Data breaches are on the rise going into 2018, and they are wreaking havoc on businesses across the globe. There are three simple, inexpensive steps you can take towards protecting your business from data breaches:
- Conduct an Internal Security Audit
- Increase Employee Security Awareness
- Invest in a Password Manager to Encourage and Enable Employee Behavior Changes
It’s impossible to say with 100% certainty that breaches can be prevented. However, your goal and your job is to make them as difficult as possible on the perpetrators.
There is a misconception that preventing data breaches requires highly-expensive tools and software, and an extremely deep understanding of security protocols. While those expensive tools and software are valuable for larger organizations and more security-sophisticated small organizations, the truth is that taking the first steps to breach-prevention simply requires time, focus, and a dedication to changing organizational behavior.
Here are the three simple, inexpensive steps to protecting your business from a data breach:
Step One: Conduct an Internal Security Audit
If you want to identify the areas of your organization that need attention, conducting an internal security audit is the best place to start.
Begin by listing your most valuable assets, like sensitive customer data or physical data stores, and build a “security perimeter” around those assets. A security perimeter means that you intend to focus your audit on those particular valuable assets only.
Write down potential threats for each asset within your security perimeter. Once you assess your organization’s current ability to defend against specific threats, you need to score each threat in terms of how likely it is to happen and how much it would cost to recover from.
Now you have a prioritized list of threats that need to be attended to, and you have to get to work on devising strategies to protect your business from data breaches and other threats. Keep in mind that an internal security audit isn’t a one time thing – it’s a process that’s intended to be built upon over time in order to measure improvements and scale solutions.
The importance of this exercise should be stressed to executives, as it is the first step in securing your organization. Remind them that a single data breach can mean life or death for their company.
Step Two: Increase Employee Security Awareness
Your employees are the weakest link in your organization’s security. Whether it’s security best-practices or an orientation on the dangers of phishing, it’s your job to to engender a security-first mindset among all your employees. There are tools available, like PhishMe and KnowBe4, to help businesses with cybersecurity training and awareness.
According to The Global State of Information Security Survey 2018 from PwC, nearly 50% of executives said they do not have an employee security awareness training program. You don’t want to be part of that 50%.
Nearly 50% of executives said they do not have an employee security awareness training program…
You don’t want to be part of that 50%.
Budget restrictions holding you back? Become immersed in the ins and outs of security awareness training.
Create your own training that goes through the most prevalent causes of data breaches and how employees can play a part in prevention — for example, illustrate to employees what a phishing attack looks like, and emphasize the importance of double-checking before clicking on an attachment or link.
As the security expert in your organization, the importance of software updates might be obvious to you — but updates are useless unless your employees understand their value and actually execute them every time they’re available. You can explain that software updates are a critical, often overlooked area where employees can make a difference in maintaining network security.
Make this training a part of employee onboarding for every new member of your organization, and make sure to update existing employees monthly about the latest tips and tricks to turn negligent employees into security advocates.
From the New York Times: “Among the simpler precautions small businesses and consumers alike can take [to prevent data breaches] is to create strong passwords. That has long been the advice of security experts but many say it is stunning how many people and small businesses fail to heed the advice.”
“Among the simpler precautions small businesses and consumers alike can take is to create strong passwords. That has long been the advice of security experts but many say it is stunning how many people and small businesses fail to heed the advice.”
– New York Times
“Don’t use default passwords as doing so makes criminals’ lives much easier.”
- Password managers allow employees to use complex, unique passwords everywhere, because they only need to remember one master password. Employees can also share passwords securely, instead of writing down passwords on paper, in plain-text emails, or in unprotected documents.
“If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned. Those are two things you shouldn’t have to worry about.”
- Password managers enable businesses to eliminate password reuse. Employees and admins are notified of password reuse across personal and work accounts, and instructed to remove reused passwords. Additionally, because passwords don’t need to be remembered, employees are encouraged to make complex, unique passwords everywhere instead of defaulting to their go-to password.
“Using default or easily guessable passwords simply will not cut it in today’s world. Implement multi-factor authentication across your enterprise…[especially] for administrative access to web applications and any other devices that are data stores. Reduce the effectiveness of stolen credentials being reused to unlock the door to member or customer information.”
- Password managers enable admins to grant full or limited access to business credentials, and allow admins to group specific passwords together for approved groups of employees or executives. Of course, password managers work in association with (and encourage) two-factor authentication to allow for added layers of protections on highly sensitive accounts.
“Keep an eye on employees and periodically monitor their activities. Do not give them permissions they do not need to do their job, and make sure you disable accounts immediately upon termination or voluntary departure.”
- With a password manager, admins have a bird’s-eye view of who has access to what credentials within the organization. In addition, password managers that force categorize business passwords vs. personal passwords allow admins to easily revoke access to business passwords for employees who leave the organization and grant access to business passwords for new employees on day one.
Interested in learning more about the effects of a potential data breach on your organization? Read our post on every data breach statistics your business needs to know.
Interested in a business password manager to meet your needs and help you defend against data breaches? Check out Dashlane’s business password manager, trusted by over 7,000 businesses worldwide, and lauded by businesses big and small for its effectiveness in changing security behavior and simplicity of design that enables company-wide adoption.