Vulnerabilities / Threats

8/13/2018
10:30 AM
Francis Dinha
Francis Dinha
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Data Security Landscape Is Shifting: Is Your Company Prepared?

New ways to steal your data (and profits) keep cropping up. These best practices can help keep your organization safer.

The world around online data is changing, and with it the landscape of business is facing an irreversible shift. Not only in terms of regulations — with the European Union's General Data Privacy Regulation enacted — but in the way businesses actually use and have access to data. An increasing number of businesses are moving their data to the cloud, which brings a different set of security issues.

Through the cloud, hackers can shut down your business for weeks — or longer. They can steal not only your data but your resources. Companies often don't take this threat seriously enough. The cloud feels invisible, so we make the incorrect assumption that it's inaccessible. I've seen many powerful companies neglect simple steps — like properly training their staff, having a backup in place, or limiting employees' access — which can make the difference between powerful profits and destruction due to cybercrime.

Thankfully, there are steps you can take to protect your company, and they aren't that complicated. Implement these five best practices to keep your data (and profits) out of the hands of hackers.

1. Make sure your IT staff is highly trained and available. Make sure your IT staff is highly trained and available. Too many companies relegate their IT crew to a dusty office in the back, with no supervision and little training. They're treated as outsiders, usually because they have a different skill set and a different goal than the rest of the team — they're there to support the company, rather than expand the company like sales or product development. Because of this, IT faces the same kind of problems people in other supportive departments, like HR, face: they're taken for granted, denied the resources they need, and sometimes even unfairly blamed when something related to their department goes wrong.

But these supportive departments are vital to your company's functioning, and you neglect them at your peril. The IT world is constantly shifting, so the training for your employees needs to be updated constantly if you want them to succeed. Provide them with the right resources and ever-updated training, and you'll find yourself with an IT team ready and able to support your employees and protect your data. Proper training means your IT staff will see the incoming problems before they arrive — and, for the problems that do come, your IT team will be well equipped to handle them.

2. Educate your regular staff and develop a company-wide policy. Once your IT staffers are highly trained, you can rely on them to develop a company-wide security policy that you can implement and enforce. Many details will depend on your company and industry, but there are a few basic practices that every company should employ.

  • Create a process everyone knows how to follow, including a two-factor authentication system, strong passwords, and access to a private network.
  • Don't let your employees use their personal phones for company work. But if you do, have the right certificates installed on their devices.
  • Put up all walls to protect employees from hacking, and make them a standard part of your company policy — one that your employees understand, are trained in, and can implement. Having the best security tech in the world will mean nothing if your staff isn't taking it seriously.

3. Everything is on a need-to-know basis. Your employees do not need access to everything — they only need access to what's relevant to them. Policy comes into play here again: Make sure each level of access is protected by two-factor authentication and strong passwords, and work with your IT team to see that everyone has the access they need — but no more.

4. Back everything up. Yes, this step may seem basic, but I've seen plenty of otherwise savvy executives avoid it. They don't want to deal with the work of creating a backup to all their data, all their code, all their important financial info — it feels like a hassle, but it's absolutely essential. You're at risk of losing an incredible amount of work if you don't have a backup to turn to in case of an emergency. What's more, make sure you back it up somewhere private. Don't simply rely on Google Drive! On top of all this, charge your IT team with having their own backups and regularly taking snapshots of their work. There are plenty of tools available to make this simple; just make sure your IT staff really is using them. Then, of course, make sure all those backups are private and insulated extensively from attack.

5. Prepare for the worst. No matter how much you prepare, there will always be risk involved with any kind of online data storage. Inherent risk means you must be inherently prepared. Have a disaster recovery plan in place, ready to go if a hacker destroys your data. Recovery from this kind of attack is all about speed — the longer your company is down, the greater the damage will be long-term. No insurance or reparations can make up for the potential business your company loses when it's out of commission — which means a speedy recovery, more than anything else, determines whether a company will be able to bounce back. Use the backup you developed to rebuild and relaunch your programs; make it automated if possible. Set a plan in place so that, when the worst happens, you can turn it around quickly, efficiently, and effectively.

If hackers have your company as a target, they'll either want to attack you and bring your network down or they're simply after financial gains. Many hackers will try to gain access to your Amazon cloud account, steal the key, and launch a prolific amount of CPU usage, just to mine it for digital currency. Every day they develop more strategies, and every day they find new incentives. But whatever the goal, a cyberattack can mean the loss of profits, or worse, a permanent shutdown of your entire company. As our data and business landscape shifts and changes with developing technology (and corresponding government policies), make sure you and your team are prepared to ride any wave that comes your way.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Francis Dinha is the CEO and co-founder of OpenVPN, a security-focused open source VPN protocol. With more than 50 million downloads, OpenVPN has been in the open source networking space since its founding in 2004. Its Private Tunnel service provides "last mile" security to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AdelaidaP
50%
50%
AdelaidaP,
User Rank: Apprentice
8/16/2018 | 3:58:21 AM
just
I think you can't be 100% prepared for all.
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Why Password Management and Security Strategies Fall Short
Steve Zurier, Freelance Writer,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8584
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC), aka "Windows ALPC Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers.
CVE-2018-8588
PUBLISHED: 2018-11-14
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8...
CVE-2018-8589
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys, aka "Windows Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2.
CVE-2018-8592
PUBLISHED: 2018-11-14
An elevation of privilege vulnerability exists in Windows 10 version 1809 when installed from physical media (USB, DVD, etc, aka "Windows Elevation Of Privilege Vulnerability." This affects Windows 10, Windows Server 2019.
CVE-2018-8600
PUBLISHED: 2018-11-14
A Cross-site Scripting (XSS) vulnerability exists when Azure App Services on Azure Stack does not properly sanitize user provided input, aka "Azure App Service Cross-site Scripting Vulnerability." This affects Azure App.