Enterprise data leak scandals are unfortunately becoming far too common: not a week goes by without a new incident in the media, from TalkTalk to SWIFT and the Panama Papers.
Here are 5 basic recommendations that can help you minimize the risks:
1. What to secure.
Enterprise data is always important, but some of it is more sensitive than the rest (e.g. strategic plans, client information). Identifying it is step 1. Note also that some data from day-to-day operations, while merely useful internally, can be far more valuable to an outsider (e.g. client KYC information).
Some enterprises take a blanket approach and protect all their information under a single one-rule-fits-all policy. The reality is that some of the data needs to be protected much more carefully, and a uniform policy ends up either too weak for the crown jewels or too expensive to apply everywhere.
So it is important to determine which categories of data within your organization are the most sensitive and to take additional steps to secure them. Although it may seem a cumbersome task, it is far easier than dealing with the consequences of a data leak.
2. Authentication with a focus on User Experience.
The secret is Multi-Factor Authentication, which rests on the three musketeers of data security: "what you know", "what you have" and "what you are". Best practice is to require at least 2 of the 3 for any access to sensitive information. For example, the combination of a password ("what you know") and a token ("what you have"), or of a password ("what you know") and a biometric such as a fingerprint ("what you are"), provides the appropriate level of security. Two factors from the same category (a password plus a security question, say) are both "what you know" and do not count as multi-factor. Getting authentication right is step 2.
This substantially raises the level of security and has become the standard for financial institutions and engineering firms. Most users, however, find it secure but not very user friendly. The good news is that recent developments in the field now let enterprises provide multi-factor security with a much better experience for their clients and staff. Given the choice between convenience and data security, people will choose convenience, hence the importance of making security user friendly.
3. Access control.
Access control is critical to data security. Properly defining who has access to which types of sensitive information, and granting no more than each role needs, is step 3. Once in place, access rights need to be reviewed regularly, because employees change roles within the organization or simply leave, and rights granted for a previous role tend to accumulate rather than be removed.
There are many stories of employees leaving a firm yet being able to log in to its systems for months afterwards because their credentials were never revoked. Tie de-provisioning to the HR leaver process so that this does not happen to you.
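The leaver story above is one of the standard findings of a periodic access review; the others are dormant accounts, movers who kept the rights of a previous role, and orphaned accounts that nobody owns. The block below is an added example for this page, not code from the article or from APrivacy. It reconciles a constructed HR roster export against a constructed account-and-group export and flags all four cases. The CSV layouts, the department-to-group entitlement policy and the 90-day dormancy threshold are assumptions for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (not real data): an HR roster and an account/entitlement dump.
HR_ROSTER_CSV = """employee_id,name,department,status,end_date
E100,Alice,Finance,active,
E101,Bob,Engineering,left,2016-02-15
E102,Carol,Legal,active,
E103,Dave,Legal,active,
"""

ACCOUNTS_CSV = """username,employee_id,last_login,groups
alice,E100,2016-05-30,finance-ro;vpn
bob,E101,2016-05-20,eng-admin;vpn
carol,E102,2016-01-03,legal;client-kyc
dave,E103,2016-05-29,finance-ro;legal;vpn
svc-backup,,2016-05-31,backup
"""

# Assumed least-privilege baseline: the groups each department is allowed to hold.
ALLOWED_GROUPS = {
    "Finance": {"finance-ro", "vpn"},
    "Engineering": {"eng-admin", "vpn"},
    "Legal": {"legal", "client-kyc", "vpn"},
}
DORMANT_AFTER = timedelta(days=90)  # assumption: 90 days without a login is dormant


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv, accounts_csv, today, allowed=ALLOWED_GROUPS, dormant_after=DORMANT_AFTER):
    """Return (username, finding) pairs for accounts that should be revoked or trimmed."""
    people = {row["employee_id"]: row for row in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        user = acct["username"]
        owner = people.get(acct["employee_id"])
        groups = set(filter(None, acct["groups"].split(";")))
        last_login = date.fromisoformat(acct["last_login"])

        if owner is None:
            # Nobody in HR owns this account, so nobody will ever trigger its removal.
            findings.append((user, "orphaned: no owner in HR roster"))
            continue

        if owner["status"] != "active":
            end = date.fromisoformat(owner["end_date"])
            findings.append((user, f"leaver: owner left {(today - end).days} days ago, account still enabled"))
            if last_login > end:
                findings.append((user, "leaver: account used after the owner's end date"))
            continue

        if today - last_login > dormant_after:
            findings.append((user, f"dormant: no login for {(today - last_login).days} days"))

        # Mover check: rights beyond what the owner's current department is entitled to.
        excess = groups - allowed.get(owner["department"], set())
        if excess:
            findings.append((user, "excess entitlement: " + ", ".join(sorted(excess))))
    return findings


def run_review(today_iso="2016-06-01"):
    """Run the review over the constructed sample data as of the given date."""
    return review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12s} {finding}")
```

Feeding it real exports means replacing the two CSV strings with the HR system's leaver report and the directory or application's account dump; the findings list is then the review's input, and the leaver entries are the ones to action the same day.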
4. Encryption keys rather than encryption.
Everyone talks about encryption and about their algorithms, but key management, which is what actually determines whether the encryption protects anything, is often forgotten. That's step 4. There is no point in putting the best locks on the doors of your house if you leave the keys in the mailbox.
Yet many enterprises still store their encryption keys in ordinary folders, unencrypted, next to the data they protect and readable by far more people than need them. Whilst the industry may be moving towards keyless key management with some of the latest developments in the field, the reality is that most enterprises still rely on traditional public/private key infrastructure (PKI) and certificate management set-ups. Whatever the set-up, the practical questions are the same: are keys kept separate from the data (ideally in an HSM or a key management service), who can read them, are they rotated, and is their use logged?
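A practical check that follows from this is to walk the folders where keys live and flag what is most often wrong with "keys in a folder". The block below is an added example for this page, not APrivacy's code or the article's own. It builds a constructed sample key store of placeholder PEM files (no real key material) and audits it for private keys that are unencrypted on disk, readable by group or others, or older than an assumed one-year rotation period. The directory layout, the PEM-header heuristics and the rotation period are assumptions for illustration.

```python
import os
import stat
import tempfile
import time

MAX_KEY_AGE_DAYS = 365  # assumption: keys are rotated at least yearly


def is_private_key(text):
    """PEM private keys start with a BEGIN line ending in 'PRIVATE KEY-----'
    (RSA, EC, PKCS#8 and encrypted PKCS#8 all match)."""
    return any(line.startswith("-----BEGIN") and line.rstrip().endswith("PRIVATE KEY-----")
               for line in text.splitlines())


def is_encrypted_pem(text):
    # PKCS#8: "-----BEGIN ENCRYPTED PRIVATE KEY-----"; legacy PEM: a "Proc-Type: 4,ENCRYPTED" header.
    return "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text


def audit_key_store(root, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (relative path, finding) pairs for every private key under root."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    head = fh.read(4096)  # headers sit at the top of a PEM file
            except OSError:
                continue
            if not is_private_key(head):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((rel, f"readable by group/others (mode {stat.S_IMODE(st.st_mode):04o})"))
            if not is_encrypted_pem(head):
                findings.append((rel, "unencrypted private key on disk"))
            age_days = (now - st.st_mtime) / 86400
            if age_days > max_age_days:
                findings.append((rel, f"not rotated for {int(age_days)} days"))
    return findings


def build_sample_store(root, now):
    """Write constructed placeholder PEM files (no real key material) into root."""
    samples = {
        # relative path: (content, file mode, age in days)
        "good/app.key": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nplaceholder\n"
                         "-----END ENCRYPTED PRIVATE KEY-----\n", 0o600, 30),
        "shared/legacy.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\n"
                              "placeholder\n-----END RSA PRIVATE KEY-----\n", 0o644, 400),
        "shared/backup.key": ("-----BEGIN PRIVATE KEY-----\nplaceholder\n"
                              "-----END PRIVATE KEY-----\n", 0o600, 10),
        "shared/README.txt": ("Keys for the backup job live here.\n", 0o644, 10),
    }
    for rel, (content, mode, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))


def audit_sample():
    """Build the constructed store in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        now = time.time()
        build_sample_store(root, now)
        return audit_key_store(root, now)


if __name__ == "__main__":
    for rel, finding in audit_sample():
        print(f"{rel:20s} {finding}")
```

Pointing `audit_key_store` at a real application directory is cheap and usually instructive; the unencrypted-key finding in particular is the "keys in the mailbox" case, and the fix is to move that key into an HSM or key management service rather than to tighten its file mode.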
5. People, People, People.
Your staff are the most important and potentially the most vulnerable link in the security chain. Many data leaks happen because of staff ignorance (e.g. social engineering, phishing), staff mistakes (e.g. sending information to the wrong email address, leaving sensitive information unsecured) or outright misconduct (e.g. selling sensitive information). So focus on your staff; that's step 5.
You can have the best cyber security tools, but if your staff's passwords are written on post-it notes stuck to their laptops, or if staff send sensitive information over public Wi-Fi (e.g. airports, coffee shops) without a VPN or another encrypted channel, then it is all useless. Provide proper internal training and regular reminders to your staff.
Once again, although the latest technologies in the field are moving towards behaviour analysis to detect unusual activity and, ideally, a breach before it happens, the human component is and will always remain critical.
Digital Security Perfected – APrivacy Ltd. is an award-winning company which combines military-grade data security with a seamless user experience on any platform, any device, anywhere. APrivacy Ltd.’s enabling technology now allows the financial services industry to confidently communicate with clients using their favourite channels leading to increased revenues and reduced costs while meeting the strictest regulatory requirements.