Protect Your Data: Top Ten “Need to Know” Tips
By Dietrich Benjes, VP UK, Ireland and Middle East, Varonis Systems, Inc.
With breaches happening on an almost daily basis, it's critical to establish rules and processes to keep your data safe and secure. The following tips, designed to help you build a sustainable path towards data security, were inspired by the FTC.
Don’t Make Security an Afterthought
Think before you collect. Is it necessary and does it add value to capture personal, sensitive information from your customers and prospects? Or does it just open up additional risk? If you absolutely need to collect sensitive information, don’t hold on to it longer than necessary. Set an “end date” and follow through with securely destroying the info. Security shouldn’t be reactive but proactive.
Stay in Control
If you need to hold on to sensitive data (it’s a business must), then how do you keep it safe from prying eyes – both inside and outside your organization? Answer: limit access. Does your summer intern need wide-open access to corporate IP to do her job? Probably not. Implement a system for periodically reviewing entitlements to ensure people only have access to the information they need. Your auditors will thank you.
Passwords and Authentication, Please
You’ve got sensitive data and want to keep it safe. Requiring complex passwords (by the way, “password” is NOT complex) that include multiple elements (caps, numbers, minimum characters) and changing them on a quarterly basis makes it hard for hackers. Even better: require two-factor authentication, disable access after a specific number of failed login attempts, and protect against authentication bypass to really “up” the proverbial ante.
Share It Securely
Sure, your internal network is secure. But what if you need to share your data outside the firewall? One way to do this securely is with a data file sync and share solution that works with your existing permissions and authentication infrastructure.
Who’s Knocking on Your Door?
Do you know who is accessing what computer at all times? Probably not. So protect yourself – and your sensitive data – in a separate, secure place on your network. Limit access. Even better, continuously monitor your file access activity with a solution that makes it easy to see and address suspicious, unusual behavior before it’s too late.
Isn’t telecommuting great? It allows employee freedom and increased productivity. But it can be a security nightmare. The key idea is to allow remote connections, but restrict the ability to re-login to other desktop and servers. We really want to make it difficult for hackers to leapfrog around your network. This can be accomplished by enhancing security of the Remote Desktop feature in Windows. You can read more about how to do it here.
Keep It Under Wraps
Is your organization developing a hot new product or solution? Have you thought about how your customers will use it and whether it needs to be secure? Make sure your developers are up to scratch with Privacy by Design principles, and the latest best practices in safe coding. In addition, know thy platform security guidelines – no need to recreate the wheel. Finally, testing is key! While not every threat can be anticipated, testing for common vulnerabilities ensure security at the gate.
Who’s Got Your Back?
You probably work with service providers and other contractors. But do they share your passion for security? Make sure your standards are being met by including your security requirements (for example, encryption, two-factor authentication, data retention limits) in contracts and service-level agreements. Remember to stay active and always monitor your controls to ensure that your security expectations are followed and your users aren’t inadvertently exploited.
Make a Plan, Stan
You’re secure – for now. Unfortunately, security isn’t static and so to remain compliant you’ll need to stay on top of your systems and technology. This means making a plan that includes monitoring third party software, performing updates, and faithfully implementing patches. In addition, pay heed to security warnings and notifications! Develop an action plan! If a vulnerability has been exposed, be proactive and take the steps necessary to protect your data!
Network security is critical. But what about computer hardware, as well as paper files and all the miscellaneous stuff that makes up a typical office environment? Does your company have a security policy for the non-virtual world? Rule #1: keep important papers and other physical IP in a secure place (locked file cabinets, secured server rooms, etc.). Laptops should have secure-login and hardware-level password protection set. What about old computers, servers, tapes, and disk drives? What may appear as trash to you could be a gold mine to hackers.