Avoid the "Inside Job" Data Breach
By Stacey Vanden Boogart-Romenesko
The last few years have been filled with highly publicized data breaches. Even if you were not among the hundreds of thousands of victims of these large-scale attacks, you could not miss the media coverage. These breaches have brought the conversation about information security out of the data center and into our homes; recent research shows, however, that this has not translated into awareness of the internal versus external threats to business data. A 2013 Forrester study reported that 58% of data breaches in SMBs stem from inadvertent misuse of data by employees or from simple loss or theft. According to the 2013 Symantec and Ponemon Institute Global Cost of a Data Breach Study, only 37% of data breaches are attributed to malicious attacks; the remaining 63% are human and technology errors. Although the media continues to focus on external threats, such as hackers and malicious viruses that steal intellectual property, we need to turn the spotlight on the internal threats that put our businesses at risk.
As "bring your own device" (BYOD) practices become more commonplace, employees access sensitive business data across many platforms, from cell phones and tablets to home computers and laptops. With mobile technology moving at a breakneck pace, IT managers must navigate an ever-changing landscape of threats across a diverse array of devices in their infrastructures.
The first step in securing data from the inside is to "secure your perimeter." This means not only identifying every endpoint from which employees access your network and data, but also enforcing secure data-handling practices. A written security policy should identify best practices that address security gaps such as:
- Unauthorized or unsecured synchronization software for email, calendar, contacts, etc.
- Unsecured Bluetooth or wireless connectivity.
- Unpatched operating systems (missing service packs), networking equipment, PBX, or internet-facing systems.
- Remote data management (for example, remote wipe) if an employee's personal device is lost or stolen.
- Outdated or non-existent antivirus software.
- Lack of encryption on systems handling web, email, or instant messaging traffic.
While a business can implement BYOD and security policies for devices that access sensitive data, many IT professionals find enforcement much more difficult. This is where employee training becomes important for closing gaps in your infrastructure. In fact, according to the same Forrester report, only 57% of the North American and European SMB employees surveyed were aware of their organization's current security policies, and only 42% had received any training on their workplace's security practices. Employee training can help address:
- Ensuring employees use strong, complex passwords and store them securely rather than on sticky notes or in plain-text files.
- Identifying and avoiding phishing attacks.
- Keeping systems current with patches and updates.
- Following appropriate data management practices so that sensitive data is stored only in approved, secure locations.
Of course, securing the perimeter also means putting up a strong barrier to external attacks. IT professionals can limit exposure to unwanted internet traffic by implementing a firewall with a default-deny inbound policy and opening only the specific ports needed to run the business. Server operating systems such as Microsoft Windows Server include tools to disable unnecessary ports, services, and roles. Segmenting the network with a DMZ for externally facing services, such as email, web, and DNS servers, adds a further layer: a compromised public server in the DMZ cannot reach the internal network directly.
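The host-level part of that hardening (default-deny firewall, an explicit port allow-list, removal of unneeded roles and services, and a check for anything still listening) can be scripted with the tooling built into Windows Server. The following is an added example, not code from the original article or from Aventis Systems; it assumes Windows Server 2012 R2 or later with the NetSecurity and ServerManager modules and an elevated session, and the allow-list entries (HTTPS from anywhere, RDP from an assumed management subnet 10.0.10.0/24) and the feature and service names it removes are placeholders to be replaced with what your own server actually requires.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): hardening an inbound
# perimeter on Windows Server with the built-in firewall and role tooling.
# The allow-list, feature list and service list below are placeholders
# chosen for this example; review them against your own requirements.

# 1. Default-deny inbound on every profile. Outbound stays allowed so
#    patching and antivirus updates keep working; blocked packets are logged.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Open only the specific ports the server needs, scoped by protocol,
#    port and (where possible) source address.
$allowList = @(
    @{ Name = 'Allow HTTPS (web)';       Port = 443;  Remote = 'Any' },
    @{ Name = 'Allow RDP (mgmt subnet)'; Port = 3389; Remote = '10.0.10.0/24' }  # assumed management subnet
)
foreach ($rule in $allowList) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
            -LocalPort $rule.Port -RemoteAddress $rule.Remote -Action Allow -Profile Any
    }
}

# 3. Remove roles and features the server does not need. Audit first with
#    Get-WindowsFeature | Where-Object Installed; these three are examples.
$unneededFeatures = @('Web-Ftp-Server', 'Telnet-Client', 'PowerShell-V2')
foreach ($f in $unneededFeatures) {
    $feature = Get-WindowsFeature -Name $f -ErrorAction SilentlyContinue
    if ($feature -and $feature.Installed) {
        Uninstall-WindowsFeature -Name $f -Remove
    }
}

# 4. Stop and disable services that should not be listening on a hardened
#    server (example set: remote registry and UPnP/SSDP discovery).
foreach ($svc in @('RemoteRegistry', 'SSDPSRV', 'upnphost')) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# 5. Verify: list every non-loopback listener whose port is not on the
#    allow-list, with the owning process. Each row is a finding to
#    investigate (and either remove or explicitly document), not something
#    to silently add a firewall rule for.
$allowedPorts = $allowList | ForEach-Object { $_.Port }
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') -and $_.LocalPort -notin $allowedPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object LocalPort
```

Two caveats a practitioner would add: run step 5 before step 1 on an existing server so you learn what it legitimately serves before the default-deny takes effect (an RDP session that is not covered by an allow rule will be cut off), and note that this script hardens a single host only; placing the web, email, and DNS servers in a DMZ is a decision for the edge firewall and network design, not something the host can enforce on its own.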
Finally, many SMBs may find that a managed services provider (MSP) or cloud provider is a stronger, more cost-effective way to secure their sensitive business data. MSPs and cloud services bring enterprise-class security practices to your mission-critical systems without the overhead or expertise required to implement such technology in-house. Are you ready to minimize the network vulnerabilities that have direct implications for your business? Please consider Security Consulting Services from Aventis Systems. We offer assessment and testing services to proactively identify threats, provide and implement security best practices, and train in-house personnel.