Dark Reading is part of the Informa Tech Division of Informa PLC


8/13/2018
10:30 AM
Francis Dinha
Commentary

The Data Security Landscape Is Shifting: Is Your Company Prepared?

New ways to steal your data (and profits) keep cropping up. These best practices can help keep your organization safer.

The world around online data is changing, and with it the landscape of business is facing an irreversible shift. The shift is not only in regulations, with the European Union's General Data Privacy Regulation enacted, but in the way businesses actually use and have access to data. An increasing number of businesses are moving their data to the cloud, which brings a different set of security issues.

Through the cloud, hackers can shut down your business for weeks — or longer. They can steal not only your data but your resources. Companies often don't take this threat seriously enough. The cloud feels invisible, so we make the incorrect assumption that it's inaccessible. I've seen many powerful companies neglect simple steps — like properly training their staff, having a backup in place, or limiting employees' access — which can make the difference between powerful profits and destruction due to cybercrime.

Thankfully, there are steps you can take to protect your company, and they aren't that complicated. Implement these five best practices to keep your data (and profits) out of the hands of hackers.

1. Make sure your IT staff is highly trained and available. Too many companies relegate their IT crew to a dusty office in the back, with no supervision and little training. They're treated as outsiders, usually because they have a different skill set and a different goal than the rest of the team — they're there to support the company, rather than expand the company like sales or product development. Because of this, IT faces the same kind of problems people in other supportive departments, like HR, face: they're taken for granted, denied the resources they need, and sometimes even unfairly blamed when something related to their department goes wrong.

But these supportive departments are vital to your company's functioning, and you neglect them at your peril. The IT world is constantly shifting, so the training for your employees needs to be updated constantly if you want them to succeed. Provide them with the right resources and ever-updated training, and you'll find yourself with an IT team ready and able to support your employees and protect your data. Proper training means your IT staff will see the incoming problems before they arrive — and, for the problems that do come, your IT team will be well equipped to handle them.

2. Educate your regular staff and develop a company-wide policy. Once your IT staffers are highly trained, you can rely on them to develop a company-wide security policy that you can implement and enforce. Many details will depend on your company and industry, but there are a few basic practices that every company should employ.

  • Create a process everyone knows how to follow, including a two-factor authentication system, strong passwords, and access to a private network.
  • Don't let your employees use their personal phones for company work. But if you do, have the right certificates installed on their devices.
  • Put up all walls to protect employees from hacking, and make them a standard part of your company policy — one that your employees understand, are trained in, and can implement. Having the best security tech in the world will mean nothing if your staff isn't taking it seriously.

3. Everything is on a need-to-know basis. Your employees do not need access to everything — they only need access to what's relevant to them. Policy comes into play here again: Make sure each level of access is protected by two-factor authentication and strong passwords, and work with your IT team to see that everyone has the access they need — but no more.

4. Back everything up. Yes, this step may seem basic, but I've seen plenty of otherwise savvy executives avoid it. They don't want to deal with the work of creating a backup to all their data, all their code, all their important financial info — it feels like a hassle, but it's absolutely essential. You're at risk of losing an incredible amount of work if you don't have a backup to turn to in case of an emergency. What's more, make sure you back it up somewhere private. Don't simply rely on Google Drive! On top of all this, charge your IT team with having their own backups and regularly taking snapshots of their work. There are plenty of tools available to make this simple; just make sure your IT staff really is using them. Then, of course, make sure all those backups are private and insulated extensively from attack.

5. Prepare for the worst. No matter how much you prepare, there will always be risk involved with any kind of online data storage. Inherent risk means you must be inherently prepared. Have a disaster recovery plan in place, ready to go if a hacker destroys your data. Recovery from this kind of attack is all about speed — the longer your company is down, the greater the damage will be long-term. No insurance or reparations can make up for the potential business your company loses when it's out of commission — which means a speedy recovery, more than anything else, determines whether a company will be able to bounce back. Use the backup you developed to rebuild and relaunch your programs; make it automated if possible. Set a plan in place so that, when the worst happens, you can turn it around quickly, efficiently, and effectively.

If hackers target your company, they either want to attack you and bring your network down or they're simply after financial gain. Many hackers will try to gain access to your Amazon cloud account, steal the key, and run up an enormous amount of CPU usage just to mine digital currency. Every day they develop more strategies, and every day they find new incentives. But whatever the goal, a cyberattack can mean the loss of profits, or worse, a permanent shutdown of your entire company. As our data and business landscape shifts and changes with developing technology (and corresponding government policies), make sure you and your team are prepared to ride any wave that comes your way.
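The stolen-key mining scenario above leaves a recognizable trace in cloud audit logs: one access key suddenly launching many instances across several regions. The following detection sketch is an added example, not part of the original article; the field names follow AWS CloudTrail's record format, while the sample records, key IDs, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, key, region, count, ip, name="RunInstances"):
    # Builds one constructed record using CloudTrail's field names.
    return {"eventName": name, "eventTime": time, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "requestParameters": {"instancesSet": {"items": [{"maxCount": count}]}}}

# Constructed sample data: keys, IPs and times are made up for illustration.
BUILD, LEAKED = "AKIAEXAMPLEBUILD0001", "AKIAEXAMPLELEAKED01"
SAMPLE_EVENTS = [
    _ev("2018-08-13T09:00:00Z", BUILD, "us-east-1", 2, "198.51.100.10"),
    _ev("2018-08-13T13:00:00Z", BUILD, "us-east-1", 2, "198.51.100.10"),
    _ev("2018-08-13T02:00:00Z", LEAKED, "us-east-1", 8, "203.0.113.77"),
    _ev("2018-08-13T02:03:00Z", LEAKED, "eu-west-1", 8, "203.0.113.77"),
    _ev("2018-08-13T02:05:00Z", LEAKED, "ap-southeast-1", 8, "203.0.113.77"),
    _ev("2018-08-13T02:06:00Z", LEAKED, "us-east-1", 0, "203.0.113.77", "DescribeInstances"),
]

def flag_launch_bursts(events, window=timedelta(minutes=15),
                       max_instances=10, max_regions=2):
    """Return {access_key: peak burst} for keys that exceed either limit
    within any sliding window of RunInstances calls."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventName"] != "RunInstances":
            continue  # only instance launches consume billable compute
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        count = sum(i["maxCount"] for i in e["requestParameters"]["instancesSet"]["items"])
        by_key[e["userIdentity"]["accessKeyId"]].append(
            (when, e["awsRegion"], count, e["sourceIPAddress"]))
    alerts = {}
    for key, launches in by_key.items():
        launches.sort()
        start = 0
        for end in range(len(launches)):
            while launches[end][0] - launches[start][0] > window:
                start += 1  # drop launches that fell out of the window
            span = launches[start:end + 1]
            total = sum(l[2] for l in span)
            regions = sorted({l[1] for l in span})
            over = total > max_instances or len(regions) > max_regions
            if over and total > alerts.get(key, {"instances": -1})["instances"]:
                alerts[key] = {"instances": total, "regions": regions,
                               "source_ips": sorted({l[3] for l in span})}
    return alerts

if __name__ == "__main__":
    for key, burst in flag_launch_bursts(SAMPLE_EVENTS).items():
        print(key, burst)
```

The routine build key, which launches two instances twice a day, stays below both limits; the thresholds should be tuned to each account's normal launch pattern before alerting on them.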


Francis Dinha is the CEO and co-founder of OpenVPN, a security-focused open source VPN protocol. With more than 50 million downloads, OpenVPN has been in the open source networking space since its founding in 2004. Its Private Tunnel service provides "last mile" security to ...
Comments
AdelaidaP,
User Rank: Apprentice
8/16/2018 | 3:58:21 AM
just
I think you can't be 100% prepared for all.