You will have heard terms such as ‘data breach’ and ‘cyber-attack’ being used more and more in recent years, with cyber-crimes often reported across local and global news. As our reliance on technology has grown, data breaches have become commonplace. Thieves and fraudsters are no longer just the cliché shady characters sneaking around after dark.
The UK Government’s 2021 Cyber Security Breaches Survey states that 39% of businesses and 26% of charities have experienced a cybersecurity breach in the last year. This figure rises to a staggering 64% amongst large businesses, and 51% amongst high-income charities. Despite this, only 31% of businesses and 27% of charities have a business continuity plan that covers cybersecurity.
So, what can we do to keep our data safe?
The key to any solution is identifying that there is a problem. There are many causes of data breaches, but the most common cause is human error within company walls. Information storage devices being lost or stolen is an example of this. Senior managers may not prioritise prevention methods. Innocent slip-ups such as failing to use blind copying when interacting with a mailing list are also considered a data breach. While these may be honest mistakes, this inattentiveness poses a serious risk of a data breach.
To prevent a data breach, everyone in a company must understand their responsibility to protect sensitive information. Outlined below are ten steps all businesses can take to help protect themselves from data breaches in the workplace.
Tip 1 – Use Online Protection
As we’ve mentioned, data breaches occur in a large number of businesses and charities. No organisations are invulnerable to an attempted attack. One way these attacks happen is through hackers trying to access your data online.
Ensure you have all the necessary antivirus software, anti-malware, and a strong firewall in place. These will prevent unauthorised access to your network. Also, ensure that software updates happen as soon as they are available. Software updates may include fixes to any potential issues in past versions and could prevent an attack.
Another way to prevent data breaches is to ensure all sensitive data is encrypted. This includes everything on work laptops and other electronics issued to staff.
To protect your customers’ online accounts, you could also introduce multi-factor authentication. A great example of a company that uses this is Airbnb. Airbnb has implemented additional verification from users when logging in from a new device. They also send text message alerts whenever account changes have taken place. This authentication type is used by many businesses, including web giants such as Twitter, MailChimp, and GitHub.
Should the worst happen and a data breach occurs, it’s also important to have a disaster recovery solution or data loss plan in place. This way, your IT department will be able to recover any data you’ve lost and disarm threats upon discovery.
Tip 2 – Conduct Regular Risk Assessments and Actively Search for Vulnerabilities
This is an area many organisations forget to look into, simply by taking an “if it’s not broke, don’t fix it” approach to security. But, as business and technological climates evolve, something that has worked for years may not work in a week’s time. New risks can emerge overnight. Businesses should therefore actively test their websites and search for security vulnerabilities from the perspective of an attacker. Consider all aspects such as data storage, how employees are accessing documents remotely, and the general functionality of your online protection.
Risk assessments are a good way of noting the risks associated with any potential security hazards too. They are very useful for getting issues noticed by senior management and contain all of the different ways risks can affect a business. By giving busy seniors the full picture, you will be able to provide them with a cause to hopefully initiate change. Remember though, risks are not just financial. They can be reputational, operational, and compliance-related. Be sure to include all of these implications in your assessment. Importantly, keep these documents password protected so as not to expose vulnerabilities to unauthorised individuals. This is particularly crucial if using shared network drives in the workplace.
Tip 3 – Train Your Staff
The Government’s Cyber Security Skills in the UK Labour Market 2021: Findings Report revealed that just 10% of businesses and 12% of charities provided cybersecurity training to non-cyber staff in the last 12 months.
As previously mentioned, the biggest causes of data breaches are a result of internal errors. This reinforces the point that educating employees around data and online security is absolutely essential.
Make sure staff receive regular security training. This should include how to spot phishing scams and why they should not open attachments they weren’t expecting to receive. Brief staff on the importance of data security, and how seemingly innocent mistakes could result in a serious data breach. Staff should have security at the front of their minds when conducting their day-to-day duties, and it should be a part of the company’s culture.
Whilst more prevalent in certain industries such as the legal sector or sectors which handle the data of children, confidentiality training should also be given to employees in all industries. Any leak of confidential information could damage the reputation of a company irreparably.
Tip 4 – Improve Password Security
While this may seem like a no-brainer, a surprising number of businesses become victims of breaches due to inadequate password security.
As well as phishing scams, there are many tools hackers use to quickly crack passwords. One way is a Brute Force Attack. This is where a program works through all possible alphanumeric password combinations from ‘aaa01’ to ‘zzzz99’. These programs can crack insecure passwords, letting the hacker break into your accounts in a very short time. Another way is by using Spidering application tools. Hackers know that many corporate passwords are made up of words connected to the business, for example, the first line of the office address. The hacker will study the corporation’s online literature, and enter these keywords into a custom list for the Brute Force Attack. This can often mean they are able to gain access faster. Because of this, strong passwords are crucial in ensuring the safety of your sensitive data.
Ensure employees change their passwords regularly, and use combinations of upper and lower-case letters, numbers, and symbols. If you use words in your password, make sure they are not directly related to the nature of the business in any way. For example, if you are the owner of an eCommerce business selling printers, the password ‘printers54321’ would be easy to crack. Also, encourage employees to never use the same password for more than one work-related account.
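As an added example (not part of the original article), here is a short Python check that applies the advice above when a password is set: it flags missing character types and any password built on a business-related word, even when common digit-for-letter swaps are used. The term list and the 12-character minimum are assumptions for illustration.

```python
import re

# Constructed sample terms for a hypothetical printer retailer; in practice,
# collect these from your own website, product names and office address.
BUSINESS_TERMS = ["printer", "inkjet", "acme", "highstreet"]

# Common character substitutions undone before matching (e.g. "pr1nt3r").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text):
    """Lower-case, undo common substitutions, then drop non-letters."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def check_password(password, business_terms=BUSINESS_TERMS, min_length=12):
    """Return a list of policy problems; an empty list means acceptable."""
    problems = []
    # min_length is an assumed policy value, not one given in the article.
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lower-case letter": r"[a-z]",
        "upper-case letter": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    flat = normalise(password)
    for term in business_terms:
        key = normalise(term)
        # Ignore terms too short to match meaningfully once normalised.
        if len(key) >= 3 and key in flat:
            problems.append(f"contains business term '{term}'")
    return problems


if __name__ == "__main__":
    for candidate in ("printers54321", "Pr1nt3r$-2024!", "Quiet-Harbour-82!Lamp"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that a password can meet every character-type rule and still be rejected, because the business word underneath is what a custom word list would target.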
You should also password protect sensitive documents when possible, and only share these passwords with those who need direct access – do not store them on a shared or public drive.
Tip 5 – Restrict Access
Another vital and often overlooked method of prevention is access control. By restricting websites, network access, files, downloads, and databases to specific users only, you will automatically decrease the chances of a breach. Organisations should ensure that employees only have access to the information necessary for their jobs. While this process can be time-consuming and will need regular amendments, it will mean a much lower risk of important data being seen by unintended recipients.
It’s worth noting that information is still considered ‘breached’ when viewed by any unauthorised or unintended person or colleague. This applies even when information is seen accidentally. Data breach notification laws state that certain industries are legally obligated to notify the ICO (Information Commissioner’s Office) and consider notifying customers if a data breach such as this occurs, however harmless it may seem.
Tip 6 – Physical Security
Whether you’re the owner of a start-up working out of their garage or an international firm with offices around the globe, one obvious thing to consider is the physical security of your premises. To help keep your data physically secure, consider the following preventions.
- Use CCTV wherever possible and, of course, ethical. Make sure keyholders know how to keep keys safe and keep a signed record of who has key access to the building.
- Don’t ever give your building entry codes out to guests or visitors under any circumstances. To do so could pose a serious risk for theft. This information could be overheard or shared with malicious intentions.
- If you leave workstations unattended even just for a few minutes, put computers into sleep mode and secure sensitive documents. Also ensure employees lock away laptops, external hard drives, and sensitive documents overnight or when unused. For additional security, use a signing out system for when employees need to access these records.
- Avoid leaving any papers, computers, or electronic devices visible from the outside of the building, especially in ground floor offices. Similarly, avoid leaving sensitive paperwork uncollected from printers, fax machines, copiers, or in unlocked storage.
Tip 7 – Use Extra Security Methods for Portable Devices
Portable devices are most at risk of getting lost or stolen. So, as well as locking these devices up, ensure extra precautions are in place should these devices go missing.
Encrypt all laptops, USB drives, external hard drives, and other portable devices. While encryption can’t prevent theft, it can prevent unauthorised parties from accessing content, as they won’t be able to decode the data without the decryption key.
Make sure to delete sensitive files once no longer needed as an extra method of protection. Where financially viable, get old electronics and storage devices safely destroyed. This will stop unauthorised parties from recovering documents.
Tip 8 – Provide Devices for Flexible Workers
The majority of organisations now allow employees to bring their own devices to work. Many also allow their staff to work flexibly from home, depending on the nature of the role. While this is great for employee satisfaction, it can pose additional risks to cybersecurity.
When working remotely there is no real way of being sure that employees aren’t accessing sensitive data on unsafe devices. It can be much harder to control prevention methods on personal devices than on work-issued devices. There are also certain ethical issues. If you need to access what your employee has been working on, are there risks of privacy infringement by looking at their personal laptops?
The best way to ensure flexible workers keep working safely while offsite is by issuing a company laptop or phone. These devices can be shared and signed in and out by employees when needed. Although this can be seen as an inconvenient expense for businesses, it is also the best way of keeping employees happy and keeping your sensitive data safe in the long run.
Tip 9 – Ensure Partners and Vendors Maintain High Data Protection Standards
When working alongside other businesses or service providers who may need to handle your sensitive data, ensure they have satisfactory systems in place. The easiest way of doing this is to look for certain accreditations.
There are four main accreditations that will show you that your suppliers are maintaining high data protection standards. These are:
- ISO 14001
- ISO 9001 Quality Management incorporating EN15713
- BSIA – British Security Industry Association approved member
- And PCI DSS Level 1 Service Provider Compliance
There is no harm in asking for a scanned certificate as proof for these accreditations should you see fit. It is better to be safe than sorry when it comes to the potential exposure of sensitive information. Often these certificates will be available online, and ours can be found here.
Tip 10 – Know When to Destroy Data
We’ve spoken a lot about protecting your data, but knowing when to destroy this data is crucial as a preventative method of data breaches. Whether you’re looking to destroy paperwork, products, or electronic storage devices, this must be done securely. You must also keep proof of destruction.
Fraudsters don’t just operate online, so leaving secure waste in recycling facilities or general waste bins is not a safe way of disposing of your secure information. To be fully safe, this data should be destroyed. After all, thieves cannot steal what doesn’t exist.
The benefits of using a shredding service with an accredited business such as ourselves here at Shred Station Ltd are numerous. Security-vetted individuals will destroy your items under constant CCTV. You will also receive a certificate of destruction.
For many businesses, the apparent burden of employing cybersecurity measures can be daunting. There is often a fear that it would mean less flexibility for staff as well as business operations. However, this doesn’t have to be the case. Your team can still work flexibly and safely, and just small changes can make a big difference. Data breach prevention methods are numerous. Once implemented they are invaluable to businesses of all sizes. They can prevent risks to not only customer data, but also a company’s reputation, finances, and day-to-day processes.
To see the UK Government’s Cyber Security Breaches full survey report for 2021, you can find this here.