Getting hacked seems part and parcel of doing business these days.
It even happens to the big boys (see Delta and Best Buy, for example). That may suggest data breaches are inevitable, especially for small businesses. But just because large corporations dropped the ball doesn't mean you have to. Implement the following strategies and you'll shut out the bulk of opportunistic attacks, and make the targeted ones far more expensive for whoever is behind them.
Penetration Testing
This is a bit of a bugbear of ours, and here's why. Most businesses do the bare minimum to improve their data security. That is true even among large multinationals! Those that go to the next level tick off most of the items on our list, but hardly anyone does penetration testing. And that, we can't stress enough, leads to very expensive mistakes.
Penetration testing, aka ethical hacking, is the process of attempting to break into your own systems so that you find the exploitable weaknesses and fix them (before the bad guys get there first!). Take it seriously. Either employ a company that specializes in this, or engage an independent tester who has turned to the light side. Either way, agree the scope and rules of engagement in writing beforehand, fix what they find, and have them retest; a report that sits in a drawer is worth nothing. Handing the job to your IT officer or someone else in your organization as a side task won't cut it: they know the system too well to attack it the way an outsider would, and they rarely have the time.
Minimize Your Attack Surface
When it comes to data security, you want to limit the hacker's options. The best way of doing this is by minimizing your attack surface, in other words reducing the number of points where an attacker can gain unauthorized access. Yes, we're augmenting your knowledge of hacker lexicon. You're welcome. Here's how you can make it happen:
- Reduce privileges. Be extremely careful about user accounts. Give each person only the permissions their role needs (administrators included: a separate admin account for admin work, a normal account for email and browsing), keep tabs on every new account you create, review permissions when people change roles, and disable accounts the day someone leaves. Compare your directory against the HR roster regularly; leaver accounts that stay active are a favourite way in.
- Patching. Ensuring your software is running on the latest version isn't just a usability issue. In fact, it's mainly about security. Install patches as soon as they are released, starting with anything internet-facing and anything the vendor says is being actively exploited. Test if you must, but in days, not months.
- Uninstall unnecessary software. Audit your installed software (or plugins and modules, if it's a website) on a regular basis. Figure out whether you're actually using each item or whether it's just a memory hog or, worse, an unpatched entry point. Every component you remove is one you no longer have to patch.
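The account review in the first bullet is easy to describe and easy to skip, so here is what it looks like as a repeatable check. This is an added example, not code from the original article: it reconciles a (constructed) directory export against the HR roster and flags accounts to disable, stale accounts, and privileged accounts nobody has approved. The field names and the 90-day staleness threshold are assumptions; adapt them to whatever your directory or identity provider actually exports.

```python
"""Added example (not from the original article): account reconciliation.

Given a directory export, the HR roster, and the approved lists for service and
admin accounts, report what should be disabled or reviewed. All data below is
constructed for illustration and the field names are assumptions.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)      # assumption: no login for 90 days counts as stale
PRIVILEGED_GROUPS = {"admins"}        # assumption: group names that grant admin rights

# Constructed sample of what a directory/IdP export might look like.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "groups": ["staff", "admins"], "last_login": "2024-05-30", "enabled": True},
    {"user": "bob", "groups": ["staff"], "last_login": "2024-01-10", "enabled": True},
    {"user": "carol", "groups": ["staff", "admins"], "last_login": "2024-05-28", "enabled": True},
    {"user": "dave", "groups": ["staff"], "last_login": "2024-05-29", "enabled": True},
    {"user": "svc-backup", "groups": ["backup"], "last_login": "2024-05-30", "enabled": True},
    {"user": "temp-contractor", "groups": ["staff", "admins"], "last_login": "2023-11-02", "enabled": True},
]
HR_ROSTER = {"alice", "bob", "carol"}           # dave has left; temp-contractor was never on it
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}      # non-human accounts with a documented owner
APPROVED_ADMINS = {"alice"}                     # the only person who should hold admin rights


def audit_accounts(accounts, roster, service_accounts, approved_admins, today_iso):
    """Return {'disable': set, 'stale': set, 'review_privilege': set} for enabled accounts.

    - disable:          enabled but neither on the roster nor an approved service account
    - stale:            no login within STALE_AFTER (candidate for disabling)
    - review_privilege: in a privileged group without being an approved admin
    An account can appear in more than one set; 'disable' is the one to act on first.
    """
    today = date.fromisoformat(today_iso)
    findings = {"disable": set(), "stale": set(), "review_privilege": set()}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; deletion can follow your retention policy
        user = acct["user"]
        if user not in roster and user not in service_accounts:
            findings["disable"].add(user)
        if today - date.fromisoformat(acct["last_login"]) > STALE_AFTER:
            findings["stale"].add(user)
        if PRIVILEGED_GROUPS & set(acct["groups"]) and user not in approved_admins:
            findings["review_privilege"].add(user)
    return findings


if __name__ == "__main__":
    report = audit_accounts(DIRECTORY_ACCOUNTS, HR_ROSTER, APPROVED_SERVICE_ACCOUNTS,
                            APPROVED_ADMINS, "2024-06-01")
    for category, users in report.items():
        print(f"{category:17s}: {', '.join(sorted(users)) or '-'}")
```

Run it weekly from the same place you pull the HR roster, and treat a non-empty `disable` list as an incident rather than a chore: in the sample, `temp-contractor` is off the roster, hasn't logged in for months, and still holds admin rights, which is exactly the kind of account an attacker looks for.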
Back Up Your Data
You should always have a way of turning back the clock and restoring your data to the last known-good point. Hackers aren't only after stealing information; some go into servers for the mere fun of it, and ransomware crews encrypt or delete everything precisely so that you'll pay to get it back. Yes, some people just like to destroy stuff. Wiping a server is, unfortunately, part of the fun.
This is why data backups are so important. And we're not just talking local backups here. Go to the cloud to ensure you have your data spread over multiple locations. Of course, this widens your attack surface, but we think it's worth it. Just make sure you enable two-factor authentication on the backup accounts, encrypt all data, keep at least one copy somewhere an attacker holding your admin credentials can't delete it (offline, or in immutable storage), and don't let the only copy of anything live on an employee's laptop. And test your restores: a backup you have never restored from is a hope, not a backup.
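The last two points, tamper-evidence and a tested restore, are worth showing concretely. The following is an added example, not code from the original article: it archives a directory, records a per-file hash manifest and authenticates that manifest with an HMAC, and then refuses to restore if the manifest, the archive, or any restored file doesn't check out. The key is assumed to be stored somewhere other than the backup location (a secrets manager, an offline note); if it sits next to the archive, an attacker who edits the archive can simply re-sign the manifest. Encryption at rest is deliberately left to your backup tool or to `gpg`/`age`, since the Python standard library has no authenticated cipher.

```python
"""Added example (not from the original article): a backup with an
HMAC-authenticated manifest, plus a restore test that proves the copy is intact.

Assumptions: the HMAC key lives somewhere the backup location cannot reach, and
encryption at rest is layered on separately. The demo data is constructed.
"""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path


def _file_digest(path):
    """SHA-256 of a file, streamed so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_for(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): _file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, dest_dir, key):
    """Write backup.tar.gz and a signed backup.manifest.json into dest_dir."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / "backup.tar.gz"
    files = _manifest_for(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:                         # only files; tar recreates directories on extract
            tar.add(Path(src_dir) / rel, arcname=rel)
    manifest = {"files": files, "archive_sha256": _file_digest(archive)}
    body = json.dumps(manifest, sort_keys=True).encode()   # canonical form, so the HMAC is reproducible
    signed = {"manifest": manifest, "hmac": hmac.new(key, body, "sha256").hexdigest()}
    manifest_path = dest / "backup.manifest.json"
    manifest_path.write_text(json.dumps(signed, sort_keys=True))
    return archive, manifest_path


def _safe_extract(tar, dest):
    """Extract while refusing members that would escape dest (path traversal)."""
    try:
        tar.extractall(dest, filter="data")       # Python 3.12+ and backports: built-in traversal check
    except TypeError:                             # older Python: do the check by hand
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"refusing unsafe archive member: {m.name}")
        tar.extractall(dest)


def verify_and_restore(archive, manifest_path, key, restore_dir):
    """True only if manifest is authentic, archive matches it, and restored files hash correctly."""
    signed = json.loads(Path(manifest_path).read_text())
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        return False                              # manifest forged, edited, or wrong key
    if _file_digest(archive) != signed["manifest"]["archive_sha256"]:
        return False                              # archive altered: don't even unpack it
    Path(restore_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        _safe_extract(tar, restore_dir)
    return _manifest_for(restore_dir) == signed["manifest"]["files"]


def run_demo():
    """Constructed demo: back up a tiny tree, then check a clean, a wrong-key and a tampered restore."""
    key = b"demo-key-store-me-away-from-the-backups"   # assumption: kept outside the backup location
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "src"
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_text("customer list v3\n")          # constructed sample data
        (src / "sub" / "config.ini").write_text("[db]\nhost=db.internal\n")
        archive, manifest = make_backup(src, work / "backup", key)
        results["clean"] = verify_and_restore(archive, manifest, key, work / "restore1")
        results["wrong_key"] = verify_and_restore(archive, manifest, b"not-the-key", work / "restore2")
        data = bytearray(archive.read_bytes())    # simulate an attacker editing the archive
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        results["tampered_archive"] = verify_and_restore(archive, manifest, key, work / "restore3")
    return results


if __name__ == "__main__":
    print(run_demo())   # expected: {'clean': True, 'wrong_key': False, 'tampered_archive': False}
```

Schedule `verify_and_restore` against a scratch directory as part of the backup job itself, not as something someone remembers to do once a year; the restore that matters is the one you've already rehearsed.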
Security-First Development Approach
Software and web developers often work to unrealistic deadlines under huge pressure to release code. This leads to rushed development where getting something out there that just 'kinda works' takes precedence over a decent product that is also secure. You can usually get away with this in the short term, but it will come back to bite you, and fixing a design flaw after release costs many times what it would have cost on the whiteboard.
The slower, yet safer and altogether better approach is security-first development. This means creating secure software is a cornerstone of your development process, not an afterthought: threat modeling when a feature is designed, code review and dependency checks before it is merged, and automated security tests that run on every build. Your developers should become accustomed to having security at the forefront of the development cycle, not bolted on at the end.
Plan, Plan, Plan (and Plan Some More!)
Companies that have their security situation in order always have detailed plans in place that set out company policy and what must be done in case of a data breach. Be one of those companies. These are the bases you need to cover:
- Give it proper attention. Emergency plans don't get the attention they deserve, simply because emergencies don't happen often. Until they do. Plan properly now, and run through the plan with the people who would have to execute it, and you'll save yourself plenty of headaches later.
- Remember, it's a work in progress. Your documentation isn't a one-time affair. It's something you need to revisit consistently, updating it as requirements change and as you learn from incidents and near-misses.
- What are your assets? Be aware of everything your company controls, and make sure you know how each asset is managed and by whom. You don't want a rogue application, server or cloud account that nobody is accountable for; you can't patch, back up or monitor what you don't know you have.
- Contact points. If a breach happens, you want to jump on it quickly. The sooner you contain the issue, the better for damage limitation. Write down who inside the company can order a system taken offline, who talks to customers and regulators, and who to call at each third party. If you're dealing with a third party for your cloud storage, for example, have a trusted point of contact ready to go before you need one.
Whether your company is big or small, you need to learn how to protect it. Don't be lazy and leave it to chance; your data, your customers' data and everyone's privacy depend on how well you protect yourself from breaches.