Cybersecurity is no longer an option. All organizations, from mom-and-pop shops to Fortune 500 companies, must take appropriate steps to protect themselves from anything that might compromise operations — whether that be an employee accident or malicious activity from an unknown hacker.
There are two sides to cybersecurity: protecting data and protecting networks. Each side has its particular requirements and challenges. In this article, we’ll look at both data and system security and describe best practices for your organization.
Data security relates to all the efforts your organization makes to ensure that the information you possess isn’t accidentally deleted or modified — or deliberately accessed, manipulated, stolen, sold or otherwise misused. There are many regulations regarding data security and breach reporting; you can find the information on the Federal Trade Commission’s Data Security guidance page.
Just as you have an inventory of your physical assets, you need a similar inventory of all the information you maintain. Start by cataloging everywhere digital information is stored within your organization. Some of the items will be obvious, like laptop computers and servers, but others not so much, like your digital photocopier and printer.
Once you know where the information resides, take stock of how data enters and leaves your organization. Where does consumer information come from? Health records? Financial histories? Credit card numbers? These entry and exit points can prove to be major vulnerabilities, and must be monitored. If you have to send data to a vendor or supplier, make sure it is encrypted and that the other party has proper data security precautions in place.
A comprehensive inventory will help you determine what data you need to keep, and what can be destroyed. If there’s no legal or business reason to hold on to information, have it erased securely. If you don’t possess unnecessary information, it can’t be stolen.
The next step in data security is to make sure that your physical assets can’t be taken. This requires locking down laptops and limiting access to servers and other equipment. Laptops should be encrypted and password-protected. Instruct your employees not to let strangers into workplaces, and to take other security precautions. Require employees to change passwords at regular intervals — but not so frequently that they’ll need to write them down! Remember that onlookers can also compromise that information, so consider investing in privacy screens for laptop computers if your employees work on airplanes, in coffee shops or at other locations out in the open.
System security goes hand-in-hand with data security. System security describes the controls and safeguards that an organization puts in place to ensure its networks and resources are safe from downtime, interference or malicious intrusion. If data security is meant to protect the information in the books in the library, then system security is what protects the library itself.
Here are some of the common techniques for cyber attacks, and what your organization can do to mitigate the risk.
- Backdoor attack: Many computer networks might not be as secure as they seem. Sometimes programmers leave in code that allows them to access the network easily, usually for debugging purposes. Hackers might exploit these weak points. Be sure to review the code for any customized software used at your organization, and confirm that your software-as-a-service and platform-as-a-service suppliers are not vulnerable to these kinds of attacks.
- Denial of service (DoS) attack: Instead of breaking into your computer network, malicious parties might try to overwhelm it by bombarding it with requests for service, slowing access and network-reliant operations to a crawl. A regular denial of service attack can be stopped by blocking the attacker’s IP address. A more sophisticated type of attack, a distributed denial of service (DDoS) attack, is harder to stop, as it involves many IP addresses. Several vendors sell solutions that reduce the effects of DDoS attacks.
- Direct access attack: When people have access to your physical assets, it’s relatively easy to access your most sensitive information. Cyber criminals can simply steal laptops, hard drives and flash drives, or break into an office, and take or copy the devices that contain the information they want. The best defense against this type of attack is heightened security, worker training and information encryption.
- Malware attack: In a malware attack, a malicious party gains access to your computer network and then encrypts all your data. To get the encryption key, you must pay a ransom. Typically, the ransom escalates in price over time, and payment must be made in Bitcoin. Malware usually makes its way onto your network through a virus or worm, so educate your employees about the danger of clicking on suspicious links or attachments.
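
To make the denial of service item above concrete, here is an added example (not part of the original article) that triages one window of access-log lines and measures how much traffic an IP blocklist would actually drop. The log format, thresholds, function names and sample addresses are all assumptions constructed for illustration.

```python
from collections import Counter

def source_counts(lines):
    """Count requests per source IP; the IP is the first field of each line."""
    return Counter(line.split()[0] for line in lines if line.strip())

def triage(lines, flood_total=1000, dominant_share=0.5):
    """Label one time window of traffic.

    flood_total and dominant_share are illustrative thresholds (assumptions),
    to be tuned against an organization's normal traffic baseline.
    """
    counts = source_counts(lines)
    total = sum(counts.values())
    if total < flood_total:
        return "normal"
    top_ip, top_hits = counts.most_common(1)[0]
    if top_hits / total >= dominant_share:
        return f"single-source flood: block {top_ip}"
    return "distributed flood: per-IP blocking will not scale"

def traffic_removed(lines, blocked_ips):
    """Fraction of requests that a given IP blocklist would have dropped."""
    counts = source_counts(lines)
    total = sum(counts.values())
    return sum(counts[ip] for ip in blocked_ips) / total if total else 0.0

# Constructed windows using documentation-range addresses (RFC 5737).
NORMAL = [f"192.0.2.{i % 20 + 1} GET /index.html" for i in range(200)]
DOS = NORMAL + ["198.51.100.7 GET /login"] * 5000
DDOS = NORMAL + [f"203.0.113.{i % 250 + 1} GET /login" for i in range(5000)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("DoS", DOS), ("DDoS", DDOS)):
        print(f"{name}: {triage(window)}")
    # One block rule removes most of the single-source flood...
    print(f"DoS, block top IP:  {traffic_removed(DOS, ['198.51.100.7']):.1%}")
    # ...but barely dents the distributed one.
    print(f"DDoS, block one IP: {traffic_removed(DDOS, ['203.0.113.1']):.1%}")
```

In the constructed data the same flood volume is spread over 250 sources in the distributed case, so no single address stands out and blocking any one of them removes well under 1% of the requests.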