Restrict Access Based on Authorization and Location The first step to safe sensitive data handling in the workplace is to restrict access. It’s probably true that only a handful of specific employees need direct access to a company’s stored sensitive data. Likewise, only a few processes and programs run on company computer systems might have a legitimate reason to directly access sensitive data. In many circumstances, there’s no need for sensitive data to ever be accessed or transported outside a physical space.  So close all other points of access. Only give employee authorization to those who need access. Limit access only to specific monitored workstations inside the office. Or only permit a specific program with decryption codes to access the data under any circumstances.     Create a List of Approved Uses for Sensitive Day What is sensitive data being used for in your company? For example, you would use a customer’s financial data to bill them and possibly to build analysis models for trend-spotting. You might use a customer’s home address to geo-target advertisements, or you might use a customer’s IP address to provide better local online services. But the number of things your company does with sensitive data can be written in a finite list. Determine all the approved uses of sensitive data inside the company and make that your White List. Prevent and ban all other uses of sensitive data and excuses to access it.   Prevent Unauthorized Copies of the Information Copying sensitive data is a huge risk. Whether employees make a digital or printed copy or even jot down notes on a scratch pad, this is now sensitive information that could leave the secured and encrypted confines of the company. An employee with a copy of information can lose that copy in public or give it to another person who will misuse the sensitive data. So don’t allow copies unless through an approved data use process. Prevent anyone from copy-pasting text, block digital file copies from being made without authorization, and do not allow printing by default.   Trigger Notifications When Sensitive Data is Accessed One of the best ways to prevent accidents is with constant oversight. Create a log for routine and approved sensitive data access. And if any sensitive data is accessed outside of 100% expected conditions, then create a notification for the security admin. This quick heads-up that sensitive data is being accessed might be enough to detect and prevent a major breach. Any time your servers containing sensitive information are accessed without the right authorization, decryption, timing, etc. will create a security incident that will need to be checked out and cleared. This concept is much like when Google alerts you to a new device login. Just in case it’s a hacker in another state.   Automate Complete and Audited User Removal A critical element of sensitive data security is data deletion. When a customer deletes their account or asks for data to be destroyed, it must be destroyed completely. This means removing all lingering sensitive, personal, and possibly public information about that account-user from your servers. No identifying information can remain when an account is closed. To do this, build a system of combined automation and auditing. Start with an automated clearing and complete deletion of all known information about […]

  The benefits and risks of cloud services Almost every organization with a significant amount of data entrusts some of it to the cloud. On-site systems for data require constant maintenance and upgrading. An unexpected server failure disrupts operations. Increased data requirements force the company to get more hardware. A cloud service handles the maintenance for a predictable monthly cost, and good services have redundant hardware that minimizes downtime. At the same time, cloud usage involves some risks. These considerations apply not only to services that store data, but to file syncing services. Even if data is only on the cloud server temporarily, many of the same considerations apply. Entrusting data to a service, with no fallback, can lead to catastrophic data loss if it ceases to be available. Handing data which someone else owns to a third-party service may violate contracts or legal requirements. There may be restrictions on what country information can be stored in, or the service may require certification. The uncoordinated proliferation of cloud usage by different departments may lead to redundant and inconsistent sets of data. Different cloud services may not hold the same types of information, and they could diverge over time. Besides, having two services to hold the same data is an unnecessary expense and takes more work. External and internal security risks could arise. A carelessly maintained service could be breached. Criminals using phishing and other techniques try to steal passwords. A poor setup of accounts may give access to employees who aren’t supposed to have it. The limitations of free services Free cloud services with good reputations may be a good choice for non-critical situations, However, they aren’t suited for highly sensitive data. They don’t give you a service level agreement (SLA), and they’re geared more toward ease of use than security. They can terminate or change their offerings without any obligation to you. Without an SLA, a service isn’t suitable for situations that require formal guarantees. When a business receives a copy of a partner’s confidential data, it promises to protect its security and integrity. It can hand the data only to a cloud service that makes the same promise. The same applies to information that falls under regulations or standards such as PCI, HIPAA, or GDPR. The terms and conditions of free services usually say, in effect, “You can’t hold us responsible for anything bad.” Sensitive data should be entrusted to a cloud service only if it guarantees adequate protection in writing. Written, enforceable guarantees come only with paid services. Drawing up a cloud policy These are some provisions that you may want to include when creating a policy for cloud usage. Have a lawyer review your policy before putting it into effect. Cloud usage must comply with all applicable laws and regulations. When in doubt, employees should seek confirmation that there are no legal problems. The choice of vendors must follow any company-specific restrictions. The company might have a list of approved vendors or require that data be stored only in its home country. It may require specific contractual language. The handling of data belonging to others must follow the conditions set by the owner. Data from a business partner may come with handling requirements that limit or exclude the use of cloud services. Information sets must be […]

  What are the signs of a breach? The first indications that your network’s security is compromised may come in several different ways. These are the most common: Unusual network activity. If you have network monitoring in place, it will alert you if there’s a sudden change in the quantity or kind of data transfers. The alert could mean that your data is being sent to an unauthorized system. Changes in accounts. If employees are locked out of their accounts or see unexplained changes in their account status, it’s often a sign of trouble. If the account in question has administrative powers, that’s especially concerning and needs to be investigated immediately. Suddenly slower performance. An abrupt drop in performance could indicate unauthorized access, malware, and data transfers to an outside system. Anomalies in system logs. Log analysis tools will let you know if suspicious activity, such as logins from unexpected places, has been happening. Data integrity problems. Application error messages may tell you something is wrong with your data. Whether it’s a breach or some other kind of system issue, it needs investigation. Notifications from outside. You may get a message from law enforcement, from customers, or even from the perpetrators telling you your data has been compromised. How to be prepared It’s easier to deal with these signs if your people know their responsibilities and have a plan of action. Many small businesses find the best approach is to outsource data protection to a managed system provider or managed security provider. It’s difficult for a small company to justify a full-time security specialist, and giving the job to an experienced outside team is often more cost-effective. Either way, the important thing is to have someone who’s familiar with the network and knows how to deal with security issues. The people with this task should know the network architecture and the software that runs on it. If something looks wrong, they’ll investigate it quickly and decide whether it represents a danger to the business’s data. They’ll know what steps to take and whom to notify. Your business needs a breach response plan. It will specify who needs to be notified and what steps have to be taken. This means less panic and a more coordinated response. How to act on a suspected breach Whether you’ve laid out a plan in advance or not, you need to take a step-by-step approach when something looks wrong. Identify and analyze the signs of trouble. Do they indicate a significant chance of a breach, or is some other explanation more likely? Sometimes a slow system is just an overloaded system. But a breach that isn’t stopped will be expensive, so be sure there isn’t one before closing the investigation. Document and report the signs of the problem. If the breach looks real, the security team needs to let management know what’s happening and what they plan to do. They won’t have all the answers at this point, and their report should say that more details will follow. Take immediate damage control measures. There should be some quick ways to limit the damage. Dubious IP addresses can be blocked. Infected machines can be quarantined from the network. Nonessential accounts can be disabled. Identify the kind and extent of the compromised data. Subsequent actions will depend […]

  What are the Cyber Risks of Remote Workers Returning? So, what are the specific security risks associated with remote workers returning to the office. A few issues to consider: Dormant malware. For the last few months, very few employees have been connecting to company networks. In particular, the habit of walking into the office and switching their phone to company Wi-Fi is likely to be a problem. Why? Because there has been a significant increase in campaigns distributing malware to devices, and this malware may stay dormant until the device is connected to a major network. IT may not have been able to monitor devices as much as they would like with workers absent. Instruct employees to run malware scans and similar on devices before coming back to the office. Company equipment might not be properly inventoried and, in some cases, may be mislaid. Employees might, in the rush, have grabbed extra monitors, keyboards, webcams, etc, and not told IT they were taking them. Enlist everyone’s help in tracking down errant equipment, in a non-judgmental manner. Stranded machines, such as desktops, left in the office for the duration were probably not booted up. This might result in them not having been updated or patched. Run all patches and updates on these systems before returning them to service. Employees violating app policies. Not everyone was ready to provide their employees with all the tools they needed to work remotely. Check devices for unauthorized apps and programs. Company devices may have picked up malware from the lack of protection that comes from being behind a consumer-grade, rather than enterprise-grade firewall. Some businesses ran out of VPN bandwidth, with the inevitable result of employees connecting “naked” to company networks. A sudden rush back to work could overwhelm IT, resulting in not enough staffing to cover the demand, run scans on devices, etc. Over the work from home period, employees may have become stressed and sloppy, or forgotten protocols that were once second nature. The return to work, thus, results in a spike in cybersecurity risk that needs to be addressed. What Should Companies Do? Thankfully, there are things companies can and should do to mitigate the issues caused by what is likely to be a somewhat chaotic return to work. It’s important to involve employees in the process and to understand that the problems created by the sudden departure are not anyone’s fault. Companies should: Make use of the phased return. Although servicing both remote and on-site employees could be a challenge for IT teams not used to doing so, phased returns allow for a certain number of devices to be checked at a time. Ideally, have IT come into the office early and go through the stranded machines, applying patches and making sure everything still boots up and runs. Run endpoint detection each device as the worker returns. (Again, make use of the phased return so you aren’t trying to do this all at once). This includes personal devices included in a BYOD policy. Limit phones and other personal devices to the guest network until they can be checked. Run all updates that need to be run. Mobile device management can help limit the access unchecked devices have to the network. Audit apps found on devices and either validate them or […]

The Risks of a Lost or Stolen Device Asset Loss Data Exposure Network Security Breach Employee Identity Theft The first thing every business should consider when authorizing mobile-device use is security. Mobile devices access secure accounts and apps, often with auto-logged-in employee accounts. These devices may also be stocked with proprietary business data or employee’s personal data. In the wrong hands, any of this can become harmful if used or exposed. Not only do you lose the value of the device, you also risk losing security of your company’s sensitive information. Protect clients, employees, and the company by knowing how to handle the risk of lost or stolen devices.   Prevent Lost Devices with Tracking Methods Mobile devices are occasionally misplaced, checked out by the wrong person, or taken to school by someone’s child. Lost devices are a normal part of business that provides phones or laptops to their team. Sometimes, things get lost. Sometimes, they’re lost in plain sight or right where they should be. Sometimes, they’re wedged between couch cushions and a disaster is averted with a simple tracking method. GPS Location Tracking External Tracking Tag Key-Finder Chime Emergency-Only GPS Tracking Software The most advanced and useful tracking method is GPS tracking. All wifi devices have limited GPS-style tracking, while all phones have internal GPS for precise positioning. These features can be activated and fed to your control panel to identify the location of a lost device. You can usually narrow it down to a street address, and sometimes the side of a larger building. This is enough to assure you if a device is A) lost at home, B) lost in the office or C) somewhere it shouldn’t be and possibly stolen. There are two concerns here. First, you must never use GPS tracking continuously – as this can qualify as invading an employee’s privacy or collecting dangerously personal location data. Instead, only turn on GPS tracking for emergencies or — in some industries — during work hours. The second concern is power. If the device dies, is turned off, or is wiped, then your GPS software will not activate. Install a Tracking Tag A tracking tag is an external GPS, wifi, or RFID tag that helps to locate non-GPS items. These are useful for devices without GPS and in-case a device is powered-down. Tracking tags are most commonly used as “Key finder” products, but are useful for anything you want to track. GPS tags are best for legal purposes, while RFID is the most precise indoors. Install a Key-Finder Chime Another key-finder type is a simple remote-control chime. For smaller device, consider a key-finder in the case that can help employees find a misplaced company device.   Prepare for Stolen Devices Sometimes, devices are stolen. There is a market for the hardware and for the data that might be harvested from anyone’s stolen device. These can be thefts of opportunity, targeted thefts, or even roommates who borrow too casually. Whatever the reason for device theft, it’s vital to first protect the data on the computer, then the login access, then to try and recover the device itself. Advanced Passwords Remove Authorization Kill-Switch and Brick GPS Tracking Advanced Password Strategies The more password protection on each device, the better. Require a lock-screen with a real password – […]