Today's SMBs are generally more security-conscious than their 20th-century counterparts, and actively take steps to prevent data loss. Unfortunately, however, mistakes are still made at the employee level that are seldom accounted for when designing protocols.
In the '80s, the 'hilarious' free cupholder email prank (with an executable attachment) kicked out the tray of an employee's optical drive. They all laughed as IT professionals cringed, knowing full well this innocuous result could spread a virus throughout their network and yield a loss of data from keyloggers. Well, they probably wouldn't laugh today.
Unfortunately, while today's users are often savvy enough not to launch executable files received by email, little has changed and human error remains the most common cause of data breaches. In fact, it was responsible for over 90 percent of all reported breaches in the Verizon 2015 Data Breach Investigations Report. Replacing the workforce is impractical for a growing business, so the IT infrastructure itself has to be made resilient to these mistakes. One approach is to form a risk management team that trains employees according to a defined company security policy. The team can then perform regular risk assessments to identify potential weaknesses and lock each one down, amending the policy as new threats are identified.
Complicated by new technology, increasing data volumes, bring your own device (BYOD), mobility, the cloud, Internet of Things (IoT) and more, the threat landscape is increasingly difficult to manage. But it's easy to classify.
Unintentional and Internal
This is generally an issue of workforce literacy. Adherence to the company's security policy and making staff aware of cybercriminals' most common attack methods can substantially reduce this problem. Where to focus? Your policy may already cover some of these areas:
- Due diligence when opening email attachments
- Awareness of phishing red flags
- Use of the public cloud or mobile apps that aren't company-approved
- Weak account passwords that are never changed. Social engineering on social media (or other public sources of personal data) can lead an attacker to one's 'secret' password or the answer to a security question
- The loss or theft of a physical device, such as a smartphone
- Low- or no-tech methods such as dumpster-diving, shoulder-surfing or poor building security that allows for direct network access
Intentional and Internal
This is more difficult to deal with, given the countless methods available to disgruntled staff for sharing and gathering data. Think about audio and video via mobile devices, as well as cloud storage, unified communications (UC), file sharing, free email accounts and more. Even a simple printout of account passwords can result in data loss.
It goes without saying that firewalls, threat intelligence systems, antivirus software and the like should be in place. It's also important to monitor network traffic for anomalies and to ensure that any file transfers taking place are protected, encrypted and access-controlled by employee role, usually with an audit trail for compliance purposes. When correctly configured, your file transfer solution should integrate with your data-loss prevention system and allow an interrupted transfer to be resumed. Application updates and security patches should also be installed promptly and on a regular schedule, as attackers are quick to exploit vulnerabilities in outdated software.
Fires Start Small and Hard Drives Aren't Perfect
Data loss is not limited to the actions of the malicious or ill-informed; there are also hardware issues to consider. Like cybercrime, hard-drive failure will happen; it's just a matter of when. Keeping all your data in one place is never recommended and, in the event of a natural disaster (fire, flood, you name it), both onsite and offsite backup is essential.
Old hard drives may make attractive coasters or works of art, but remember: most of them, even if fire- or water-damaged, can be recovered using skilled data forensics techniques. When donating computers to charity or a local school, it's best to degauss or physically destroy hard drives if they've ever contained confidential data. Your donation may not be as well received, but your data stays secure.
Preventing data loss is an ongoing task, and regular staff training is necessary as new threats appear daily. Only by staying vigilant can companies protect themselves and avoid penalties from government or industry bodies for non-compliance.