Recently, it seems as if you can no longer browse the news without reading or hearing about a data breach that has affected consumers or companies. Organizations of every size are falling prey to an increasingly sophisticated set of data thieves from around the globe.
Think about banking. Back in the day, a person would walk into a branch with their passbook and sign in ink; the teller compared that signature with the specimen kept in the passbook (signed in ink that is invisible to the naked eye). That was enough proof of identity to complete most transactions. Once banking moved online, the same accounts became reachable from anywhere on the internet, and identity is now proven by credentials rather than by a person standing at a counter. As reliance on digital services grows, con artists and thieves are getting correspondingly tech-savvy.
Years ago, I remember having a conversation with the Vice President of the company I worked for at the time about network security and taking more security measures. I recall him saying, “We are not NATO.” In today’s day and age, where hackers are targeting not only firms of all sizes but also individuals, this opinion or view is completely outdated.
Experts estimate that cybercrime costs will grow by 15 percent a year over the next five years, reaching $10.5 trillion annually by 2025. What a single breach costs depends on the type of breach and the kind of data lost: on top of the direct cost of investigation and remediation there are liabilities and damages, and where consumer data has been exposed companies have had to pay for extended credit bureau monitoring for every affected account.
While large companies can afford to hire external consultants or security firms to implement a sophisticated data security program, small to mid-sized companies generally lack the resources to do the same. The result is that these companies fall prey to data theft that can cost them up to $200,000 (Source: https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html). With every SMB exposed to a data breach and only 14 percent of them prepared for one, all firms and organizations must take some basic steps to secure their data. Here are ten things to consider when working with a service provider (or your own internal IT team) that will help:
- Unique User ID and Password
Each user should have their own user ID and password for key systems. That makes activity within your software applications attributable and auditable, and lets you terminate one person's access when they leave without changing a credential that everyone else also uses. As simple as it sounds, the user is generally the weakest link in the security chain; your company's security is only as strong as its weakest user. Passwords should not be shared, written down or easy to guess. They should not be saved in browsers unless an additional authentication method, for example biometric verification, protects them. Passwords for corporate systems must never be reused for personal systems: your company login should not be the same as your personal banking password, because credentials leaked from one site are routinely tried against every other site. A password manager is the practical way to keep a unique password per system. Your company should have a written password policy, and your software should enforce it (minimum length, no reuse of previous passwords, lockout after repeated failures) rather than rely on users to remember it.
- Session Timeouts
Inactivity timeouts are not popular with users but are necessary from a security standpoint. An unattended workstation where a user is still logged in takes away any protection the password policy provides. Enforce the timeout on the server side, inside the application, not only as a browser or screen lock, so that a session cannot be kept alive by tampering with the client, and pair it with an operating system screen lock for the workstation itself. An idle timeout alone is not enough: a session that is touched every few minutes by a script would otherwise live forever, so also set an absolute lifetime after which the user must authenticate again.
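As an added example (not code from the original article), here is a minimal server-side session table in Python that enforces both an idle timeout and an absolute lifetime. The timeout values and the `demo()` clock are assumptions chosen to illustrate the two expiry paths; a real application would keep the table in a database or cache rather than in memory.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for this example; set them to match your own risk appetite.
IDLE_TIMEOUT = 15 * 60            # seconds of inactivity after which the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60   # seconds after login when re-authentication is required regardless


@dataclass
class Session:
    user_id: str
    created_at: float   # when the user authenticated
    last_seen: float    # last request that used this session


class SessionStore:
    """Server-side session table. Both timers live here, never in the cookie,
    so a client cannot extend its own session by editing a timestamp."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 absolute_lifetime: float = ABSOLUTE_LIFETIME) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self._sessions: Dict[str, Session] = {}

    def create(self, token: str, user_id: str, now: Optional[float] = None) -> Session:
        now = time.time() if now is None else now
        session = Session(user_id=user_id, created_at=now, last_seen=now)
        self._sessions[token] = session
        return session

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the session is still live (and refresh its idle
        timer); otherwise delete the session server-side and return None."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        too_old = now - session.created_at > self.absolute_lifetime
        too_idle = now - session.last_seen > self.idle_timeout
        if too_old or too_idle:
            del self._sessions[token]     # expire on the server, not just in the browser
            return None
        session.last_seen = now           # activity resets the idle clock only
        return session.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def live_count(self) -> int:
        return len(self._sessions)


def demo() -> Dict[str, Optional[str]]:
    """Walk two sessions through the two expiry paths with a simulated clock."""
    store = SessionStore(idle_timeout=15 * 60, absolute_lifetime=8 * 60 * 60)
    store.create("tok-a", "alice", now=0)
    store.create("tok-b", "bob", now=0)
    results: Dict[str, Optional[str]] = {
        "alice after 10 min idle": store.validate("tok-a", now=10 * 60),   # still live
        "alice after 16 min idle": store.validate("tok-a", now=26 * 60),   # None: idle limit hit
    }
    # bob keeps clicking every 10 minutes; the absolute lifetime still ends his session
    t = 0
    while t <= 8 * 60 * 60:
        t += 10 * 60
        results["bob last"] = store.validate("tok-b", now=t)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Note that `validate` deletes the expired entry rather than merely returning a failure, so a stolen token cannot be revived later, and that only genuine activity moves `last_seen`; `created_at` never changes.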
- Authentication Factors
Depending on what technology your applications use, ask your software vendor what options exist for additional authentication factors. These include a second factor on top of the password (a one-time code from an authenticator app, a hardware token or a push approval) and conditional rules that restrict access to your data when users are travelling, out of the office or working from home. A second factor means that a password that has been phished, guessed or leaked is no longer enough on its own to log in.
- Paper-Based Office
It is no surprise that unattended printouts put data at risk. Data security policies and measures are completely ineffective if someone can walk into your office and pick documents out of a paper tray. With electronic document management system (EDMS) tools it is now possible to share, access and edit files without printing them, and to restrict and log who opened what. Talk to your software provider to see what they offer.
- Testing and Staging Environments
Never use real production data when testing. If test data has to be derived from production, run it through a data masking process first, so that the environment always has a realistic testbed without real identities in it. Test and staging environments often do not have the same access controls, monitoring and patching as production, and more people (developers, vendors, contractors) can reach them. Any data element that could identify an individual, for example name, address, phone number, email address or account number, should be masked or replaced with synthetic values, and the masking should be repeatable so that related tables still join up.
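The following is an added Python example of such a masking step, not code from the original article. It reads a constructed customer export (fictional people), replaces every identifying column with a keyed, one-way but consistent token, and leaves the non-identifying columns that tests need. The column names, the `MASKING_KEY` value and the choice of what to keep are assumptions for the example.

```python
import csv
import hashlib
import hmac
import io
from typing import Dict, List

# Constructed stand-in for a production export (fictional people and numbers).
PRODUCTION_CSV = """customer_id,name,email,phone,address,balance
1001,Jane Doe,jane.doe@example.com,+1-555-0101,12 Elm St Springfield,1523.10
1002,John Roe,john.roe@example.org,+1-555-0102,9 Oak Ave Shelbyville,-40.00
1003,Jane Doe,jane.doe@example.com,+1-555-0101,12 Elm St Springfield,88.50
"""

# Assumed: a random key that lives with production and is never copied to the test environment.
MASKING_KEY = b"example-only-use-a-random-key-from-your-secret-store"


def pseudonym(value: str, key: bytes, length: int = 10) -> str:
    """Keyed one-way token. The same input always gives the same token, so joins and
    duplicate detection behave as in production, but without the key nobody can simply
    hash every phone number in a range to reverse it (trivial with an unkeyed hash)."""
    norm = value.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:length]


def mask_row(row: Dict[str, str], key: bytes) -> Dict[str, str]:
    masked = dict(row)
    masked["name"] = "Customer " + pseudonym(row["name"], key, 8)
    # Email-shaped value in a domain reserved for testing (RFC 2606), so nothing can be delivered
    masked["email"] = pseudonym(row["email"], key) + "@example.invalid"
    # Keep the phone format so validation code still runs, inside the fictional 555-01xx range
    masked["phone"] = "+1-555-01%02d" % (int(pseudonym(row["phone"], key, 8), 16) % 100)
    masked["address"] = "[REDACTED]"   # free text: safest is to drop it entirely
    # customer_id and balance stay: tests need them and neither identifies a person by itself
    return masked


def mask_csv(text: str, key: bytes = MASKING_KEY) -> str:
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(mask_row(row, key))
    return out.getvalue()


def masked_rows(text: str = PRODUCTION_CSV, key: bytes = MASKING_KEY) -> List[Dict[str, str]]:
    """Convenience: the masked export parsed back into dictionaries."""
    return list(csv.DictReader(io.StringIO(mask_csv(text, key))))


if __name__ == "__main__":
    print(mask_csv(PRODUCTION_CSV))
```

Rows 1001 and 1003 belong to the same person and come out with the same masked name and email, which is what keeps duplicate-customer logic testable; if the internal `customer_id` is printed on statements or used as a login, it should be pseudonymized the same way.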
- User Access
Users should have access only to the data they need to do their job. It might be easier to give everyone access to everything, but that turns any single compromised or misused account into a company-wide breach. Review access regularly; as team members change roles, their access should change with them. Organizations are generally good at giving users access to what they need for their day-to-day tasks and generally bad at taking away access a user no longer requires, so entitlements accumulate over a career unless someone periodically compares what is granted with what the current role justifies.
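Here is an added Python example (not from the original article) of the periodic comparison described above: a role matrix, a constructed user export, and a review that flags entitlements beyond the user's current role, accounts nobody has used for 90 days, and roles the matrix does not know. The role names, entitlement strings, dates and the 90-day threshold are assumptions for the example.

```python
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed role matrix: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk":   {"ledger:read", "invoices:write"},
    "controller": {"ledger:read", "ledger:write", "invoices:write", "invoices:approve", "reports:read"},
    "auditor":    {"ledger:read", "reports:read"},
}

# Constructed user export from an application: current role, what is actually granted, last login.
USERS: List[Dict] = [
    {"user": "alice", "role": "controller",
     "granted": {"ledger:read", "ledger:write", "invoices:write", "invoices:approve", "reports:read"},
     "last_login": date(2024, 5, 30)},
    # bob moved from controller to auditor; the approval right was never taken away
    {"user": "bob", "role": "auditor",
     "granted": {"ledger:read", "reports:read", "invoices:approve"},
     "last_login": date(2024, 5, 28)},
    # carol has not logged in for months (left, or on leave) but the account is still active
    {"user": "carol", "role": "ap_clerk",
     "granted": {"ledger:read", "invoices:write"},
     "last_login": date(2023, 11, 1)},
    # a login whose role nobody recognises any more
    {"user": "temp_intern", "role": "intern",
     "granted": {"ledger:read"},
     "last_login": date(2024, 5, 1)},
]


def review_access(users: List[Dict], role_matrix: Dict[str, Set[str]], today: date,
                  dormant_after: timedelta = timedelta(days=90)) -> List[Dict]:
    """One finding per problem: 'excess' entitlements beyond the current role,
    'dormant' accounts unused for `dormant_after`, and 'unknown_role' for roles
    missing from the matrix (which cannot be reviewed at all)."""
    findings: List[Dict] = []
    for u in users:
        allowed = role_matrix.get(u["role"])
        if allowed is None:
            findings.append({"user": u["user"], "type": "unknown_role", "detail": u["role"]})
        else:
            excess = u["granted"] - allowed
            if excess:
                findings.append({"user": u["user"], "type": "excess", "detail": sorted(excess)})
        idle_days = (today - u["last_login"]).days
        if timedelta(days=idle_days) > dormant_after:
            findings.append({"user": u["user"], "type": "dormant", "detail": idle_days})
    return findings


def run_review(today: date = date(2024, 6, 1)) -> List[Dict]:
    """Run the review over the constructed data as of a fixed date (assumed)."""
    return review_access(USERS, ROLE_ENTITLEMENTS, today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:<12} {f['type']:<13} {f['detail']}")
```

Each finding is something a manager must either approve with a reason or revoke; the point of the role matrix is that "still needed" is decided against the current role, not against whatever was granted last year.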
- Secure Your Networks
Give your network a checkup. The pandemic sent millions of people home to work for far longer than expected, so companies should have a policy for the security of the home network an employee uses as an extended office. Protecting a home Wi-Fi network with a strong password (and changing the router's default admin password) is not difficult, and the Internet Service Provider will usually help. In addition, consider a VPN (Virtual Private Network). A VPN takes the wide-open highway of the internet and builds an encrypted "tunnel" from the home office to your corporate network, so that anyone sitting on the path, from the home router to the ISP to a public hotspot, sees only ciphertext rather than your data. It does not protect a laptop that is already compromised, and it does not replace the second authentication factor, so treat it as one layer alongside endpoint protection and MFA rather than as a complete answer.
- Data Storage
If you have a server in your corporate offices, it should be physically secured, with only a few named individuals having access, and their time in and out logged. If a software provider hosts the application for you, ask where the data, the backups and the disaster recovery copies are stored. Cloud storage has become the norm, but "the cloud" just means the data is stored on someone else's computer. Find out where that computer is, ask the vendor for their security policy and any independent audit report they can share, and ask how they keep their own staff and their other customers away from your data, whether the data and backups are encrypted, and when a restore from backup was last actually tested.
- Email Communication
Email is a great tool, but it is the wrong way to send sensitive data. Emailing a financial report, for instance from the Controller to the external auditor, can effectively publish it: the message and its attachment sit in readable form on every mail server and in every mailbox along the way, can be forwarded or sent to a mistyped address, and are the first thing an attacker who gets into one mailbox will harvest. Think of email as a postcard that stops at innumerable points between originator and endpoint. Share such documents through a secure portal or an encrypted file transfer instead. It goes without saying that no one should ever send usernames or passwords by regular email; if a credential must be communicated, send it by a separate channel and force a change on first use.
- Ask for help
Not everyone managing a finance company can be an expert on data security, and there are many consultants and firms ready to help. Your software provider may be able to offer some free advice, and your financial auditing firm may have an expert on staff. Putting some thought into this now may save a great deal of trouble later.
Some may say that there is no such thing as bad publicity, but no one wants their organization in the news because of a public data breach. Taking some time to think about data security now could save many hours of pain, loss of reputation and possible financial damages in the future.