Skillsoft. “Mistakes leave your system vulnerable. And when it comes to data security, these mistakes happen all the time. Data gets saved in the wrong folders, which weren’t configured in the right way – this means the wrong people have access to the data. If you forget this important rule, the wrong people will remind you.”
20. Be nice to your employees.
A disgruntled employee can be the most dangerous vulnerability in your company’s data protection program.
Written by Dawn Lomer, Managing Editor