You will have heard terms such as ‘data breach’ and ‘cyber-attack’ used more and more in recent years, with instances of these cyber-crimes featuring increasingly in local and global news. As our reliance on technology has grown, data breaches have become commonplace. Thieves and fraudsters are no longer just the clichéd shady character sneaking around after dark.
The UK Government’s 2018 Cyber Security Breaches Survey states that 43% of businesses and 19% of charities have experienced a cybersecurity breach in the last year. This figure rises to a staggering 72% amongst large businesses (250+ employees), and 73% amongst charities with annual incomes of £5 million+. Despite this, only 27% of businesses and 21% of charities have a formal cybersecurity policy.
So, what can we do to keep our data safe?
The first step in any solution is recognising that there is a problem. Data breaches have many causes, but the most common is human error inside the organisation. It may be a laptop or USB stick that is lost or stolen, preventative measures that senior managers never prioritised, or an innocent slip such as putting a mailing list in the To field instead of blind copying (Bcc), which exposes every recipient’s address to every other recipient and is itself a reportable breach. These are honest mistakes, but the inattentiveness behind them poses a serious risk.
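To make the blind-copy slip-up concrete, here is an added example in Python (not part of the original article) showing what each recipient can read from the headers when a mailing list is put in To: versus Bcc:. The sender and subscriber addresses are constructed for the example, and the as_delivered helper mirrors what Python’s smtplib does before sending: it uses the Bcc header for the envelope and then strips it from the message.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: a fictional sender and mailing list (not real addresses).
SENDER = "newsletter@example.co.uk"
SUBSCRIBERS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def build_newsletter_unsafe(recipients):
    """The slip-up: every subscriber goes in To:, so each one sees the whole list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello all, here is this month's news.")
    return msg


def build_newsletter_safe(recipients):
    """The fix: the list goes in Bcc:; To: carries only the sender's own address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello all, here is this month's news.")
    return msg


def as_delivered(msg):
    """Copy of the message as a recipient receives it.

    Mirrors smtplib.SMTP.send_message: the envelope recipients are read from
    To/Cc/Bcc, then the Bcc header is removed before the message is sent.
    """
    delivered = copy.copy(msg)
    del delivered["Bcc"]
    return delivered


def envelope_recipients(msg):
    """Everyone the mail server will actually deliver to (To, Cc and Bcc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted(addr for _, addr in getaddresses(headers) if addr)


def leaked_subscribers(msg, subscribers):
    """Subscriber addresses other recipients can read from the delivered headers."""
    delivered = as_delivered(msg)
    visible_headers = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    visible = {addr for _, addr in getaddresses(visible_headers)}
    return sorted(visible & set(subscribers))


if __name__ == "__main__":
    for label, builder in (("unsafe", build_newsletter_unsafe), ("safe", build_newsletter_safe)):
        msg = builder(SUBSCRIBERS)
        print(label, "delivers to", envelope_recipients(msg))
        print(label, "leaks", leaked_subscribers(msg, SUBSCRIBERS))
```

Both versions reach the same people; only the safe one keeps the list out of the headers that every recipient can read.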
To prevent a data breach, everyone in a company must understand their responsibility to protect sensitive information. Outlined below are ten steps all businesses can take to help protect themselves from data breaches in the workplace.
Tip 1 – Use Online Protection
As we’ve mentioned, data breaches occur in a large number of businesses and charities. No organisation is invulnerable to an attempted attack. One way these attacks happen is through hackers trying to access your data online.
Ensure you have antivirus and anti-malware software and a properly configured firewall in place. These reduce, but do not eliminate, the chance of unauthorised access to your network. Also ensure that software updates are applied as soon as they are available: updates often contain fixes for vulnerabilities in earlier versions, and attackers actively exploit known, unpatched flaws.
Another way to prevent data breaches is to ensure all sensitive data is encrypted. This includes everything on work laptops and other electronics issued to staff.
To protect your customers’ online accounts, introduce multi-factor authentication. Airbnb is a good example of a company that uses this: it requires additional verification when a user logs in from a new device and sends text message alerts whenever account changes take place. Multi-factor authentication is used by many businesses, including web giants such as Twitter, MailChimp, and GitHub. Apply it to your own staff accounts as well, particularly email, remote access and administrator logins, since a stolen or phished password alone is then not enough to get in.
Should the worst happen and a breach occur, it’s also important to have a disaster recovery or data loss plan in place, so your IT department can contain the threat as soon as it is discovered and restore lost data from backups. Keep at least one copy of those backups offline or otherwise separate from the live network, and test restoring from them, so that the attack which caused the breach cannot also destroy your means of recovery.
Tip 2 – Conduct Regular Risk Assessments and Actively Search for Vulnerabilities
This is an area many organisations forget to look into, simply by taking an “if it isn’t broken, don’t fix it” approach to security. As business and technological climates evolve, however, something that has worked for years may not work in a week’s time, and new risks can emerge overnight. Businesses should therefore actively test their websites and systems for security vulnerabilities from the perspective of an attacker, for example through regular vulnerability scanning and periodic penetration testing. Consider all aspects, such as where data is stored, how employees access documents remotely, and whether your online protection actually works as intended.
Risk assessments are a good way of recording the risks associated with any potential security hazard. They are very useful for getting issues noticed by senior management, because they set out all the ways a risk can affect the business. By giving busy senior managers the full picture, you give them a reason to initiate change. Remember, though, that risks are not just financial: they can be reputational, operational, and compliance-related, so include all of these in your assessment. Importantly, keep these documents access-controlled and password protected, so as not to expose your known weaknesses to unauthorised individuals. This is particularly crucial if they are kept on shared network drives.
Tip 3 – Train Your Staff
The UK Government’s Cyber Security Breaches Survey of 2018 reported that just 20% of businesses and 15% of charities have had any staff attend cyber security training in the last 12 months, internally or externally. Additionally, just 30% of businesses and fewer than a quarter of charities have board members or trustees with cybersecurity responsibilities.
As previously mentioned, the biggest causes of data breaches are internal errors. This reinforces the point that educating employees about data and online security is absolutely essential.
Ensure staff are trained and kept up to date on security best practice. This should include how to spot phishing scams, not opening attachments they weren’t expecting to receive, and how and to whom to report a suspicious message or a mistake quickly, since early reporting limits the damage. All staff members should be briefed on the importance of data security and on how seemingly innocent mistakes can result in a serious data breach. Staff should have security at the front of their minds when conducting their day-to-day duties, and it should be part of the company’s culture.
Whilst more prevalent in certain industries such as the legal sector or sectors which handle the data of children, confidentiality training should also be given to employees in all industries. Any leak of confidential information could damage the reputation of a company irreparably.
Tip 4 – Improve Password Security
While this may seem like a no-brainer, a surprising number of businesses become victims of breaches due to inadequate password security.
As well as phishing scams, attackers have tools that crack weak passwords quickly. One is the brute force attack, where a program works through every possible combination of characters, for instance every short alphanumeric string from ‘aaa01’ to ‘zzzz99’. A short or predictable password falls to this in a very short time. A more targeted method uses a spidering application. Attackers know that many corporate passwords are made up of words connected to the business itself, for example the first line of the office address, so the tool crawls the company’s website and published literature and turns the words it finds into a custom wordlist. That list, tried with common variations such as appended numbers, is far shorter than the full brute force space, which often means the attacker gains access much faster. Because of this, strong and unpredictable passwords are crucial in ensuring the safety of your sensitive data.
Ensure employees use passwords that are long, that mix upper and lower-case letters, numbers, and symbols or, better still, consist of several unrelated words, and that are changed promptly whenever compromise is suspected (scheduled changes on their own tend to produce predictable variations of the old password). If words are used, they should not be related to the nature of the business in any way. For example, if you are the owner of an eCommerce business selling printers, the password ‘printers54321’ would be easy to crack. Also ensure employees never reuse a password across work-related accounts; a password manager makes this practical.
Sensitive documents should also be password protected when possible, and shared only with those who need to access them directly – not stored on a shared or public drive.
Tip 5 – Restrict Access
Another vital and often overlooked method of prevention is access control, sometimes called the principle of least privilege. By restricting websites, network access, files, downloads, and databases to the specific users who need them, you automatically decrease the chances of a breach. Organisations should ensure that employees only have access to the information necessary for their jobs. This process takes time and needs regular review, particularly when people change role or leave, but it means a much lower risk of important data being seen by unintended recipients.
It’s worth noting that information is still considered ‘breached’ when viewed by any unauthorised or unintended person, including a colleague, even if it was seen accidentally and never shared further. Under the GDPR and the Data Protection Act 2018, an organisation must notify the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals, and must also inform the affected individuals where that risk is high. This applies to every organisation handling personal data, not just certain industries, and breaches that are judged not to need reporting must still be documented internally, however harmless they may seem.
Tip 6 – Physical Security
Whether you’re the owner of a start-up working out of their garage or an international firm with offices around the globe, one obvious thing to consider is the physical security of your premises. To help keep your data physically secure, consider the following preventions.
- Use CCTV wherever possible and, of course, ethical. Ensure keyholders are briefed on keeping their keys secure, and a signed record is kept of who has key access to the building.
- Don’t ever give your building entry codes out to guests or visitors under any circumstances. To do so could pose a serious risk for theft. This information could be overheard, or shared with malicious intentions.
- If a workstation is left unattended even for a few minutes, lock the screen so that a password is needed to resume (sleep mode alone does not protect it unless a password is required on wake), and secure any sensitive documents. Also ensure employees lock away laptops, external hard drives, and sensitive documents overnight or when unused. For additional security, use a signing-out system for when employees need to access these records.
- Avoid leaving any papers, computers, or electronic devices visible from the outside of the building, especially in ground floor offices. Similarly, avoid leaving sensitive paperwork uncollected from printers, fax machines, copiers, or in unlocked storage.
Tip 7 – Use Extra Security Methods for Portable Devices
Portable devices are at the most risk of getting lost or stolen, so as well as locking these devices up, ensure that extra precautions are in place should these devices go missing.
Ensure all laptops, USB drives, external hard drives, and other portable devices are encrypted. Modern operating systems provide full-disk encryption (BitLocker on Windows, FileVault on macOS), and it should be switched on before a device is issued rather than left to the user. Encryption can’t prevent theft, but it prevents unauthorised parties from reading the contents, as they cannot decode the data without the decryption key.
As an extra layer of protection, make sure sensitive files are securely deleted once no longer needed. Bear in mind that simply overwriting a file is not reliable on flash storage such as SSDs and USB sticks, so full-device encryption, with the key destroyed when the device is retired, is the dependable way to make old data unrecoverable. Where financially viable, have old electronics and storage devices physically destroyed. This prevents the data from being recovered by unauthorised parties.
Tip 8 – Provide Devices for Flexible Workers
The majority of organisations now allow employees to bring their own devices to work. Many also allow staff to work flexibly from home, depending on the nature of the role. While this is great for employee satisfaction, it can pose additional risks to cybersecurity.
When staff work remotely there is no real way of being sure they aren’t accessing sensitive data on unsafe devices. It is also much more difficult to ensure prevention measures are controlled or managed on a personal device than on a work-issued device. There are also ethical issues: if you need to see what an employee has been working on, you risk infringing their privacy by looking at their personal laptop.
The best way to ensure flexible workers keep working safely while offsite is to issue a company laptop or phone. These devices can be shared and signed in and out by employees when needed, and, because the business owns them, they can be centrally managed: encrypted, kept updated, and wiped remotely if lost. Although this can be seen as an inconvenient expense, it is also the best way of keeping employees happy and your sensitive data safe in the long run.
Tip 9 – Ensure Partners and Vendors Maintain High Data Protection Standards
When working alongside other businesses or service providers who may need to handle your sensitive data, ensure they have satisfactory systems in place. The easiest way of doing this is to look for certain accreditations.
There are four accreditations which will show you that a destruction supplier is maintaining high standards. These are:
- ISO 14001 – environmental management, which covers how destroyed material is recycled rather than data protection itself
- ISO 9001 Quality Management incorporating EN 15713, the European standard for the secure destruction of confidential material
- BSIA – British Security Industry Association approved member
- And PCI DSS Level 1 Service Provider Compliance, for suppliers that handle payment card data
For partners who store or process your data electronically rather than destroy it, also look for ISO 27001 certification, which covers information security management.
There is no harm in asking for a scanned certificate as proof for these accreditations should you see fit. It is better to be safe than sorry when it comes to the potential exposure of sensitive information. Often these certificates will be available online, and ours can be found here.
Tip 10 – Know When to Destroy Data
We’ve spoken a lot about protecting your data, but knowing when to destroy this data is crucial as a preventative method of data breaches. Whether you’re looking to destroy paperwork, products, or electronic storage devices, this must be done securely. Additionally, proof of destruction must be kept.
Fraudsters don’t just operate online, so leaving secure waste in recycling facilities or general waste bins is not a safe way of disposing of your secure information. To be fully safe, this data should be destroyed, as, after all, thieves cannot steal what doesn’t exist.
The benefits of using a shredding service with an accredited business such as ourselves here at Shred Station Ltd are numerous. Your data will be destroyed by security-vetted individuals, and this process will be stringently monitored with protected CCTV. You will also receive a certificate of destruction.
For many businesses, the apparent burden of employing cybersecurity measures can be daunting. There is often a fear that it would mean less flexibility for staff as well as business operations. However, this doesn’t have to be the case. Your team can still work flexibly and safely, and just small changes can make a big difference. Data breach prevention methods are numerous, and once implemented, are invaluable to businesses of all sizes as they can prevent risks to not only customer data, but also a company’s reputation, finances, and day-to-day processes.
To see the UK Government’s Cyber Security Breaches full survey report for 2018, you can find this here.