Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/13/2018
10:30 AM
Francis Dinha
Francis Dinha
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Data Security Landscape Is Shifting: Is Your Company Prepared?

New ways to steal your data (and profits) keep cropping up. These best practices can help keep your organization safer.

The world around online data is changing, and with it the landscape of business is facing an irreversible shift. Not only in terms of regulations — with the European Union's General Data Privacy Regulation enacted — but in the way businesses actually use and have access to data. An increasing number of businesses are moving their data to the cloud, which brings a different set of security issues.

Through the cloud, hackers can shut down your business for weeks — or longer. They can steal not only your data but your resources. Companies often don't take this threat seriously enough. The cloud feels invisible, so we make the incorrect assumption that it's inaccessible. I've seen many powerful companies neglect simple steps — like properly training their staff, having a backup in place, or limiting employees' access — which can make the difference between powerful profits and destruction due to cybercrime.

Thankfully, there are steps you can take to protect your company, and they aren't that complicated. Implement these five best practices to keep your data (and profits) out of the hands of hackers.

1. Make sure your IT staff is highly trained and available. Make sure your IT staff is highly trained and available. Too many companies relegate their IT crew to a dusty office in the back, with no supervision and little training. They're treated as outsiders, usually because they have a different skill set and a different goal than the rest of the team — they're there to support the company, rather than expand the company like sales or product development. Because of this, IT faces the same kind of problems people in other supportive departments, like HR, face: they're taken for granted, denied the resources they need, and sometimes even unfairly blamed when something related to their department goes wrong.

But these supportive departments are vital to your company's functioning, and you neglect them at your peril. The IT world is constantly shifting, so the training for your employees needs to be updated constantly if you want them to succeed. Provide them with the right resources and ever-updated training, and you'll find yourself with an IT team ready and able to support your employees and protect your data. Proper training means your IT staff will see the incoming problems before they arrive — and, for the problems that do come, your IT team will be well equipped to handle them.

2. Educate your regular staff and develop a company-wide policy. Once your IT staffers are highly trained, you can rely on them to develop a company-wide security policy that you can implement and enforce. Many details will depend on your company and industry, but there are a few basic practices that every company should employ.

  • Create a process everyone knows how to follow, including a two-factor authentication system, strong passwords, and access to a private network.
  • Don't let your employees use their personal phones for company work. But if you do, have the right certificates installed on their devices.
  • Put up all walls to protect employees from hacking, and make them a standard part of your company policy — one that your employees understand, are trained in, and can implement. Having the best security tech in the world will mean nothing if your staff isn't taking it seriously.

3. Everything is on a need-to-know basis. Your employees do not need access to everything — they only need access to what's relevant to them. Policy comes into play here again: Make sure each level of access is protected by two-factor authentication and strong passwords, and work with your IT team to see that everyone has the access they need — but no more.

4. Back everything up. Yes, this step may seem basic, but I've seen plenty of otherwise savvy executives avoid it. They don't want to deal with the work of creating a backup to all their data, all their code, all their important financial info — it feels like a hassle, but it's absolutely essential. You're at risk of losing an incredible amount of work if you don't have a backup to turn to in case of an emergency. What's more, make sure you back it up somewhere private. Don't simply rely on Google Drive! On top of all this, charge your IT team with having their own backups and regularly taking snapshots of their work. There are plenty of tools available to make this simple; just make sure your IT staff really is using them. Then, of course, make sure all those backups are private and insulated extensively from attack.

5. Prepare for the worst. No matter how much you prepare, there will always be risk involved with any kind of online data storage. Inherent risk means you must be inherently prepared. Have a disaster recovery plan in place, ready to go if a hacker destroys your data. Recovery from this kind of attack is all about speed — the longer your company is down, the greater the damage will be long-term. No insurance or reparations can make up for the potential business your company loses when it's out of commission — which means a speedy recovery, more than anything else, determines whether a company will be able to bounce back. Use the backup you developed to rebuild and relaunch your programs; make it automated if possible. Set a plan in place so that, when the worst happens, you can turn it around quickly, efficiently, and effectively.

If hackers have your company as a target, they'll either want to attack you and bring your network down or they're simply after financial gains. Many hackers will try to gain access to your Amazon cloud account, steal the key, and launch a prolific amount of CPU usage, just to mine it for digital currency. Every day they develop more strategies, and every day they find new incentives. But whatever the goal, a cyberattack can mean the loss of profits, or worse, a permanent shutdown of your entire company. As our data and business landscape shifts and changes with developing technology (and corresponding government policies), make sure you and your team are prepared to ride any wave that comes your way.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

Francis Dinha is the CEO and co-founder of OpenVPN, a security-focused open source VPN protocol. With more than 50 million downloads, OpenVPN has been in the open source networking space since its founding in 2004. Its Private Tunnel service provides "last mile" security to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AdelaidaP
50%
50%
AdelaidaP,
User Rank: Apprentice
8/16/2018 | 3:58:21 AM
just
I think you can't be 100% prepared for all.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15037
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Reports-Devices.php page st[] parameter.
CVE-2019-4323
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."
CVE-2019-4324
PUBLISHED: 2020-07-07
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2020-15036
PUBLISHED: 2020-07-07
NeDi 1.9C is vulnerable to cross-site scripting (XSS) attack. The application allows an attacker to execute arbitrary JavaScript code via the Topology-Linked.php dv parameter.
CVE-2020-15577
PUBLISHED: 2020-07-07
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) software. Cameralyzer allows attackers to write files to the SD card. The Samsung ID is SVE-2020-16830 (July 2020).