To protect valuable commercial and customer data on your information technology (IT) network and cloud servers, you need to invest in technology and employee training.
If you get it wrong, you’ll lose the trust of nearly half of your clients who’ll think twice about spending money with you ever again, according to research from DigiCert. It may also take weeks for your business to get back to normal again after a data breach. If the breach was really bad, you might end up facing class action lawsuits from customers or paying substantial fines from regulators.
Below, we share with you what you need to do to minimize the chances of a data breach. Then, we outline the costs of getting it wrong, ending with a summary of how to roll out a data security policy across your business.
How to protect your bottom line from data breaches
You need several strategies to protect your valuable confidential commercial and customer data from loss or compromise. First, you need a plan to stop breaches from happening. Next, you need to know how to respond if you become a victim of a successful cyberattack. Here are three steps to get you started.
1. Create a tailored cybersecurity plan.
Prioritizing cybersecurity comes from the top of any business. If your IT people and your employees don’t feel it’s important to the company leaders, it’ll never be important to them.
Before you invest in your tech stack and train your people, though, you need to know what data you should prioritize for defense.
Know your data assets
There are lots of different types of data. Some of it will be more valuable and sensitive than others.
Start by identifying what data needs the most protection — that’s always going to be the data others can exploit the most easily for financial gain. For you, that might be your customer database containing contact and payment details for every client. If that information is breached, they’ll likely become victims of card fraud and phishing scams (covered later in this article).
For instance, if you run a legal firm, did you know some businesses hire hackers whose sole purpose is to steal your clients’ trade secrets and business information? If you’re in healthcare, be wary because people pay good money to get hold of confidential but valuable patient data.
Make sure you pay the most attention to the data whose loss or theft would be the most catastrophic for your business.
2. Shore up your technical defenses.
Next, consider your tech stack. The person in charge of implementing your data security plan should have extensive knowledge of all the hardware and software you use as well as how you connect to the Internet. If they don’t, you may wish to appoint an outside contractor whose specialties are network security and database management.
Start building your technical defenses by concentrating on the following eight areas:
Protect points of connectivity with strong passwords and encryption
Every item that connects to the internet needs to be secure, including desktops, laptops, mobile devices, printers, security cameras and access control systems. Each offers a way for a hacker to get in and steal data.
Many employees struggle to come up with strong passwords. It might be better to take central control of this by using a password management tool. Alternatively, you could consider a single sign-on solution or two-factor authentication.
You should encrypt all data in transit to and from your network. If a hacker does intercept this data, they won’t be able to decrypt it without the correct key. You should also use encryption when connecting to cloud services because, according to machine identity management company Venafi, 81 percent of businesses have been subject to a cloud-based security incident in the last 12 months.
Install antivirus software and a firewall
Antivirus software, sometimes called antimalware software, prevents, detects and removes rogue software on your system. It can also quarantine any newly downloaded software or file until it has been checked for safety.
Malware presents major dangers to businesses. For example, hackers can use spyware to find out usernames, passwords, email addresses and other login details. In ransomware attacks, hackers threaten to delete your data or permanently block access to it if you do not make a payment to them.
Firewalls also offer proven protection in addition to your antivirus software. They sit between your IT network and the internet, learning over time what types of incoming or outgoing traffic to expect. If the firewall detects traffic from a suspicious source, it blocks it until you tell it that the source can be trusted.
Restrict access to the most valuable data
Security company IS Decisions discovered in a survey that one-third of United Kingdom and United States desk-based ex-employees could still access company data or systems after they’d left the business. It’s hardly surprising then that, with this lack of visibility, it now takes businesses 277 days on average to identify and contain a data breach, according to IBM’s Cost of a Data Breach Report.
As part of your data breach prevention plan, ask yourself which data individual users need access to as part of their job. For example, there’s no need for the receptionist to have the same data or apps available to him or her as the chief financial officer (CFO).
Limiting data access in this way helps you better protect your data and systems in the long run. If a hacker does get into your system using the receptionist’s login, the damage they can do is restricted to the areas your receptionist can access.
Track who’s using data and how
It’s also important to know who’s accessing what data from inside your business. Employee monitoring software is popular, but it’s controversial. You should always let staff know in advance that you’re going to use it.
User and entity behavior analytics tools observe what employees logged into your system are doing. They can alert you to any attempts to download or access large amounts of data, or data that a user normally cannot access.
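The two checks described in this section and the one before it (access outside a user's role, and unusually large data movement) can be expressed as simple detection logic over an access log. The following is an added example, not code from the article or any product it names; the log lines, the role-to-dataset map and the 10 MiB threshold are all constructed values.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the article). Fields: timestamp, user, action, dataset, bytes.
ACCESS_LOG = """\
2024-03-01T09:02:11 user=reception action=read dataset=visitor_log bytes=2048
2024-03-01T09:05:40 user=reception action=read dataset=visitor_log bytes=1024
2024-03-01T09:30:02 user=cfo action=read dataset=ledger bytes=400000
2024-03-01T09:41:00 user=analyst action=read dataset=customer_db bytes=4000000
2024-03-01T09:52:30 user=analyst action=read dataset=customer_db bytes=4000000
2024-03-01T10:03:15 user=analyst action=read dataset=customer_db bytes=4000000
2024-03-01T10:12:55 user=reception action=download dataset=customer_db bytes=52000000
2024-03-01T10:14:03 user=cfo action=download dataset=ledger bytes=3000000
"""

# Hypothetical least-privilege map: the datasets each role genuinely needs for its job.
ROLE_ACCESS = {"reception": {"visitor_log"}, "cfo": {"ledger", "customer_db"}, "analyst": {"customer_db"}}

# Assumed policy value: flag one transfer, or one user's running total, at or above 10 MiB.
BULK_THRESHOLD = 10 * 1024 * 1024

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"dataset=(?P<dataset>\S+) bytes=(?P<bytes>\d+)$")

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["bytes"] = int(event["bytes"])
            yield event

def find_alerts(text, role_access=ROLE_ACCESS, threshold=BULK_THRESHOLD):
    """Return (timestamp, user, alert_type, dataset) tuples for suspicious events, in log order."""
    alerts = []
    totals = defaultdict(int)  # running bytes moved per user
    for ev in parse_log(text):
        ts, user, dataset, size = ev["ts"], ev["user"], ev["dataset"], ev["bytes"]
        # Access outside the user's role; an unknown user has no permitted datasets at all.
        if dataset not in role_access.get(user, set()):
            alerts.append((ts, user, "out_of_role", dataset))
        if size >= threshold:
            alerts.append((ts, user, "bulk_transfer", dataset))
        before, totals[user] = totals[user], totals[user] + size
        # Many modest reads that add up: alert once, when the running total first crosses the line.
        if before < threshold <= totals[user]:
            alerts.append((ts, user, "bulk_volume", dataset))
    return alerts
```

Run against the sample, the analyst trips only the running-total rule, while the receptionist's single download of the customer database trips all three.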
Maintain an inventory of permitted devices
Employees bringing their own devices to work was popular for a while. However, most experts now advise against it for security reasons.
You should consider instead maintaining a central list of company-owned registered devices that have permission to access the network. When an employee leaves, you can switch off access for a particular device until you assign it to a new employee. You also have the added benefit of automatic blocking of unrecognized devices, even if they have the correct password.
Keep software and apps up to date
Make sure that your IT team downloads the latest patches for all the software and apps on your network and connected devices on the day of release. Vendors often release updates to protect customers when a security vulnerability becomes known to them. The longer you wait to update, the more time you give potential attackers to find out that you’re not running the latest version.
For the same reason, you should also stop using any software and apps that no longer receive vendor support. Staff who have become attached to a particular app may protest about this, so make sure you involve them as much as possible in deciding on a replacement.
Finally, make sure that members of staff cannot download unauthorized software onto your network or your cloud server.
Protect your website
In many businesses, the website is now an integral part of the technology stack. A poorly protected website offers an enticing attack vector for cybercriminals targeting company data.
You can use various penetration test tools, such as Intruder and Detectify, to check your website and discover any current vulnerability. You should also make sure that your TLS and SSL certificates are up to date and correctly registered.
Ban removable media
Some companies allow staff members and contractors to plug removable media like CD-ROMs, memory sticks and flash drives into their servers and terminals.
Most security experts advise against this, as removable media is easy to lose. There is an additional risk: if an employee uses the same removable media at both home and work, any viruses or malware they pick up at home may be carried onto your network when they plug it in there.
In our review of Teramind, we found how this data loss prevention product detects when an employee transfers files to removable media like a USB drive.
3. Involve your staff
A Verizon report found that 82 percent of data breaches were caused by human error. In many companies, the need to invest in staff training is more urgent than investment in technology.
Most security experts would advise that your training includes, at the very least, the following three items:
Create a social media policy
Many hackers con or dupe employees into taking a course of action that’s damaging to your company using a form of social engineering called “phishing.” One particularly successful way of doing this is by pretending to be someone your co-workers already know.
Often, they get the details they need from social media networks. Someone could look up the name of a member of your IT team on LinkedIn and then email or phone someone else in the business to ask them for their network username and password so they can get to your data. That’s much easier and quicker than breaking in by technical means.
How would they do this? On LinkedIn, users often share their name, job title, email address and telephone number. Someone with even basic knowledge of how email works can change their “from name” and “from email address” to pretend to be someone else. Email signatures are easy to fake. For added authenticity, they could also include the names of the victim’s co-workers in the email by going through the list of employees on LinkedIn.
Make sure that your colleagues do not include too much information in their profiles if possible.
How to spot phishing attacks
But, even with a social media policy in place, hackers will find information so you need to do more to protect yourself.
If someone calls a member of your staff “from IT” asking for a network username and password, they should be immediately suspicious about it.
Encourage colleagues to call someone in authority to verify any such request. If the suspicious inquiry supposedly comes from someone in authority, require your employee to speak with the person in charge of data security in your business before proceeding.
You need to get staff to question what others ask them to do as a matter of course. As well as protecting your data, it will also safeguard your company against CEO fraud attacks and more.
“Spear phishing” uses chief executive officer and CFO information gathered from social media so hackers can try to convince your staff to do something damaging to your business by impersonating C-suite executives.
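The two tricks described above (a forged display name on a “from” address, and impersonation of a named executive) leave traces in the message headers that mail filtering can check before a user ever sees the message. The following is an added example written for this article, not code from it; the company domain, the executive directory, the confusable-character table and the three sample messages are all constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company directory (constructed values): the company's own domain and the real
# addresses of executives whose names a phisher could lift from a public profile.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}

# Assumed minimal set of characters commonly swapped to build a lookalike domain.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def _domain_of(addr):
    return addr.rpartition("@")[2].lower()

def check_from_header(raw_message, company_domain=COMPANY_DOMAIN, executives=EXECUTIVES):
    """Return the list of impersonation indicators found in a message's headers (empty = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain_of(addr)
    reasons = []
    # Display name matches a known executive but the address is not that executive's real one.
    real_addr = executives.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        reasons.append("executive display name with unexpected address")
    # Sender domain becomes the company domain once confusable characters are normalized.
    if domain != company_domain and domain.translate(CONFUSABLES) == company_domain:
        reasons.append("lookalike sender domain")
    # A Reply-To pointing somewhere other than the From domain steers replies to the attacker.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain_of(reply_to) != domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons

# Constructed sample messages (not real mail): genuine, forged display name, lookalike domain.
GENUINE = ("From: Jane Doe <jane.doe@example.com>\nTo: finance@example.com\n"
           "Subject: Q3 budget\n\nPlease review.\n")
NAME_SPOOF = ("From: Jane Doe <jane.doe.ceo@freemail.test>\nTo: finance@example.com\n"
              "Subject: Urgent wire transfer\n\nAre you at your desk?\n")
LOOKALIKE = ("From: Sam Lee <sam.lee@examp1e.com>\nReply-To: sam.lee@freemail.test\n"
             "To: finance@example.com\nSubject: Invoice\n\nPay today.\n")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("name spoof", NAME_SPOOF), ("lookalike", LOOKALIKE)):
        print(label, check_from_header(raw) or ["no indicators"])
```

Header checks like these complement, rather than replace, the call-back verification the section recommends, since a message can pass them and still be fraudulent.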
VPNs for staff out and about
Hackers often set up dummy hotspots in coffee shops and train stations using the name of the venue to trick people to log on. They can then intercept the data traffic in both directions from users who have logged onto their spoof network.
To mitigate this risk, insist that your employees use a virtual private network service to encrypt their data traffic. To avoid the risk altogether, you could request that staff use cellphone data networks only.
How data loss costs companies
There are three main ways in which a data breach can damage a company.
1. Damage to revenues
The loss of customer trust described at the start of this article has a significant effect on revenues, and it can take many years to fully recover from it.
2. Financial damage
Three other costs businesses need to factor in include:
- Recovery cost. According to a Kaspersky report, the average cost of a small and medium-sized business data breach is more than $100,000. For larger enterprises, the price can scale up to $9.44 million, said IBM.
- Regulator fines. Each state has its own data breach laws whose fines reach into the $100,000s. Finance businesses may also be fined again under the Gramm-Leach-Bliley Act and healthcare providers under the Health Insurance Portability and Accountability Act.
- Class-action lawsuits. For large enough breaches, some law firms attempt to arrange class-action lawsuits against a company. Even if you win, the cost of defending these charges may run into millions.
3. Business interruption
The most disruptive types of data breach come from ransomware attacks. Hackers get into a company’s IT network and stop users from accessing, among other things, stored data. The average cost of a data breach in the U.S. is $9.44 million and it takes an average of nine months to identify and correct it, said IBM.
How long normal trading is disrupted depends on the severity of the attack, the quantity of data involved and whether you have a recent backup of the data under ransom.
In many cases, companies that have become a victim of an attack are unable to sell or provide services to customers during this time. This may be reflected in an increase in negative online reviews about your business affecting its ability to sell to new clients in the future.
Many insurance providers now offer cyber insurance to their business clients that provides coverage in the event of a data breach.
The run-up to becoming a data-secure company
Now that you have a plan, appoint a lead responsible for rolling out your data breach and cybersecurity defense policies. Your IT team or contractor will be able to specify and install the technical defenses you choose. Assign a manager to create training plans for managers and employees. Create a set of key performance indicators (KPIs) so managers can identify which co-workers are putting what they’ve learned into practice and which require further training.
Don’t stop there. Hackers are finding new ways to circumvent technical and human firewalls. Keep abreast of these developments and focus additions to your policy on providing protection against the most pressing threats at the time.
Additional reporting by Isaac Kohen.