There are countless ways by which your information can become vulnerable to data breaches. We tackle three of them here and what you can do to mitigate the risk.
1. Poor Work Practices
The Verizon Data Breach Investigations Report in 2017 found that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. In January 2018, CSO Online compiled a list of the biggest or most significant data breaches of the 21st century. They found a password reset would have eliminated the bulk of the risk. It's clear password management is critical to protecting yourself against data breach.
Access to systems through legitimate, even if old, passwords can occur when employees walk away from their desk, or work remotely from home or elsewhere using networks that may not be so secured. Theft can occur by all types of people including former employees, current employees, rival companies, and any individual who may hold a grudge against your organisation. Criminals also steal data under contract, or in the hope of selling that data to the highest bidder.
What to do:
- Robust authentication is essential to any security implementation plan. Consider making these passwords as solid as you possibly can and apply best practices in password-management such as complex passwords and regular updating.
- Immediately delete access for users who leave the organisation whether cordially or not.
- Restrict access to information on a "need to know" basis for all employees in the organisation.
- Restrict physical access to some areas of your business promises such as the server room and even physical copies of data.
- Finally, discourage access to work accounts in networks that are unsecured.
2. Systems and Software Updates
Outdated software poses a high risk to the data in your enterprise. System and software updates are more than a necessity in averting a security disaster. Allowing your systems and software to miss a critical update is like leaving your car doors unlocked at night. Hackers pay close attention to software update patches to assess vulnerabilities of the previous versions and then write code that attacks machines using outdated versions of the software.
What to do:
- Regularly update all software including your antivirus.
- Track and monitor access to your computer systems.
- Update all software patches as they become available.
- Have a third party conduct a regular audit of your network and devices.
3. Use Plain File Transfer Protocol (FTP)
FTP has been a great technology for a long time to transfer files between users, systems and networks. It has often been the go-to protocol because it is less costly, quickly accessible and easy to use. However, over time, FTP file transfer has degenerated into a data breach risk because it lacks non-repudiation functionality and built-in secure authentication and therefore allows information to potentially end up with unauthorised users.
Simply put, using FTP is as good as transferring data across a network 'in the open'. This exposes files to risk such as man-in-the-middle attacks. The fact there is no encryption of data in FTP connections makes it even easier for hackers to access your information during a data transfer.
What to do:
- Use secure protocols and data security solutions such as network DLP to facilitate secure FTP usage.
- Use SSL (Secure Socket Layer), SSH (Secure Shell) and TLS (Transport Layer Security) file transfer protocols as alternatives to FTP as their connections are encrypted.
Consider Data Masking Too
We also recommend using data masking in your database management system. This exceptional technology replaces sensitive data with fictional equivalents to protect the genuine data from unwanted disclosure. Data masking is one of the best ways to keep information secure when data is used for secondary purposes such as application development, testing, training, and analytics.
You can learn more by downloading the Data Masking White Paper. In addition, if you have data security concerns or are looking for a more robust, secure and scalable database, then contact one of our database experts at email@example.com.
The contents of this blog is for general informational purposes only, and does not constitute legal or professional advice nor is it intended to be comprehensive. You should seek formal legal advice or professional advice in relation to particular matters pertaining to you or your organisation.