Any modern business owner knows how important it is to protect confidential information and intellectual property. Doing so will safeguard public opinion of the company, maintain trust with clients, and also keep your work in accordance with data protection legal guidelines. However, online data breaches are now more widespread than ever before, with over 22 million records exposed in 2018 alone. That year also saw business giants including Facebook, British Airways and Google+ experience massive leaks, while the first study of its kind calculated the full cost of “mega breaches” as high as $350 million.
As a result, many savvy businesses are taking appropriate steps to prevent and tackle perceived cyber security threats, but is their data really as safe as they think? From mobile security software to password protection, here’s how organizations can take action against the potential sources of data leaks they may be neglecting.
Corporate mobile phones
Corporate mobile phones enable staff to work remotely, access emails on the go, and provide a more cost-effective means to communicate from abroad, or with international clients. However, this practice doesn’t come without security risks, and worryingly only 11% of businesses take more than one basic measure when it comes to mobile security.
Just one cyber security breach via a corporate phone could give a hacker access to sensitive company data, and mobiles are vulnerable for several reasons. Employees could connect to public access Wi-Fi points set up by hackers—often given seemingly safe names like Free Airport Wi-Fi—or fail to update their devices regularly, thereby missing out on the most recent security policies.
Mobile phone users are also more likely to fall victim to a phishing attack because these devices are often the first place employees will read any new messages. Additionally, many devices only display a sender’s name, making it easier for hackers to impersonate others and trick somebody into believing an email is from a person they know or trust.
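The display-name impersonation described above can be checked on the receiving side, before a message reaches a phone that shows only the sender's name. The following Python code is an added example, not part of the original article; the staff directory, the example.com corporate domain and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: the domain and staff names are assumptions.
CORPORATE_DOMAINS = {"example.com"}
STAFF_DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}

def normalise(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())

def check_sender(from_header):
    """Classify one From: header value; returns (verdict, reason)."""
    display, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return "suspicious", "no parseable sender address"
    known = STAFF_DIRECTORY.get(normalise(display))
    if known is None:
        return "ok", "display name is not a staff name"
    if address == known:
        return "ok", "display name matches the directory address"
    if address.rpartition("@")[2] in CORPORATE_DOMAINS:
        return "review", "staff name on a different internal address"
    return "suspicious", "staff name on an external address"

def flag_messages(from_headers):
    """Return (header, verdict, reason) for every header that is not 'ok'."""
    flagged = []
    for header in from_headers:
        verdict, reason = check_sender(header)
        if verdict != "ok":
            flagged.append((header, verdict, reason))
    return flagged

# Constructed From: headers, as a mail gateway might see them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@example.net>",
    '"Sam  PATEL" <accounts@example.org>',
    "Jane Doe <j.doe@example.com>",
    "Weekly Digest <news@example.net>",
]

if __name__ == "__main__":
    for header, verdict, reason in flag_messages(SAMPLE_HEADERS):
        print(f"{verdict:10} {reason}: {header}")
```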
In spite of these threats, many organizations do little to protect the devices they give employees, nor do they monitor the networks employees access on their phones. Mobile security specialist Wandera is adamant that for effective protection against threats, IT and security leaders need to have a multi-level security solution that protects at the endpoint and network levels. Their Mobile Threat Defense solution provides vulnerability assessments, app vetting and real-time prevention of network attacks, strengthening user privacy and protecting corporate data in doing so.
For optimum mobile security, companies should also provide a secure connection for their mobile workforce by having a virtual private network (VPN) in place, ensure that all devices are protected with PIN numbers, and block any high-risk or suspicious apps.
Beyond the possible gaps in a business’ cyber security, many potential data risks result from mistakes made by company employees. A recent study revealed that 47% of business leaders blamed human error for their company’s most recent data breach. Leaving devices unlocked, losing electronic devices, clicking links in fraudulent emails, and inadvertently revealing sensitive information while working in a public place are all ways employees could open their organization up to a data breach.
It is essential for employees to be clued up in the latest cyber security practices, particularly given the growing popularity of Software-as-a-Service (SaaS). This allows businesses to access software via cloud hosting, with approximately 73% of organizations predicting nearly all apps will be SaaS by 2020. Meanwhile, there has also been a huge increase in business email compromise (BEC) attacks in recent years, in which a hacker impersonates a superior or staff member in an effort to steal company funds. According to the most recent Proofpoint Quarterly Threat Report, BEC attacks increased by 226% from the previous quarter and are up 476% compared to the same period a year ago.
As online threats are constantly changing, it’s recommended that employee training programmes are organized every six months, or once a year at the very least. Regular updates via newsletters could also discourage employees from downloading potentially dangerous software from unknown sites.
Unfortunately, data is not always completely safe after it’s been wiped from a computer. This is particularly problematic for businesses seeking to totally erase sensitive data, as failure to do so could inadvertently lead to a company breaching data protection laws and even open it up to fraud.
The first step in deleting data is to reset the device to its factory settings. This bars access to any installed programs or files, but sensitive data can still be extracted following this process. Much of the time, manufacturers simply don’t provide the software necessary to fully wipe flash storage, which is notoriously hard to delete. Flash storage is a drive, repository, or system using flash memory, which retains data in the absence of a power supply for an extended period of time.
Once you have factory reset your devices, you should always run data-shredding software across all computers in question. If you no longer need to use the device, you could also simply remove the hard drive and physically smash it to pieces in order to break the ‘platters’ containing the data.
Alternatively, you can hire professionals to ensure that data is well and truly disposed of. The best companies will use CESG-approved data erasure software to wipe your devices, and should be able to provide certification as evidence of data removal. They are also usually willing to collect and return computers which have been securely wiped and are safe for redeployment.
Insufficient password protection
Rule number one of cyber security is a strong password. The strongest passwords are difficult for both humans and computer programs to detect, and should contain at least six characters—though the more the better—as well as a combination of letters, numbers, and symbols. As passwords are also case sensitive, strong ones should use both upper and lowercase letters, and forgo any dictionary words, or any parts of the user’s name.
Businesses should implement distinct password protection policies which show employees how to create strong passwords, how to store them, and how often to change them. Different, complex passwords are required for each individual website and app; otherwise, a security breach on one site exposes every user’s information. Therefore, business owners should also invest in password managers to allow staff members to keep track of their logins, as these tools automatically create, remember, and fill in passwords.
However, a strong password alone is often not enough to protect sensitive company data. Encryption provides an extra layer of cyber security and is a necessary part of preventing a data breach. It involves scrambling text so it is unreadable to unauthorized users, and can be applied to individual files, folders, or even entire hard disks. If a computer is stolen, the thief may not need a password to access certain files, but encryption would prevent them from being able to access the data. Strong encryption is incorporated into modern versions of the Windows and OS X operating systems, while there are also a number of third-party encryption programs business owners could use in order to safeguard their company’s sensitive data.