3rd November 2017
Any business that holds data, in any industry, needs effective data protection and security measures. Even with the best systems in the world, mistakes and breaches still occur. One way to reduce the risk is through employee awareness, and by adopting and implementing good practice to avoid common pitfalls. Here we outline eight of the most frequent hazards that lead to a data security breach.
1) Ransomware
Ransomware is often in the headlines: malicious software that encrypts or locks your systems and holds them “captive” until you pay a ransom. Simply clicking on the wrong link or opening the wrong attachment can leave you with a system that has been locked down. Clearly this can be very damaging, both through loss of business and the cost of any ransom paid (paying is never wise, and does not guarantee you get your data back, but that is another story).
So how can you avoid it? The best defence is layered: keep operating systems and applications patched, run up-to-date anti-malware and firewalls, and, above all, keep backups. That way, if your systems are hijacked, you can rebuild them from the backup rather than negotiate. Two caveats matter here. Backups must be kept offline or otherwise out of reach of the compromised network, because ransomware will happily encrypt a backup drive that is permanently connected; and a backup that has never been restored is only a hope, so test restores regularly. Without a working, isolated backup you have a serious problem. Ransomware is hard to spot in advance, so it is vital to be in a position to recover if an attack does occur.
There are a few things to look out for. Beware of suspicious-looking emails, unfamiliar or inconsistent sender addresses, and links whose visible text differs from the address revealed when you hover the mouse over them. Also look out for poor spelling, odd wording, a false sense of urgency and unexpected attachments. If you are not expecting an attachment or a request from someone, don’t be afraid to call them, on a number you already hold rather than one given in the email, before opening it or clicking on a link.
2) Phishing and spear-phishing
Phishing is where someone purports to be from a company, such as a utilities provider or bank, and asks for your security information or bank details in the hope that you hand them over. Phishing is scattergun, a numbers game played against thousands of recipients; spear-phishing is targeted. Here, criminals identify a specific individual as vulnerable or as having access to valuable information, and tailor the message to that person using details gathered from the company website, social media or earlier correspondence.
You can also fall victim to spear-phishing without being approached yourself. Fraudsters will sometimes study the email and communication style of a business owner or finance director, then mimic it, often from a look-alike domain or a compromised mailbox, to contact staff or clients and request payments or financial details. Any request to change bank details or make an unusual payment should be confirmed by phone with the requester, on a known number, before it is acted on.
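The tells listed in the “things to look out for” paragraph above can be checked mechanically before anyone clicks. The script below is an added example for this page, not code from the original article: the message it inspects is constructed for the example and every domain in it is made up. It flags three of those tells in a raw email: a display name that shows a different address from the real sender, a Reply-To on another domain, and link text naming one site while the href points at another (what hovering over the link would reveal).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the example (not a real phishing email).
# Display name shows one address, the real sender is on another domain,
# replies are redirected elsewhere, and the first link's visible text names
# a domain that differs from where the href actually points.
SAMPLE_EMAIL = """\
From: "security@examplebank.com" <alerts@mail-verify-example.net>
Reply-To: <collect@another-domain.org>
To: finance@example.com
Subject: Urgent: confirm your account detials
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customre, please confrim your details at
<a href="http://login.mail-verify-example.net/auth">https://www.examplebank.com/login</a>
or read our <a href="https://www.examplebank.com/help">help pages</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. A public-suffix list would be needed
    to handle co.uk-style domains properly; kept simple for the example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def host_in_text(text):
    """Hostname of a URL or bare domain written in free text, or None."""
    m = re.search(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", text)
    return m.group(1) if m else None


def phishing_indicators(raw_message):
    """Return indicator strings for a raw RFC 5322 message; [] means none fired."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""

    # 1. Display name that looks like an address on a different domain.
    shown = host_in_text(display_name)
    if shown and registered_domain(shown) != sender_domain:
        findings.append(f"display name shows {shown} but the sender is {sender}")

    # 2. Reply-To on another domain: answers go somewhere other than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and registered_domain(reply_to.rsplit("@", 1)[-1]) != sender_domain:
        findings.append(f"Reply-To {reply_to} is not on the sender's domain")

    # 3. Link text naming one domain while the href points at another.
    payload = msg.get_payload(decode=True) or b""  # None for multipart; single part here
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href).hostname
        visible = host_in_text(text)
        if target and visible and registered_domain(visible) != registered_domain(target):
            findings.append(f"link text says {visible} but points at {target}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Run against the sample it reports all three indicators; a plain internal message with a matching link produces none. The domain comparison is deliberately on the registered domain rather than the full hostname, so a link to `help.examplebank.com` shown as `www.examplebank.com` is not flagged.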
3) BYOD
BYOD, or ‘bring your own device’, is a symptom of our predilection for mobile technology, and refers to connecting personal devices to business networks and data. Although it is incredibly useful and convenient, it poses a threat if your employees’ devices are not covered by the same controls as company equipment: unpatched phones, no screen lock, no disk encryption and no way to wipe the device if it is lost.
If you want to allow the freedom of BYOD, make sure devices are enrolled, monitored and policed: this may mean restricting employees to certain devices or applications, requiring a passcode and encryption, and keeping the ability to wipe business data remotely. Similar issues affect portable business hardware, laptops and flash drives for example. If hardware circulates freely in and out of your IT estate, it is hard to track activity and security. One way to reduce this risk is to have any personal device set up and checked by your IT staff before it touches business data. Putting proper steps in place leaves less excuse, and less opportunity, for a breach.
Additionally, consider whether your business needs to allow the use of removable media such as USB sticks; many businesses disable USB storage unless there is a clear reason to allow it, and encrypt the drives they do permit.
4) Hardware misuse
If you leave your desk with your computer unlocked, anyone can walk up and use it under your identity. To protect against this, embed good practice in the workplace: workstations must be locked whenever an employee steps away, with an automatic lock after a few minutes of inactivity as a backstop.
The same goes for physical security: employees must take extra care against theft or loss of hardware when out and about, on public transport for example, and laptops and phones should be fully encrypted so that a lost device is an inconvenience rather than a reportable breach. Speaking of transport, another common breach happens when working on a train: if confidential material is on display, others can read it, and that can be a flagrant breach of data protection in its own right.
5) Privilege misuse
Privilege misuse is when someone accesses information they should not. Unless there is a good reason, not everyone should have access to every part of the business’s network. It is straightforward to ring-fence sensitive files with access controls, group permissions or access control lists on the shares and folders concerned, so that they are only available to those with a genuine need to know.
It is common to share laptops and computers, particularly when using someone’s desk while they are away, but helping yourself to a colleague’s logged-in desktop also means using that person’s privileges, and anything you do is recorded under their name.
Take a cautious approach and make sure information is accessed only where there is a business need. Even small businesses need to bear this in mind, particularly as the business grows and employees join, change role and leave: review who has access to what at each of those points.
6) ‘Fat fingers’
The so-called ‘fat fingers’ phenomenon has been known to cause problems throughout all industries. People make mistakes, and emails and files get sent to the wrong recipient. With email clients increasingly keen to autocorrect and autocomplete what we type, it is easy to pick the wrong address from a drop-down, which can have serious implications.
The easiest way to protect against this is to embed good practice across the business. Encourage employees to fill in the recipients only once an email has been completed and reviewed, then check the addresses again before sending, state the confidentiality level, and make clear if emails or attachments must not be forwarded. Where the mail system supports it, a warning when a message carrying a confidential marking is addressed outside the business catches many of these slips before they leave.
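The “check the addresses again before sending” step can be backed by a pre-send check of the kind a mail gateway or client add-in would run. The code below is an added example, not from the original article; the trusted-domain list, the addresses and the draft are all made up for illustration. It flags recipient domains that are only a couple of edits away from a known domain (the autocomplete-picked-the-wrong-entry case) and, when the draft is marked confidential, any recipient outside the known domains.

```python
from email.utils import parseaddr

# Assumed for the example: the firm's own domain plus the domains of known
# counterparties, maintained by IT. Not part of the original article.
TRUSTED_DOMAINS = {"example.com", "clientco.co.uk"}


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions and substitutions
    needed to turn a into b (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipients(recipients, confidential, trusted=TRUSTED_DOMAINS, max_typo_distance=2):
    """Warnings for a draft before it is sent.

    recipients:   To/Cc/Bcc entries as written in the client ("Name <addr>" or bare)
    confidential: True when the draft is marked confidential or internal-only
    """
    warnings = []
    for entry in recipients:
        _, addr = parseaddr(entry)
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if not domain:
            warnings.append(f"{entry!r}: not a usable address")
            continue
        if domain in trusted:
            continue
        # A domain one or two edits from a trusted one is far more likely to be a
        # typo or a bad autocomplete pick than a genuine new counterparty. The
        # threshold is small on purpose: very short domains would otherwise collide.
        closest = min(trusted, key=lambda t: levenshtein(domain, t))
        if levenshtein(domain, closest) <= max_typo_distance:
            warnings.append(f"{addr}: {domain} looks like a misspelling of {closest}")
        elif confidential:
            warnings.append(f"{addr}: external recipient on a confidential message")
    return warnings


if __name__ == "__main__":
    draft = ["Alice <alice@example.com>", "bob@exmaple.com", "dave@gmail.com"]
    for w in check_recipients(draft, confidential=True):
        print("WARNING:", w)
```

In the sample draft, `alice@example.com` passes, `bob@exmaple.com` is reported as a likely misspelling of `example.com`, and `dave@gmail.com` is reported only because the draft is confidential. A real deployment would load the trusted list from the address book or a gateway policy rather than a constant.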
7) Ex-employees
Ex-employees may feel entitled to take information with them to a new job, such as contact databases, customer lists, trade secrets or recipes. When someone’s employment ends, remove their accounts, access and any company devices or tokens the same day, and change any shared passwords they knew. It is also worth checking whether large amounts of data were downloaded from their user profile in the weeks before they left, and ensuring that contracts make clear what employees are and are not allowed to do with intellectual property and data.
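The “check whether large amounts of data were downloaded” step is a detection that can run over a document store’s download log. The code below is an added example and not from the original article; the log lines are constructed for it and the user names and paths are made up. Rather than a single global threshold, each user’s daily volume is compared with the median of that same user’s other days, so a role that legitimately pulls large files every day is not flagged, while a sudden spike against a small personal baseline is.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data): one line per download from an
# internal document store. jsmith's last day is far outside his own pattern;
# one "view" line is included to show that non-download events are ignored.
SAMPLE_LOG = """\
2017-10-30T09:12:01Z user=jsmith action=download path=/crm/q3-report.pdf bytes=412000
2017-10-30T11:40:22Z user=mjones action=download path=/hr/policy.pdf bytes=200000
2017-10-31T10:02:13Z user=jsmith action=download path=/crm/notes.docx bytes=380000
2017-10-31T15:18:45Z user=mjones action=download path=/hr/handbook.pdf bytes=950000
2017-11-01T08:55:09Z user=jsmith action=download path=/crm/minutes.docx bytes=450000
2017-11-01T12:00:00Z user=mjones action=view path=/hr/policy.pdf
2017-11-01T16:03:30Z user=mjones action=download path=/hr/forms.zip bytes=600000
2017-11-02T09:30:00Z user=mjones action=download path=/hr/policy.pdf bytes=200000
2017-11-02T18:21:07Z user=jsmith action=download path=/crm/all-contacts.csv bytes=52000000
2017-11-02T18:22:40Z user=jsmith action=download path=/crm/pricing-master.xlsx bytes=31000000
2017-11-02T18:25:13Z user=jsmith action=download path=/sales/pipeline-export.csv bytes=44000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=download path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def daily_totals(log_text):
    """Return {user: {day: [bytes, file_count]}} from download lines only."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # view events, blank lines or unparseable records are skipped
        day = m["ts"][:10]  # ISO timestamp prefix: YYYY-MM-DD
        entry = totals[m["user"]][day]
        entry[0] += int(m["bytes"])
        entry[1] += 1
    return totals


def bulk_download_alerts(log_text, ratio=10, floor_bytes=10_000_000):
    """Return (user, day, bytes, files) for each day on which a user's download
    volume exceeds both an absolute floor and `ratio` times the median of that
    user's other days. A user seen on only one day has no history, so only the
    floor applies; the floor stops tiny baselines turning one PDF into an alert."""
    alerts = []
    for user, days in daily_totals(log_text).items():
        for day, (nbytes, count) in sorted(days.items()):
            others = [b for d, (b, _) in days.items() if d != day]
            baseline = median(others) if others else 0
            if nbytes >= floor_bytes and nbytes > ratio * baseline:
                alerts.append((user, day, nbytes, count))
    return alerts


if __name__ == "__main__":
    for user, day, nbytes, count in bulk_download_alerts(SAMPLE_LOG):
        print(f"ALERT {user} {day}: {count} files, {nbytes / 1e6:.0f} MB")
```

On the sample, `jsmith` is reported for 2017-11-02 (three files, 127 MB against a baseline of roughly 0.4 MB a day) and `mjones` is not reported at all. The same query, run over the weeks before a resignation date, is the check the paragraph above describes.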
8) Industrial espionage
Somewhat dramatic sounding, industrial espionage may not be a problem for many people, but it can happen to anyone. It is most commonly carried out by current or former employees, so screen people properly before they join, and restrict their access to the information they need for their day-to-day job. Also, beware of letting people wander freely through your physical or digital premises, whether an unescorted visitor or a contractor account that was never closed; it is always better to err on the side of caution.
With all of these pitfalls, it is important to spread awareness throughout your workforce and to have clear protocols and guidance in place. It is unwise to assume your business will remain safe, or that you are too small to appear on fraudsters’ radars; it is just a numbers game. Criminals are constantly looking for someone to target, so you need to put preventative measures in place and minimise the consequences if you do fall victim.
If you’d like to discuss any of the issues covered here, or receive advice on data protection, please get in touch with Greame Fearon.