In recent years, news coverage of high profile data breaches resulted in the assumption that data heists are always sophisticated efforts by devious hackers in far-off lands. The reality is much more plain.
According to a recent study by Securis, simple employee error causes 25% of data breaches. If your team spends all its time anticipating black swan events, it’s easy to overlook everyday safeguards. Organizations need to take the necessary steps to keep data secure in a fast-moving business environment. In some jurisdictions (EU), a designated Data Protection Officer oversees the day-to-day management of organizational data security processes.
First: Think Physical.
Imagine you’ve spent months testing your infrastructure. You’ve ensured your site has the necessary certificates and building the protocols to store data securely and anonymously. Then, someone from marketing leaves a USB stick on the table of a coffee shop. And just like that, all the hard work gets undone in an instant.
Technical teams can think beyond the way data is stored. They can think through the way their team members, mainly non-technical team members, access and transport company data. Take responsibility by educating those who are ignorant. Teach their non-technical team members the level of caution needed when handling this precious resource.
In real terms, this means workshopping and hosting seminars to educate the rest of the organization around best practices and warned of the consequences that can occur when casual attitudes prevail.
Second: Keep Access Control Granular.
Despite your best efforts, technical teams must understand that every employee constitutes a security risk and a potential access point for data thieves. Consequently, organizations should work to make data access as granular as possible.
No one team member should have access to anything more than the data that is necessary to do their job. An “all-or-nothing” access policy avoided at all costs. Also, you can apply this philosophy to development work and third-party services and applications.
Not only are password management tools and critical vaults essential for your developers, but you should and must limit access for individual services and systems. Limit access to the data necessary to complete the function performed only.
Third: Password Policies Matter.
If your organization has thought proactively about the previous two priority points, you’ll also need to remember the fact that passwords are the first line of defense. Passwords are the most vulnerable access point to security breaches.
Build password protection into your company’s IT architecture to increase security for every employee and customer. Risk drastically reduces by providing customers and staff with a two-factor authentication login procedure. Furthermore, passwords to company networks and systems become safeguarded with 2FA and encryption at all times.
Fourth: Use Regulations As A Guidepost.
The landscape is ever-evolving. Companies loathe sharing the inner-workings of their data systems with the world. SME’s becomes challenged when gauging whether they have taken the appropriate steps to safeguard customer and business data.
Here, it can be useful to compare your policies against the regulations laid out in frameworks like the GDPR, the CCPA, and HIPAA. These regulations are laws of their lands. They are also a good summary of the minimum level of performance and security that organizations need to be building into their data infrastructure. What’s more, they’re not all that complex, particularly if you have experience with the subject matter.
We encourage developers to go straight to the source and familiarize themselves with the articles of the GDPR as a handy starting point for thinking about data security.